Overview

overview

10

Static

static

10

5ab834f599...c6.exe

windows7-x64

10

5ab834f599...c6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-04-2024 18:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe

  • Size

    35KB

  • MD5

    70e4b9b7a83473687e5784489d556c87

  • SHA1

    1f594456d88591d3a88e1cdd4e93c6c4e59b746c

  • SHA256

    5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6

  • SHA512

    89878d4a72521a9742fe671979065ea210f7c78975040c28c0c5ec4733d90680d71b45bfe5582baf6e4bc62850777b1b2a68ad8e2dcaf95edc19544622855d2c

  • SSDEEP

    768:+8SQb5hyBBIqa1L4SvEUfBNEUuQjreZBLjpKgk:+8SkLq2VrM8EUuoyjp

Score
10/10
nefilimransomwareupx

Malware Config

Signatures

  • Nefilim

    Ransomware first seen in early 2020 which shares code with the Nemty family. Rewritten in Golang in July 2020.

    ransomwarenefilim
  • Renames multiple (153) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe
    "C:\Users\Admin\AppData\Local\Temp\5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3664
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 3 /nobreak && del "C:\Users\Admin\AppData\Local\Temp\5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6.exe" /s /f /q
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2964
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 3 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:3380

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3664-0-0x0000000000930000-0x0000000000945000-memory.dmp

    Filesize

    84KB

    Download

  • memory/3664-290-0x0000000000930000-0x0000000000945000-memory.dmp

    Filesize

    84KB

    Download

  • memory/3664-343-0x0000000000930000-0x0000000000945000-memory.dmp

    Filesize

    84KB

    Download