netwalker | b692668c4cb71b1029d7a0b062fa5177fff06105da3a35c070466fa3992f7081

General

Target

1.ps1
Size

1.5MB
MD5

8336572266de59a362177d39dfd212be
SHA1

9b2cea93d845507cd7cd7abde1b5fcc8218a3d76
SHA256

b692668c4cb71b1029d7a0b062fa5177fff06105da3a35c070466fa3992f7081
SHA512

fcfcc5869e5248da747bc9a68d5cbc695892634ed81dd130a9ffbd487ce70a8a5991c6309dafc2a6f32ba2a2c2c0997d2f4fa373ac6b9e405f6636c91f5c16d4

Score

10^/10

ransomware netwalker

Malware Config

Extracted

Path

C:\Users\Public\Libraries\7B3FE5-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .7b3fe5 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_7b3fe5: eXyhIy81RXpMhaQkxb0XoaUrlmvTiTLAQ4Dm7vG3MXRoW+/kuO nSte7EQumeDE/ANEOjbScN2xjTov3ae6LwwlJofmW7gWB565Yy i4N8Vaq6Yan8XmV6RaNt8VbFYWt+DiOToTcq0gpxkePFzUY+vk NTFLjNhjyTD0cffKeDb7KqxbvE+OF5+6M7nS+EgWbItqhOpK2B r4aVFvCD0cNBMjnNts0A7x+CtQ865pcDQxWHZnxjGkC0Xz0FNr omOqj2Ctn0dfEVtkX/uaxd9cSTf8RdXCtI6evcKQ==}<Kw�B�?

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

Extracted

Path

C:\Program Files\7B3FE5-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .7b3fe5 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_7b3fe5: eXyhIy81RXpMhaQkxb0XoaUrlmvTiTLAQ4Dm7vG3MXRoW+/kuO nSte7EQumeDE/ANEOjbScN2xjTov3ae6LwwlJofmW7gWB565Yy i4N8Vaq6Yan8XmV6RaNt8VbFYWt+DiOToTcq0gpxkePFzUY+vk NTFLjNhjyTD0cffKeDb7KqxbvE+OF5+6M7nS+EgWbItqhOpK2B r4aVFvCD0cNBMjnNts0A7x+CtQ865pcDQxWHZnxjGkC0Xz0FNr omOqj2Ctn0dfEVtkX/uaxd9cSTf8RdXCtI6evcKQ==}<Kw�B�?Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .7b3fe5 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_7b3fe5: eXyhIy81RXpMhaQkxb0XoaUrlmvTiTLAQ4Dm7vG3MXRoW+/kuO nSte7EQumeDE/ANEOjbScN2xjTov3ae6LwwlJofmW7gWB565Yy i4N8Vaq6Yan8XmV6RaNt8VbFYWt+DiOToTcq0gpxkePFzUY+vk NTFLjNhjyTD0cffKeDb7KqxbvE+OF5+6M7nS+EgWbItqhOpK2B r4aVFvCD0cNBMjnNts0A7x+CtQ865pcDQxWHZnxjGkC0Xz0FNr omOqj2Ctn0dfEVtkX/uaxd9cSTf8RdXCtI6evcKQ==}<Kw�B�?

