Resubmissions

15-10-2020 13:59

201015-d11m2zjdgs 10

13-03-2020 03:32

200313-8w7dt2yb5n 9

Analysis

  • max time kernel
    75s
  • max time network
    73s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    15-10-2020 13:59

General

  • Target

    IRSdeclaration‮cod.exe

  • Size

    282KB

  • MD5

    fe3fd53ddc7c229b1150d970a05947c0

  • SHA1

    3abeddbbbd29310290955cc7c1a895550c92ab96

  • SHA256

    c414bbb789af8e3fb93b33344b31f1991582ec0f06558b29a3178d2b02465c72

  • SHA512

    8b94e67f48f90d7a0e463a7623ba6f87a5f4108f33587c8f579f29aa3c9b0a22f7e134470824d25dccb552bfc868b18cd3f05ef09aaceef2bab6984c21f203b4

Malware Config

Extracted

Path

C:\5138E8-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .5138e8 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5138e8: Xc5zSrtrA6QNffbGlMQ+siLG0O/0MCA2nxYcN14r4dggoI+yPr KbXcVFX9JGddBFzhp8tqtLcajb2ON/lvUFdxka3xBWAX9a41Zj AnVTWgB7qIQl9QczCSHu4vK3GwTTy5H1i0QEJTT4zNZVy1a4Tg 7PzFb1hqdBzmFpMR23ezvZoxBFDLcBPyiuZTEtqgC3hsbndUkF 5/Lr3FaHkLpvOEzZ9N2nk5iS0l3iiGSaXcwYrdT4UsWjooI7dQ 00us+4l4ppWqEPYBl83jH9n+E7hwpAKYe+VEjaRg==}
URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\5138E8-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .5138e8 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5138e8: Xc5zSrtrA6QNffbGlMQ+siLG0O/0MCA2nxYcN14r4dggoI+yPr KbXcVFX9JGddBFzhp8tqtLcajb2ON/lvUFdxka3xBWAX9a41Zj AnVTWgB7qIQl9QczCSHu4vK3GwTTy5H1i0QEJTT4zNZVy1a4Tg 7PzFb1hqdBzmFpMR23ezvZoxBFDLcBPyiuZTEtqgC3hsbndUkF 5/Lr3FaHkLpvOEzZ9N2nk5iS0l3iiGSaXcwYrdT4UsWjooI7dQ 00us+4l4ppWqEPYBl83jH9n+E7hwpAKYe+VEjaRg==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .5138e8 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5138e8: Xc5zSrtrA6QNffbGlMQ+siLG0O/0MCA2nxYcN14r4dggoI+yPr KbXcVFX9JGddBFzhp8tqtLcajb2ON/lvUFdxka3xBWAX9a41Zj AnVTWgB7qIQl9QczCSHu4vK3GwTTy5H1i0QEJTT4zNZVy1a4Tg 7PzFb1hqdBzmFpMR23ezvZoxBFDLcBPyiuZTEtqgC3hsbndUkF 5/Lr3FaHkLpvOEzZ9N2nk5iS0l3iiGSaXcwYrdT4UsWjooI7dQ 00us+4l4ppWqEPYBl83jH9n+E7hwpAKYe+VEjaRg==}
URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Program Files\5138E8-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .5138e8 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5138e8: Xc5zSrtrA6QNffbGlMQ+siLG0O/0MCA2nxYcN14r4dggoI+yPr KbXcVFX9JGddBFzhp8tqtLcajb2ON/lvUFdxka3xBWAX9a41Zj AnVTWgB7qIQl9QczCSHu4vK3GwTTy5H1i0QEJTT4zNZVy1a4Tg 7PzFb1hqdBzmFpMR23ezvZoxBFDLcBPyiuZTEtqgC3hsbndUkF 5/Lr3FaHkLpvOEzZ9N2nk5iS0l3iiGSaXcwYrdT4UsWjooI7dQ 00us+4l4ppWqEPYBl83jH9n+E7hwpAKYe+VEjaRg==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .5138e8 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5138e8: Xc5zSrtrA6QNffbGlMQ+siLG0O/0MCA2nxYcN14r4dggoI+yPr KbXcVFX9JGddBFzhp8tqtLcajb2ON/lvUFdxka3xBWAX9a41Zj AnVTWgB7qIQl9QczCSHu4vK3GwTTy5H1i0QEJTT4zNZVy1a4Tg 7PzFb1hqdBzmFpMR23ezvZoxBFDLcBPyiuZTEtqgC3hsbndUkF 5/Lr3FaHkLpvOEzZ9N2nk5iS0l3iiGSaXcwYrdT4UsWjooI7dQ 00us+4l4ppWqEPYBl83jH9n+E7hwpAKYe+VEjaRg==}Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .5138e8 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_5138e8: Xc5zSrtrA6QNffbGlMQ+siLG0O/0MCA2nxYcN14r4dggoI+yPr KbXcVFX9JGddBFzhp8tqtLcajb2ON/lvUFdxka3xBWAX9a41Zj AnVTWgB7qIQl9QczCSHu4vK3GwTTy5H1i0QEJTT4zNZVy1a4Tg 7PzFb1hqdBzmFpMR23ezvZoxBFDLcBPyiuZTEtqgC3hsbndUkF 5/Lr3FaHkLpvOEzZ9N2nk5iS0l3iiGSaXcwYrdT4UsWjooI7dQ 00us+4l4ppWqEPYBl83jH9n+E7hwpAKYe+VEjaRg==}
URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

  • Netwalker Ransomware

    Ransomware family with multiple versions. Also known as MailTo.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Modifies service 2 TTPs 5 IoCs
  • Drops file in Program Files directory 17092 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 21217 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\IRSdeclaration‮cod.exe
    "C:\Users\Admin\AppData\Local\Temp\IRSdeclaration‮cod.exe"
    1⤵
    • Modifies extensions of user files
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3944
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:3692
    • C:\Windows\SysWOW64\notepad.exe
      C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\5138E8-Readme.txt"
      2⤵
        PID:8180
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\E07D.tmp.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:7384
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /PID 3944
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:7104
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Modifies service
      • Suspicious use of AdjustPrivilegeToken
      PID:5580

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Persistence

    Modify Existing Service

    1
    T1031

    Defense Evasion

    File Deletion

    2
    T1107

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Collection

    Data from Local System

    1
    T1005

    Impact

    Inhibit System Recovery

    2
    T1490

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\E07D.tmp.bat
      MD5

      70d09fa719ebb277ef5dcb76c7060664

      SHA1

      d2c588d4524bab81cda6d6d988b2726fbaddd2b2

      SHA256

      88da1c28de6226e2092ff2ea5e7b3f000aed95794e502eef9c00bcc2fb7d4845

      SHA512

      8806c8bc5baf67d89c4d546395e1e5206f658b55bde8b7271290686ecbbae5a5f54ed338213b26f767db243c46c1affda5dce64d8021208dab9159ae59b90f83

    • C:\Users\Admin\Desktop\5138E8-Readme.txt
      MD5

      fa68eea91e52b87c18a98ca8cd8a0ab9

      SHA1

      94dfe79a6d6dc9ab25cec05a5dacaef9edde6386

      SHA256

      a997318e47d2231cf3d8ecdc337d54af84b5fadf84bd6070e75529f3087c7137

      SHA512

      fed6bf7636f42344595ddbd878b0e33a8f7d1e924e71bfea6ba491994e63e345dcf3eb2c17c3148a48e5d0320377cbbd45d46597de9d1a007ddd66207d5991c0

    • memory/3692-0-0x0000000000000000-mapping.dmp
    • memory/7104-4-0x0000000000000000-mapping.dmp
    • memory/7384-2-0x0000000000000000-mapping.dmp
    • memory/8180-1-0x0000000000000000-mapping.dmp