Analysis
max time kernel: 227s
max time network: 108s
platform: windows7_x64
resource: win7v200410
submitted: 16-04-2020 10:39
Static task: static1
Behavioral task: behavioral1 (Sample: 1.ps1, Resource: win7v200410; this report)
Behavioral task: behavioral2 (Sample: 1.ps1, Resource: win10v200410)
General
Target: 1.ps1
Size: 1.5MB
MD5: 8336572266de59a362177d39dfd212be
SHA1: 9b2cea93d845507cd7cd7abde1b5fcc8218a3d76
SHA256: b692668c4cb71b1029d7a0b062fa5177fff06105da3a35c070466fa3992f7081
SHA512: fcfcc5869e5248da747bc9a68d5cbc695892634ed81dd130a9ffbd487ce70a8a5991c6309dafc2a6f32ba2a2c2c0997d2f4fa373ac6b9e405f6636c91f5c16d4
Malware Config
Extracted from: C:\Users\Public\Libraries\7B3FE5-Readme.txt
  Family: netwalker
  URL: http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
Extracted from: C:\Program Files\7B3FE5-Readme.txt
  Family: netwalker
  URL: http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
Extracted from: C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\7B3FE5-Readme.txt
  Family: netwalker
  URL: http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
Extracted from: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\7B3FE5-Readme.txt
  Family: netwalker
  URL: http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
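Added example, not part of the sandbox report and not Netwalker or vendor code: a small extractor that derives the fields listed under Extracted above from dropped ransom notes. Only the four note paths and the .onion URL come from the report; the note wording, the two non-note files and the filename pattern `<6 hex chars>-Readme.txt` are assumptions constructed for the example.

```python
"""Added example (not from the sandbox report, not Netwalker or vendor code):
derive the fields the report lists under "Extracted" from dropped ransom notes.
Inputs below are constructed; only the note paths and the .onion URL come
from the report."""
import re
from collections import Counter

# Assumption for this example: notes are named <6 hex chars>-Readme.txt, the
# pattern the four report entries follow (7B3FE5 is the per-victim ID).
NOTE_NAME_RE = re.compile(r"^(?P<victim_id>[0-9A-F]{6})-Readme\.txt$", re.IGNORECASE)
# Tor v3 (56 chars) or v2 (16 chars) onion hostnames with an optional path.
ONION_RE = re.compile(
    r"https?://(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion(?:/[\w./?=&-]*)?", re.IGNORECASE)

# Constructed note body. The real note wording is not on the page; the URL is.
SAMPLE_NOTE = (
    "Your files are encrypted.\n"
    "Open this address in the Tor browser:\n"
    "http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion\n"
    "Your code: 7B3FE5\n"
)

# Constructed drop list: the four note paths from the report, one note that
# repeats the link in a different spelling, and two files that are not notes.
CONSTRUCTED_DROPS = [
    (r"C:\Users\Public\Libraries\7B3FE5-Readme.txt", SAMPLE_NOTE),
    (r"C:\Program Files\7B3FE5-Readme.txt",
     SAMPLE_NOTE + "Backup link: HTTP://PB36HU4SPL6CYJDFHING7H3PW6DHPK32IFEMAWKUJJ4GP33EJZDQ3DID.ONION/\n"),
    (r"C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\7B3FE5-Readme.txt", SAMPLE_NOTE),
    (r"C:\Program Files\Microsoft Office\CLIPART\PUB60COR\7B3FE5-Readme.txt", SAMPLE_NOTE),
    (r"C:\Users\Admin\Desktop\notes.txt.7b3fe5", ""),        # constructed: not a note
    (r"C:\Users\Admin\AppData\Local\Temp\RES9665.tmp", ""),  # build artifact from the report
]


def extract_note_config(dropped_files):
    """dropped_files: iterable of (path, text) created during detonation.

    Returns the note paths, the victim ID(s) read from their names, the distinct
    normalised .onion URLs with how often each was mentioned, and the number of
    directories that received a note (how far the dropper walked).
    """
    notes, victim_ids, mentions = [], Counter(), Counter()
    for path, text in dropped_files:
        m = NOTE_NAME_RE.match(path.rsplit("\\", 1)[-1])
        if not m:
            continue  # encrypted payloads, temp files and similar are not notes
        notes.append(path)
        victim_ids[m.group("victim_id").upper()] += 1
        for url in ONION_RE.findall(text):
            mentions[url.rstrip("/").lower()] += 1  # fold case and trailing slash
    return {
        "notes": notes,
        "victim_ids": dict(victim_ids),
        "onion_urls": sorted(mentions),
        "onion_mentions": dict(mentions),
        "note_dirs": len({p.rsplit("\\", 1)[0] for p in notes}),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_note_config(CONSTRUCTED_DROPS), indent=2))
```

Normalising the URL before counting matters because the same contact address tends to appear several times per note in different spellings; the distinct-URL list is what goes into a blocklist, the mention count is only a sanity check that every note points at the same infrastructure.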
Signatures
Netwalker: Ransomware believed to be a variant of MailTo.

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Description                    PID   Process
Token: SeDebugPrivilege        1660  powershell.exe
Token: SeDebugPrivilege        1764  powershell.exe
Token: SeDebugPrivilege        1764  powershell.exe
Token: SeImpersonatePrivilege  1764  powershell.exe
Suspicious behavior: EnumeratesProcesses (229 IoCs)
PID   Process
1660  powershell.exe
1764  powershell.exe (every further entry the report shows is also 1764 powershell.exe)
Suspicious use of WriteProcessMemory (36 IoCs, collapsed to one row per source/target pair)
Source PID  Source process  Target PID  Target process  Events
1660        powershell.exe  1676        csc.exe         3
1676        csc.exe         1620        cvtres.exe      3
1660        powershell.exe  1616        csc.exe         3
1616        csc.exe         1732        cvtres.exe      3
1660        powershell.exe  1764        powershell.exe  4
1764        powershell.exe  1848        csc.exe         4
1848        csc.exe         1748        cvtres.exe      4
1764        powershell.exe  1740        csc.exe         4
1740        csc.exe         1052        cvtres.exe      4
1764        powershell.exe  8060        notepad.exe     4
Drops file in Program Files directory (7379 IoCs; the report shows the subset below, all attributed to powershell.exe)
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ko.properties
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar
File opened for modification: C:\Program Files\Microsoft Office\Templates\1033\EquityLetter.Dotx
File created: C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\7B3FE5-Readme.txt
File opened for modification: C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME23.CSS
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Pontianak
File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA00810_.WMF
File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0157191.WMF
File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX9.x3d
File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT
File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml
File opened for modification: C:\Program Files\Microsoft Office\Office14\1033\MSPUB.DEV_COL.HXC
File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE00578_.WMF
File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00513_.WMF
File opened for modification: C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Person.gif
File opened for modification: C:\Program Files\Java\jre7\lib\zi\America\Yakutat
File opened for modification: C:\Program Files\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.Runtime.xml
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-13
File opened for modification: C:\Program Files\Java\jre7\lib\zi\Asia\Seoul
File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_ja_4.4.0.v20140623020002.jar
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Nauru
File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\images\Folder-48.png
File opened for modification: C:\Program Files\Java\jre7\lib\fonts\LucidaBrightDemiItalic.ttf
File opened for modification: C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14579_.GIF
File opened for modification: C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsDoNotTrust.html
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_ja.jar
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-modules-appui.jar
File opened for modification: C:\Program Files\Microsoft Office\Office14\IPIRM.XML
File opened for modification: C:\Program Files\Microsoft Office\Document Themes 14\Trek.thmx
File opened for modification: C:\Program Files\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImages.jpg
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_zh_CN.jar
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiItalic.ttf
File opened for modification: C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\TexturedBlue.css
File opened for modification: C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR50F.GIF
File opened for modification: C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0186348.WMF
File opened for modification: C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsHomePageScript.js
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.zh_CN_5.5.0.165303.jar
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core.xml
File opened for modification: C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR4B.GIF
File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Paramaribo
File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca
File created: C:\Program Files\VideoLAN\VLC\lua\http\requests\7B3FE5-Readme.txt
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.identity_3.4.0.v20140827-1444.jar
File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\FD02158_.WMF
File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00935_.WMF
File opened for modification: C:\Program Files\Windows Journal\Templates\To_Do_List.jtp
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
File opened for modification: C:\Program Files\Microsoft Office\Office14\1033\MSO.ACL
File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0178632.JPG
File opened for modification: C:\Program Files\Java\jre7\lib\ext\localedata.jar
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mahe
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-options_ja.jar
File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0183174.WMF
File opened for modification: C:\Program Files\Microsoft Office\Office14\MML2OMML.XSL
File opened for modification: C:\Program Files\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Informix.xsl
File opened for modification: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0107146.WMF
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Menominee
File opened for modification: C:\Program Files\Microsoft Office\Office14\PUBWIZ\ENV98SP.POC
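Added example, not from the sandbox report: a per-process file-activity profile of the kind used to catch bulk encryption, run over constructed file events shaped like the rows above. The paths are taken from the listing; the thresholds, the benign control process (msiexec.exe, PID 4242) and attributing the events to PID 1764 (the SysWOW64 powershell.exe the Processes section credits with the drops) are assumptions for the example.

```python
"""Added example, not from the sandbox report: a per-process file-activity
profile of the kind used to catch bulk encryption, run over constructed file
events shaped like the report's "Drops file in Program Files directory" rows.
Thresholds, the msiexec.exe control process and the PID are assumptions."""
from collections import defaultdict

# Assumed thresholds for this example: a process touching this many files across
# this many products with this many extensions is not normal maintenance.
MIN_MODIFIED, MIN_PRODUCTS, MIN_EXTENSIONS, MIN_NOTES = 5, 3, 4, 2
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed (pid, process, action, path) events; paths taken from the listing.
EVENTS = [
    (1764, "powershell.exe", "opened for modification", r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ko.properties"),
    (1764, "powershell.exe", "opened for modification", r"C:\Program Files\Microsoft Office\Templates\1033\EquityLetter.Dotx"),
    (1764, "powershell.exe", "created", r"C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\7B3FE5-Readme.txt"),
    (1764, "powershell.exe", "opened for modification", r"C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME23.CSS"),
    (1764, "powershell.exe", "opened for modification", r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX9.x3d"),
    (1764, "powershell.exe", "opened for modification", r"C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml"),
    (1764, "powershell.exe", "opened for modification", r"C:\Program Files\Windows Journal\Templates\To_Do_List.jtp"),
    (1764, "powershell.exe", "created", r"C:\Program Files\VideoLAN\VLC\lua\http\requests\7B3FE5-Readme.txt"),
    (1764, "powershell.exe", "opened for modification", r"C:\Program Files\Java\jre7\lib\ext\localedata.jar"),
    (4242, "msiexec.exe", "opened for modification", r"C:\Program Files\VideoLAN\VLC\vlc.exe"),            # constructed control
    (4242, "msiexec.exe", "created", r"C:\Program Files\VideoLAN\VLC\plugins\libnew_plugin.dll"),        # constructed control
]


def product_dir(path):
    """Reduce a path under Program Files to its product folder, e.g. 'Program Files (x86)\\Adobe'."""
    parts = path.split("\\")
    if len(parts) >= 3 and parts[1].lower().startswith("program files"):
        return parts[1] + "\\" + parts[2]
    return parts[1] if len(parts) > 1 else ""


def extension(path):
    name = path.rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def is_ransom_note(path):
    # Same naming convention the report's notes follow; an assumption for the example.
    return path.rsplit("\\", 1)[-1].lower().endswith("-readme.txt")


def profile(events):
    """Per-pid counters plus a verdict: breadth of modification and note drops."""
    stats = {}
    for pid, proc, action, path in events:
        s = stats.setdefault(pid, {"process": proc, "modified": 0, "created": 0, "notes": 0,
                                   "products": set(), "extensions": set()})
        s["products"].add(product_dir(path))
        if action == "created":
            s["created"] += 1
            s["notes"] += is_ransom_note(path)
        else:
            s["modified"] += 1
            s["extensions"].add(extension(path))
    for s in stats.values():
        reasons = []
        if (s["modified"] >= MIN_MODIFIED and len(s["products"]) >= MIN_PRODUCTS
                and len(s["extensions"]) >= MIN_EXTENSIONS):
            reasons.append("broad modification across Program Files")
        if s["notes"] >= MIN_NOTES:
            reasons.append("ransom note dropped in several directories")
        s["reasons"] = reasons
        s["flagged"] = bool(reasons)
        # A script host doing this is worse than an installer doing it.
        s["severity"] = "high" if reasons and s["process"].lower() in SCRIPT_HOSTS else (
            "medium" if reasons else "none")
    return stats


if __name__ == "__main__":
    for pid, s in profile(EVENTS).items():
        print(pid, s["process"], s["severity"], s["reasons"])
```

The breadth signals (distinct products and distinct extensions) are what separate an encryptor from an installer or updater, which also writes many files but stays inside one product tree and a handful of extensions; the note-drop count is the cheaper, more specific signal and is checked independently so that either one alone raises the verdict.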
Processes (indented by depth in the process tree)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\1.ps1
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3poimcy0\3poimcy0.cmdline"
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9665.tmp" "c:\Users\Admin\AppData\Local\Temp\3poimcy0\CSC106ED3C496F24ED89673B010989CBD2.TMP"
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rv4tfw4m\rv4tfw4m.cmdline"
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES975E.tmp" "c:\Users\Admin\AppData\Local\Temp\rv4tfw4m\CSC14D4317888C74D7EA5F96B15AEFF55AF.TMP"
  C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe
    command line: "C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe" -NonInteractive -NoProfile -file C:\Users\Admin\AppData\Local\Temp\1.ps1
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - Drops file in Program Files directory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z54ickbr\z54ickbr.cmdline"
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF67.tmp" "c:\Users\Admin\AppData\Local\Temp\z54ickbr\CSC199D470A5CD34F61AED790E736A93F47.TMP"
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2kll20yb\2kll20yb.cmdline"
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC042.tmp" "c:\Users\Admin\AppData\Local\Temp\2kll20yb\CSC415934B7F79646BBA8969BC97F8B949D.TMP"
    C:\Windows\SysWOW64\notepad.exe
      command line: C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\7B3FE5-Readme.txt"
      (the image resolves to SysWOW64 because the 32-bit parent's request for system32 is redirected by WOW64 file system redirection)
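Added example, not from the sandbox report: rebuilding the process tree and the WriteProcessMemory relations shown above from event records and running triage rules over them (execution-policy bypass on the command line, the 64-bit host relaunching the script under the 32-bit SysWOW64 host, the Add-Type style powershell.exe to csc.exe to cvtres.exe compile chain, and cross-process writes from the script host). The PID-to-image mapping is inferred from the report's WriteProcessMemory table and tree; the event records, the rule names and the sandbox launcher as parent 0 are constructed for this example.

```python
"""Added example, not from the sandbox report: rebuild the process tree and the
WriteProcessMemory relations the report shows from event records and run triage
rules over them. The PID-to-image mapping is inferred from the report's
WriteProcessMemory table; the records and rule names are constructed here."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self):
        return self.image.rsplit("\\", 1)[-1].lower()


PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe"
NET64 = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
NET32 = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
CVT = "cvtres.exe /NOLOGO /READONLY /MACHINE:IX86"

# Constructed process-creation records (ppid 0 = the sandbox launcher).
PROCS = [
    Proc(1660, 0, PS64, rf"powershell.exe -ExecutionPolicy bypass -File {TMP}\1.ps1"),
    Proc(1676, 1660, NET64 + r"\csc.exe", rf'csc.exe /noconfig /fullpaths @"{TMP}\3poimcy0\3poimcy0.cmdline"'),
    Proc(1620, 1676, NET64 + r"\cvtres.exe", CVT),
    Proc(1616, 1660, NET64 + r"\csc.exe", rf'csc.exe /noconfig /fullpaths @"{TMP}\rv4tfw4m\rv4tfw4m.cmdline"'),
    Proc(1732, 1616, NET64 + r"\cvtres.exe", CVT),
    Proc(1764, 1660, PS32, rf"powershell.exe -NonInteractive -NoProfile -file {TMP}\1.ps1"),
    Proc(1848, 1764, NET32 + r"\csc.exe", rf'csc.exe /noconfig /fullpaths @"{TMP}\z54ickbr\z54ickbr.cmdline"'),
    Proc(1748, 1848, NET32 + r"\cvtres.exe", CVT),
    Proc(1740, 1764, NET32 + r"\csc.exe", rf'csc.exe /noconfig /fullpaths @"{TMP}\2kll20yb\2kll20yb.cmdline"'),
    Proc(1052, 1740, NET32 + r"\cvtres.exe", CVT),
    Proc(8060, 1764, r"C:\Windows\SysWOW64\notepad.exe", r'notepad.exe "C:\Users\Admin\Desktop\7B3FE5-Readme.txt"'),
]
# (source pid, target pid, event count), matching the report's 36-IoC table.
WRITES = [(1660, 1676, 3), (1676, 1620, 3), (1660, 1616, 3), (1616, 1732, 3),
          (1660, 1764, 4), (1764, 1848, 4), (1848, 1748, 4), (1764, 1740, 4),
          (1740, 1052, 4), (1764, 8060, 4)]

# -ExecutionPolicy / -Exec / -Ex / -EP followed by Bypass (PowerShell accepts prefixes).
EP_BYPASS_RE = re.compile(r"-e(?:x\w*|p)\s+bypass", re.IGNORECASE)


def triage(procs, writes):
    """Return (rule, subject pid, detail) findings over the tree and the writes."""
    by_pid = {p.pid: p for p in procs}
    children = defaultdict(list)
    for p in procs:
        children[p.ppid].append(p)
    findings = []
    for p in procs:
        if p.name != "powershell.exe":
            continue
        parent = by_pid.get(p.ppid)
        if EP_BYPASS_RE.search(p.cmdline):  # policy switched off on the command line
            findings.append(("ps_execution_policy_bypass", p.pid, p.cmdline))
        if (parent and parent.name == "powershell.exe" and "\\syswow64\\" in p.image.lower()
                and "\\system32\\" in parent.image.lower()):  # 64-bit host relaunches 32-bit host
            findings.append(("ps_wow64_relaunch", p.pid, f"parent {parent.pid}"))
        for c in children[p.pid]:  # Add-Type style compile: powershell -> csc.exe -> cvtres.exe
            if c.name == "csc.exe" and any(g.name == "cvtres.exe" for g in children[c.pid]):
                findings.append(("ps_runtime_compile", c.pid, c.cmdline))
    # Writes from the script host into anything but its own compiler children.
    # CreateProcess itself writes into a new child, so this is a lead to correlate
    # with the tree (who spawned the target, what it did next), not proof of injection.
    for src, dst, n in writes:
        s, d = by_pid.get(src), by_pid.get(dst)
        if s and d and s.name == "powershell.exe" and d.name != "csc.exe":
            findings.append(("ps_cross_process_write", dst, f"{n} writes from {src} into {d.name}"))
    return findings


def findings_by_rule(findings):
    out = defaultdict(list)
    for rule, pid, _ in findings:
        out[rule].append(pid)
    return {rule: sorted(pids) for rule, pids in out.items()}


def render_tree(procs, root_ppid=0):
    by_parent = defaultdict(list)
    for p in procs:
        by_parent[p.ppid].append(p)
    lines = []

    def walk(ppid, depth):
        for p in by_parent[ppid]:
            lines.append("  " * depth + f"{p.pid} {p.name}")
            walk(p.pid, depth + 1)
    walk(root_ppid, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROCS)))
    for rule, pid, detail in triage(PROCS, WRITES):
        print(f"{rule:28} pid {pid:<5} {detail}")
```

The csc.exe/cvtres.exe pairs are what runtime C# compilation from PowerShell looks like on disk and in the tree, so they are filtered out of the cross-process-write rule rather than alerted on; what remains (the 32-bit relaunch and the write into notepad.exe) is where an analyst should look next, keeping in mind that the four writes into notepad.exe here are consistent with ordinary process creation of the child that displays the ransom note.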
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\2kll20yb\2kll20yb.dll
- C:\Users\Admin\AppData\Local\Temp\3poimcy0\3poimcy0.dll
- C:\Users\Admin\AppData\Local\Temp\RES9665.tmp
- C:\Users\Admin\AppData\Local\Temp\RES975E.tmp
- C:\Users\Admin\AppData\Local\Temp\RESBF67.tmp
- C:\Users\Admin\AppData\Local\Temp\RESC042.tmp
- C:\Users\Admin\AppData\Local\Temp\rv4tfw4m\rv4tfw4m.dll
- C:\Users\Admin\AppData\Local\Temp\z54ickbr\z54ickbr.dll
- C:\Users\Admin\Desktop\7B3FE5-Readme.txt
- \??\c:\Users\Admin\AppData\Local\Temp\2kll20yb\2kll20yb.0.cs
- \??\c:\Users\Admin\AppData\Local\Temp\2kll20yb\2kll20yb.cmdline
- \??\c:\Users\Admin\AppData\Local\Temp\2kll20yb\CSC415934B7F79646BBA8969BC97F8B949D.TMP
- \??\c:\Users\Admin\AppData\Local\Temp\3poimcy0\3poimcy0.0.cs
- \??\c:\Users\Admin\AppData\Local\Temp\3poimcy0\3poimcy0.cmdline
- \??\c:\Users\Admin\AppData\Local\Temp\3poimcy0\CSC106ED3C496F24ED89673B010989CBD2.TMP
- \??\c:\Users\Admin\AppData\Local\Temp\rv4tfw4m\CSC14D4317888C74D7EA5F96B15AEFF55AF.TMP
- \??\c:\Users\Admin\AppData\Local\Temp\rv4tfw4m\rv4tfw4m.0.cs
- \??\c:\Users\Admin\AppData\Local\Temp\rv4tfw4m\rv4tfw4m.cmdline
- \??\c:\Users\Admin\AppData\Local\Temp\z54ickbr\CSC199D470A5CD34F61AED790E736A93F47.TMP
- \??\c:\Users\Admin\AppData\Local\Temp\z54ickbr\z54ickbr.0.cs
- \??\c:\Users\Admin\AppData\Local\Temp\z54ickbr\z54ickbr.cmdline