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

Extracted

Path

C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082\7B3FE5-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .7b3fe5 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_7b3fe5: eXyhIy81RXpMhaQkxb0XoaUrlmvTiTLAQ4Dm7vG3MXRoW+/kuO nSte7EQumeDE/ANEOjbScN2xjTov3ae6LwwlJofmW7gWB565Yy i4N8Vaq6Yan8XmV6RaNt8VbFYWt+DiOToTcq0gpxkePFzUY+vk NTFLjNhjyTD0cffKeDb7KqxbvE+OF5+6M7nS+EgWbItqhOpK2B r4aVFvCD0cNBMjnNts0A7x+CtQ865pcDQxWHZnxjGkC0Xz0FNr omOqj2Ctn0dfEVtkX/uaxd9cSTf8RdXCtI6evcKQ==}<Kw�B�?Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .7b3fe5 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_7b3fe5: eXyhIy81RXpMhaQkxb0XoaUrlmvTiTLAQ4Dm7vG3MXRoW+/kuO nSte7EQumeDE/ANEOjbScN2xjTov3ae6LwwlJofmW7gWB565Yy i4N8Vaq6Yan8XmV6RaNt8VbFYWt+DiOToTcq0gpxkePFzUY+vk NTFLjNhjyTD0cffKeDb7KqxbvE+OF5+6M7nS+EgWbItqhOpK2B r4aVFvCD0cNBMjnNts0A7x+CtQ865pcDQxWHZnxjGkC0Xz0FNr omOqj2Ctn0dfEVtkX/uaxd9cSTf8RdXCtI6evcKQ==}<Kw�B�?Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .7b3fe5 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_7b3fe5: eXyhIy81RXpMhaQkxb0XoaUrlmvTiTLAQ4Dm7vG3MXRoW+/kuO nSte7EQumeDE/ANEOjbScN2xjTov3ae6LwwlJofmW7gWB565Yy i4N8Vaq6Yan8XmV6RaNt8VbFYWt+DiOToTcq0gpxkePFzUY+vk NTFLjNhjyTD0cffKeDb7KqxbvE+OF5+6M7nS+EgWbItqhOpK2B r4aVFvCD0cNBMjnNts0A7x+CtQ865pcDQxWHZnxjGkC0Xz0FNr omOqj2Ctn0dfEVtkX/uaxd9cSTf8RdXCtI6evcKQ==}<Kw�B�?Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .7b3fe5 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_7b3fe5: eXyhIy81RXpMhaQkxb0XoaUrlmvTiTLAQ4Dm7vG3MXRoW+/kuO nSte7EQumeDE/ANEOjbScN2xjTov3ae6LwwlJofmW7gWB565Yy i4N8Vaq6Yan8XmV6RaNt8VbFYWt+DiOToTcq0gpxkePFzUY+vk NTFLjNhjyTD0cffKeDb7KqxbvE+OF5+6M7nS+EgWbItqhOpK2B r4aVFvCD0cNBMjnNts0A7x+CtQ865pcDQxWHZnxjGkC0Xz0FNr omOqj2Ctn0dfEVtkX/uaxd9cSTf8RdXCtI6evcKQ==}<Kw�B�?Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .7b3fe5 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_7b3fe5: eXyhIy81RXpMhaQkxb0XoaUrlmvTiTLAQ4Dm7vG3MXRoW+/kuO nSte7EQumeDE/ANEOjbScN2xjTov3ae6LwwlJofmW7gWB565Yy i4N8Vaq6Yan8XmV6RaNt8VbFYWt+DiOToTcq0gpxkePFzUY+vk NTFLjNhjyTD0cffKeDb7KqxbvE+OF5+6M7nS+EgWbItqhOpK2B r4aVFvCD0cNBMjnNts0A7x+CtQ865pcDQxWHZnxjGkC0Xz0FNr omOqj2Ctn0dfEVtkX/uaxd9cSTf8RdXCtI6evcKQ==}<Kw�B�?Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .7b3fe5 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_7b3fe5: eXyhIy81RXpMhaQkxb0XoaUrlmvTiTLAQ4Dm7vG3MXRoW+/kuO nSte7EQumeDE/ANEOjbScN2xjTov3ae6LwwlJofmW7gWB565Yy i4N8Vaq6Yan8XmV6RaNt8VbFYWt+DiOToTcq0gpxkePFzUY+vk NTFLjNhjyTD0cffKeDb7KqxbvE+OF5+6M7nS+EgWbItqhOpK2B r4aVFvCD0cNBMjnNts0A7x+CtQ865pcDQxWHZnxjGkC0Xz0FNr omOqj2Ctn0dfEVtkX/uaxd9cSTf8RdXCtI6evcKQ==}<Kw�B�?Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .7b3fe5 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_7b3fe5: eXyhIy81RXpMhaQkxb0XoaUrlmvTiTLAQ4Dm7vG3MXRoW+/kuO nSte7EQumeDE/ANEOjbScN2xjTov3ae6LwwlJofmW7gWB565Yy i4N8Vaq6Yan8XmV6RaNt8VbFYWt+DiOToTcq0gpxkePFzUY+vk NTFLjNhjyTD0cffKeDb7KqxbvE+OF5+6M7nS+EgWbItqhOpK2B r4aVFvCD0cNBMjnNts0A7x+CtQ865pcDQxWHZnxjGkC0Xz0FNr omOqj2Ctn0dfEVtkX/uaxd9cSTf8RdXCtI6evcKQ==}<Kw�B�?

