nefilim | 3730e9cba4a93bc985ef7cd2368ccbf5eccd4724f514b38b20e320e5553dd08d

Resubmissions

25/03/2025, 13:12

250325-qfl42aznw9 10

25/03/2025, 13:09

25/03/2025, 13:05

25/03/2025, 13:01

25/03/2025, 12:55

25/03/2025, 12:51

05/02/2025, 11:16

16/07/2024, 08:54

Analysis

max time kernel
98s
max time network
102s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
25/03/2025, 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2daa5144081dd288c1dc936ec27b1c8bd709633450ceb73f235fccd1c3d3c62e.exe
Size

70KB
MD5

193e702195e8ed5c50cc482569559462
SHA1

47a5307b78fa2c60c20ce63c553aef4a6d5a3e1c
SHA256

2daa5144081dd288c1dc936ec27b1c8bd709633450ceb73f235fccd1c3d3c62e
SHA512

d5ae5a8bccfc08bc07834caaebaed7a6cde1911170eb8de99322bf15be3ad111b5042d6401dcb06e64a6a429eee19d964878089af205474b377b77627bb63a35
SSDEEP

768:lXStkFWTBhyugDC60CPJkEBx9w7mSDh3vkkjvshT3ED18nv04ZPqpb348Uq1krHO:liMWV3gDCk6EBwT/kJbvkbuq1krj0z

Score

10^/10

nefilim discovery ransomware

Malware Config

Signatures

Nefilim
Ransomware first seen in early 2020 which shares code with the Nemty family. Rewritten in Golang in July 2020.
ransomware nefilim
Nefilim family
nefilim
Renames multiple (171) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2daa5144081dd288c1dc936ec27b1c8bd709633450ceb73f235fccd1c3d3c62e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2816	timeout.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 3532	3076	2daa5144081dd288c1dc936ec27b1c8bd709633450ceb73f235fccd1c3d3c62e.exe	82
PID 3076 wrote to memory of 3532	3076	2daa5144081dd288c1dc936ec27b1c8bd709633450ceb73f235fccd1c3d3c62e.exe	82
PID 3076 wrote to memory of 3532	3076	2daa5144081dd288c1dc936ec27b1c8bd709633450ceb73f235fccd1c3d3c62e.exe	82
PID 3532 wrote to memory of 2816	3532	cmd.exe	84
PID 3532 wrote to memory of 2816	3532	cmd.exe	84
PID 3532 wrote to memory of 2816	3532	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\2daa5144081dd288c1dc936ec27b1c8bd709633450ceb73f235fccd1c3d3c62e.exe
C:\Users\Admin\AppData\Local\Temp\2daa5144081dd288c1dc936ec27b1c8bd709633450ceb73f235fccd1c3d3c62e.exe bcdedit /set shutdown /r /f /t 2
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 3 /nobreak && del "C:\Users\Admin\AppData\Local\Temp\2daa5144081dd288c1dc936ec27b1c8bd709633450ceb73f235fccd1c3d3c62e.exe" /s /f /q
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3532
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 3 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads