Analysis
-
max time kernel
152s -
max time network
10s -
platform
windows7_x64 -
resource
win7v200722 -
submitted
19-10-2020 13:44
General
-
Target
the.ps1
-
Size
902KB
-
MD5
7770c598848339cf3562b7480856d584
-
SHA1
b3d39042aab832b7d2bed732c8b8e600a4cf5197
-
SHA256
ee3b0468a16789da8706d46aa361049ec51586c36899646a596b630d913e7304
-
SHA512
02af6d5910f0627074fbea72901b2f2b491f7dba58f53ae1fad1dc47230e000a7b459c8475a76aaf006629bb5822d89d4672d32fb64d073464ca41140cb134d2
Malware Config
Extracted
C:\ProgramData\Microsoft\User Account Pictures\828670-Readme.txt
netwalker
http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\828670-Readme.txt
netwalker
http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
-
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Modifies service 2 TTPs 5 IoCs
-
Drops file in Program Files directory 7579 IoCs
-
Suspicious behavior: EnumeratesProcesses 15586 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 6 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\the.ps12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hpvp0jrx\hpvp0jrx.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8C4.tmp" "c:\Users\Admin\AppData\Local\Temp\hpvp0jrx\CSCAEF9D3ED5A934D6F84DBFB154F6C25A.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4yfiid1z\4yfiid1z.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC716.tmp" "c:\Users\Admin\AppData\Local\Temp\4yfiid1z\CSC491E505C9CBD42B58D3FF43F2DFDA1F.TMP"4⤵
-
C:\Windows\system32\notepad.exeC:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\828670-Readme.txt"2⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\4yfiid1z\4yfiid1z.dllMD5
e103244a1d18552dea367f20a10b2fa8
SHA1b35ed51447add2bfa12d801daeda6f704389eb1d
SHA25612938e7ad7afc93ee0ece0633d8beb94383dc5f268dde11c450eeea96bedd111
SHA51252198611143337734fcb90adcd4a72b65b3274dc2a96a1cc25aa1c8e526c0e193e7633c4c74d870d7b0cfa75aa01f3aedcfa1c4beb4d07af80d6059ba1c496b7
-
C:\Users\Admin\AppData\Local\Temp\RESB8C4.tmpMD5
d5b0e8e890bdead4128a828f7f4bdc86
SHA1b50a6e4e8524baec3ecb92f14253634317827ea6
SHA256c37db827fefdaf9d195e47e5fb754bf5c38921f9cc32ed00097146031f0eb67e
SHA512b38e051f581285f5cdc32f4d1b39a925da3cbbff9300dafe80c6d7f8bf798bcdfc9b95870f66e3de9e1918f9fcfc26439ef84cb6ce875cfa8908a5f2762d481f
-
C:\Users\Admin\AppData\Local\Temp\RESC716.tmpMD5
bea305c92477ae2d46467d0f51d97702
SHA162fe4a16cceef7b7e0ccd5f7dc615a215a848073
SHA256c71edc74b5106bdd9b105ae6bd55d4f25403ddcaebd47446896b2d82595114ec
SHA512b8e01d1c544f91c9526b5d0dcda6398a16da3ea673ec92d9d4d1d00baecafcc63f965bc68189d94bd2fcc113d5414b98f340b7021790bdeffda35a3aa1ff125e
-
C:\Users\Admin\AppData\Local\Temp\hpvp0jrx\hpvp0jrx.dllMD5
c10b86633d1def285c5af7068d411ab6
SHA1816f464e788db35c6adb1ad2bf274d8f5ba3d8b2
SHA2568525feefbaf15ecf59b576302cea53d3988b654a1c1d5218122a534c8580fe6d
SHA512f8136290f0e7077e37a593a55d1a50ea5fce073ba02125dbcfd30c26f3ed2d6e20e903a92baf02c89edee8510465bbf8a419b265298064a0fb2fbcb61b64ebdc
-
C:\Users\Admin\Desktop\828670-Readme.txtMD5
389fc69af6858d60cbe0834a66e170b0
SHA112b51a082103d67601d0d1c153c20c0814cb6182
SHA256cbebd034709a37c6ed30da6b968c2a73e22e0dde7ca07bcfd4de4c58978c5740
SHA512fd860e476e211205c823f1e2ac05e6e9f711cf3f703f60e818579470723a32f71a01e6f491d60762159444b8f36e7fc51c4b0732a0b88e178b47d594276a2960
-
\??\c:\Users\Admin\AppData\Local\Temp\4yfiid1z\4yfiid1z.0.csMD5
1cae52936facd4972987d3baef367d8d
SHA1ad2b4b58d20f290b9da416cef1ef305cf1df6781
SHA25628b45e56fb27763b4785974e380c96eef1436fc151a802f492db25052392d400
SHA5124ae36c0ac78177eea5a6e0fbab0f51f7d24c7a76eae75b67eab41fcace921cef256b02fb088e1afb3c445e59598fbea73270e6bca1eda32514221190daa501df
-
\??\c:\Users\Admin\AppData\Local\Temp\4yfiid1z\4yfiid1z.cmdlineMD5
7fffc9d3bf09516bc4998a495874288f
SHA17243e18d4e877cfc3c0a293fabf1978610e11c32
SHA2562a020764433b0efede5f25df8f4a5fa227b8b091e4aa16c95cf2414eb415f890
SHA512b4974f68265f1ae816060cf30107a336ccdb351dab68b7ae98fc8a9adf539c11ed8bb4d300a9fd348a8324e3fb795f95241c99fcd90ee1ba8d3d31f769a3d830
-
\??\c:\Users\Admin\AppData\Local\Temp\4yfiid1z\CSC491E505C9CBD42B58D3FF43F2DFDA1F.TMPMD5
4fa28ed53d39e4c9c2171451ab07a8e3
SHA1eabf681d7b8615f3595a274f9d0ecfb21f71cf6c
SHA256e4b0c5744d31fbcdbecabb66ab364ae567f6c0b2cb346ce60e718a6a23f27535
SHA512d406d7ab1a039c28ebf81553a32b5f884b0d3137652e2cd3348305ec786167f36ee370555e64bd0e5e43f0145c53b5fb77dd3659f2396cc2af0825e70ec58393
-
\??\c:\Users\Admin\AppData\Local\Temp\hpvp0jrx\CSCAEF9D3ED5A934D6F84DBFB154F6C25A.TMPMD5
3c0df5d7d78f6d586bd82cf12cd65546
SHA14c25b3d430eb04e3252f4bff32172a7c9bed512d
SHA25611a1890ea64b27e910a810ed46441ecbddbe0ed75d5477c637ac525eb01b748f
SHA5121aa9c8534a20f35318fbff5e6c76e1ff62c49c7d0bbdbe3ca049845e9be3a0fa1b624a36b7aab75a6a7545d6bd43b086f31baf649acd54b53bfa98fa1ead7683
-
\??\c:\Users\Admin\AppData\Local\Temp\hpvp0jrx\hpvp0jrx.0.csMD5
64db54f88f46e2ecc57b05a25966da8e
SHA1488dbbbab872714609ded38db924d38971a3685f
SHA256e2b586aa1613682b4f1b92f981fea15d0612a3e632bbd73cd7287518c9ed7cb5
SHA5128791b75874fd7a90bf63742abe6d299bc4370ad910591207d7630901d80765f6f6a4475809f23becf112360403423d0c691744f1024af3dd89c104f2b0b9e729
-
\??\c:\Users\Admin\AppData\Local\Temp\hpvp0jrx\hpvp0jrx.cmdlineMD5
c99635e2f9f43c81abb61c23a295076f
SHA112764829518545ae774dbef91d2b1715ccaf7ea6
SHA25645adcb8d9b478f0a6953d4732df59b1f57b6493d614010166d15b7127659cef6
SHA5124e999c4aea7b3ad65e98b4a808417a8274f8eaa2ddc32ea34206573b90db1fbcbff98363c2559bbfe2f07c66cb585a41377a7c4d2dfc0cfb01741ac3af17fcc2
-
memory/1188-31-0x0000000002E00000-0x0000000002E22000-memory.dmpFilesize
136KB
-
memory/1464-25-0x000000001A9E0000-0x000000001AA02000-memory.dmpFilesize
136KB
-
memory/1464-28-0x000000001A9E0000-0x000000001AA02000-memory.dmpFilesize
136KB
-
memory/1464-14-0x000000001C4E0000-0x000000001C4E1000-memory.dmpFilesize
4KB
-
memory/1464-1-0x00000000024A0000-0x00000000024A1000-memory.dmpFilesize
4KB
-
memory/1464-0-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmpFilesize
9.9MB
-
memory/1464-5-0x000000001C720000-0x000000001C721000-memory.dmpFilesize
4KB
-
memory/1464-29-0x000000001A9E0000-0x000000001AA02000-memory.dmpFilesize
136KB
-
memory/1464-4-0x00000000022F0000-0x00000000022F1000-memory.dmpFilesize
4KB
-
memory/1464-3-0x0000000002560000-0x0000000002561000-memory.dmpFilesize
4KB
-
memory/1464-2-0x000000001ABB0000-0x000000001ABB1000-memory.dmpFilesize
4KB
-
memory/1464-22-0x0000000002590000-0x0000000002592000-memory.dmpFilesize
8KB
-
memory/1464-23-0x000000001A9E0000-0x000000001AA02000-memory.dmpFilesize
136KB
-
memory/1464-24-0x000000001A9E0000-0x000000001AA02000-memory.dmpFilesize
136KB
-
memory/1464-13-0x0000000002310000-0x0000000002312000-memory.dmpFilesize
8KB
-
memory/1464-26-0x000000001A9E0000-0x000000001AA02000-memory.dmpFilesize
136KB
-
memory/1464-27-0x000000001A9E0000-0x000000001AA02000-memory.dmpFilesize
136KB
-
memory/1612-9-0x0000000000000000-mapping.dmp
-
memory/1904-6-0x0000000000000000-mapping.dmp
-
memory/1916-15-0x0000000000000000-mapping.dmp
-
memory/2024-18-0x0000000000000000-mapping.dmp
-
memory/5252-32-0x0000000000000000-mapping.dmp