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

Extracted

Path

C:\Program Files\Microsoft Office\CLIPART\PUB60COR\7B3FE5-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .7b3fe5 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_7b3fe5: eXyhIy81RXpMhaQkxb0XoaUrlmvTiTLAQ4Dm7vG3MXRoW+/kuO nSte7EQumeDE/ANEOjbScN2xjTov3ae6LwwlJofmW7gWB565Yy i4N8Vaq6Yan8XmV6RaNt8VbFYWt+DiOToTcq0gpxkePFzUY+vk NTFLjNhjyTD0cffKeDb7KqxbvE+OF5+6M7nS+EgWbItqhOpK2B r4aVFvCD0cNBMjnNts0A7x+CtQ865pcDQxWHZnxjGkC0Xz0FNr omOqj2Ctn0dfEVtkX/uaxd9cSTf8RdXCtI6evcKQ==}<Kw�B�?Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .7b3fe5 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_7b3fe5: eXyhIy81RXpMhaQkxb0XoaUrlmvTiTLAQ4Dm7vG3MXRoW+/kuO nSte7EQumeDE/ANEOjbScN2xjTov3ae6LwwlJofmW7gWB565Yy i4N8Vaq6Yan8XmV6RaNt8VbFYWt+DiOToTcq0gpxkePFzUY+vk NTFLjNhjyTD0cffKeDb7KqxbvE+OF5+6M7nS+EgWbItqhOpK2B r4aVFvCD0cNBMjnNts0A7x+CtQ865pcDQxWHZnxjGkC0Xz0FNr omOqj2Ctn0dfEVtkX/uaxd9cSTf8RdXCtI6evcKQ==}<Kw�B�?Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .7b3fe5 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_7b3fe5: eXyhIy81RXpMhaQkxb0XoaUrlmvTiTLAQ4Dm7vG3MXRoW+/kuO nSte7EQumeDE/ANEOjbScN2xjTov3ae6LwwlJofmW7gWB565Yy i4N8Vaq6Yan8XmV6RaNt8VbFYWt+DiOToTcq0gpxkePFzUY+vk NTFLjNhjyTD0cffKeDb7KqxbvE+OF5+6M7nS+EgWbItqhOpK2B r4aVFvCD0cNBMjnNts0A7x+CtQ865pcDQxWHZnxjGkC0Xz0FNr omOqj2Ctn0dfEVtkX/uaxd9cSTf8RdXCtI6evcKQ==}<Kw�B�?

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

Signatures

Netwalker
Ransomware believed to be a variant of MailTo.
ransomware netwalker

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeImpersonatePrivilege	1764	powershell.exe

Suspicious behavior: EnumeratesProcesses 229 IoCs

Processes:

powershell.exepowershell.exe

pid	process
1660	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

powershell.execsc.execsc.exepowershell.execsc.execsc.exe

description	pid	process	target process
PID 1660 wrote to memory of 1676	1660	powershell.exe	csc.exe
PID 1660 wrote to memory of 1676	1660	powershell.exe	csc.exe
PID 1660 wrote to memory of 1676	1660	powershell.exe	csc.exe
PID 1676 wrote to memory of 1620	1676	csc.exe	cvtres.exe
PID 1676 wrote to memory of 1620	1676	csc.exe	cvtres.exe
PID 1676 wrote to memory of 1620	1676	csc.exe	cvtres.exe
PID 1660 wrote to memory of 1616	1660	powershell.exe	csc.exe
PID 1660 wrote to memory of 1616	1660	powershell.exe	csc.exe
PID 1660 wrote to memory of 1616	1660	powershell.exe	csc.exe
PID 1616 wrote to memory of 1732	1616	csc.exe	cvtres.exe
PID 1616 wrote to memory of 1732	1616	csc.exe	cvtres.exe
PID 1616 wrote to memory of 1732	1616	csc.exe	cvtres.exe
PID 1660 wrote to memory of 1764	1660	powershell.exe	powershell.exe
PID 1660 wrote to memory of 1764	1660	powershell.exe	powershell.exe
PID 1660 wrote to memory of 1764	1660	powershell.exe	powershell.exe
PID 1660 wrote to memory of 1764	1660	powershell.exe	powershell.exe
PID 1764 wrote to memory of 1848	1764	powershell.exe	csc.exe
PID 1764 wrote to memory of 1848	1764	powershell.exe	csc.exe
PID 1764 wrote to memory of 1848	1764	powershell.exe	csc.exe
PID 1764 wrote to memory of 1848	1764	powershell.exe	csc.exe
PID 1848 wrote to memory of 1748	1848	csc.exe	cvtres.exe
PID 1848 wrote to memory of 1748	1848	csc.exe	cvtres.exe
PID 1848 wrote to memory of 1748	1848	csc.exe	cvtres.exe
PID 1848 wrote to memory of 1748	1848	csc.exe	cvtres.exe
PID 1764 wrote to memory of 1740	1764	powershell.exe	csc.exe
PID 1764 wrote to memory of 1740	1764	powershell.exe	csc.exe
PID 1764 wrote to memory of 1740	1764	powershell.exe	csc.exe
PID 1764 wrote to memory of 1740	1764	powershell.exe	csc.exe
PID 1740 wrote to memory of 1052	1740	csc.exe	cvtres.exe
PID 1740 wrote to memory of 1052	1740	csc.exe	cvtres.exe
PID 1740 wrote to memory of 1052	1740	csc.exe	cvtres.exe
PID 1740 wrote to memory of 1052	1740	csc.exe	cvtres.exe
PID 1764 wrote to memory of 8060	1764	powershell.exe	notepad.exe
PID 1764 wrote to memory of 8060	1764	powershell.exe	notepad.exe
PID 1764 wrote to memory of 8060	1764	powershell.exe	notepad.exe
PID 1764 wrote to memory of 8060	1764	powershell.exe	notepad.exe

Drops file in Program Files directory 7379 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ko.properties	powershell.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\Templates\1033\EquityLetter.Dotx	powershell.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\7B3FE5-Readme.txt	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME23.CSS	powershell.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Pontianak	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA00810_.WMF	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0157191.WMF	powershell.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX9.x3d	powershell.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT	powershell.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml	powershell.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\MSPUB.DEV_COL.HXC	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE00578_.WMF	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00513_.WMF	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Person.gif	powershell.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Yakutat	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.Runtime.xml	powershell.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-13	powershell.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Seoul	powershell.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif	powershell.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png	powershell.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar	powershell.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_ja_4.4.0.v20140623020002.jar	powershell.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Nauru	powershell.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Folder-48.png	powershell.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaBrightDemiItalic.ttf	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14579_.GIF	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsDoNotTrust.html	powershell.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_ja.jar	powershell.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-modules-appui.jar	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\IPIRM.XML	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Trek.thmx	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImages.jpg	powershell.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_zh_CN.jar	powershell.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiItalic.ttf	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\TexturedBlue.css	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR50F.GIF	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0186348.WMF	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsHomePageScript.js	powershell.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.zh_CN_5.5.0.165303.jar	powershell.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core.xml	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR4B.GIF	powershell.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc	powershell.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Paramaribo	powershell.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca	powershell.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\7B3FE5-Readme.txt	powershell.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.identity_3.4.0.v20140827-1444.jar	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\FD02158_.WMF	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00935_.WMF	powershell.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\To_Do_List.jtp	powershell.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\MSO.ACL	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0178632.JPG	powershell.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\localedata.jar	powershell.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mahe	powershell.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-options_ja.jar	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0183174.WMF	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MML2OMML.XSL	powershell.exe
File opened for modification	C:\Program Files\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Informix.xsl	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0107146.WMF	powershell.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC	powershell.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Menominee	powershell.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\ENV98SP.POC	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\1.ps1
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3poimcy0\3poimcy0.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9665.tmp" "c:\Users\Admin\AppData\Local\Temp\3poimcy0\CSC106ED3C496F24ED89673B010989CBD2.TMP"
3⤵
PID:1620

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rv4tfw4m\rv4tfw4m.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES975E.tmp" "c:\Users\Admin\AppData\Local\Temp\rv4tfw4m\CSC14D4317888C74D7EA5F96B15AEFF55AF.TMP"
3⤵
PID:1732

C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe
"C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe" -NonInteractive -NoProfile -file C:\Users\Admin\AppData\Local\Temp\1.ps1
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Drops file in Program Files directory
PID:1764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z54ickbr\z54ickbr.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF67.tmp" "c:\Users\Admin\AppData\Local\Temp\z54ickbr\CSC199D470A5CD34F61AED790E736A93F47.TMP"
4⤵
PID:1748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2kll20yb\2kll20yb.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC042.tmp" "c:\Users\Admin\AppData\Local\Temp\2kll20yb\CSC415934B7F79646BBA8969BC97F8B949D.TMP"
4⤵
PID:1052

C:\Windows\SysWOW64\notepad.exe
C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\7B3FE5-Readme.txt"
3⤵
PID:8060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2kll20yb\2kll20yb.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\3poimcy0\3poimcy0.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9665.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES975E.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBF67.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC042.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\rv4tfw4m\rv4tfw4m.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\z54ickbr\z54ickbr.dll

Download Submit
C:\Users\Admin\Desktop\7B3FE5-Readme.txt

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2kll20yb\2kll20yb.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2kll20yb\2kll20yb.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2kll20yb\CSC415934B7F79646BBA8969BC97F8B949D.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3poimcy0\3poimcy0.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3poimcy0\3poimcy0.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3poimcy0\CSC106ED3C496F24ED89673B010989CBD2.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rv4tfw4m\CSC14D4317888C74D7EA5F96B15AEFF55AF.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rv4tfw4m\rv4tfw4m.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rv4tfw4m\rv4tfw4m.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z54ickbr\CSC199D470A5CD34F61AED790E736A93F47.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z54ickbr\z54ickbr.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z54ickbr\z54ickbr.cmdline

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads