Analysis
-
max time kernel
152s -
max time network
14s -
platform
windows7_x64 -
resource
win7 -
submitted
26-10-2020 08:05
General
-
Target
skyfall_user wilsonk_wilsonk_ste.txt.ps1
-
Size
903KB
-
MD5
819c083652fb851efcd0454ae9ecae14
-
SHA1
c440ab6e70fc6d2dff7f7b3478b03a99672d062f
-
SHA256
1a387a66d0ae9f0aabeb33f46856fcd8d7621d210d87494f696b831f94537f1b
-
SHA512
3caee374a5ef95453c785afe148d8ec54eaf1136306163c4c9e4352e8a410f05d7759d02ff689298333cfe5b57bc1464a935a9cece336bc328d5edf99cd0bb51
Malware Config
Extracted
C:\E352FC-Readme.txt
netwalker
http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted
C:\Program Files\E352FC-Readme.txt
netwalker
http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
-
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
-
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Modifies service 2 TTPs 5 IoCs
-
Drops file in Program Files directory 7473 IoCs
-
Suspicious behavior: EnumeratesProcesses 13641 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 6 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\skyfall_user wilsonk_wilsonk_ste.txt.ps1"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i5xecy2w\i5xecy2w.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3063.tmp" "c:\Users\Admin\AppData\Local\Temp\i5xecy2w\CSCD7CB6F0ECADE44278EA68F6C361FA627.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hc0begsd\hc0begsd.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES366C.tmp" "c:\Users\Admin\AppData\Local\Temp\hc0begsd\CSCDA1FBF0786824466B020A9545574A81B.TMP"4⤵
-
C:\Windows\system32\notepad.exeC:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\E352FC-Readme.txt"2⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES3063.tmpMD5
0af9216aa6f8f67189082d3158a3261b
SHA14875c14450ce000034981ae387ad35d903129d08
SHA256ed892782c0e6db79999eb8c0d602e4d8f3749a58c663493722f723a555a68e74
SHA51228bc41a427a2c67aa7dbfb8b9b3d5eda2907ec0041a7416769d6f1a4f832b802bf8bf6836c3e7bca98dab2fe9fe5f547e452f26c84ac471c97134eabaeddbeee
-
C:\Users\Admin\AppData\Local\Temp\RES366C.tmpMD5
7aa372100530504822d7091fe43cc2d1
SHA103e159167d0afd5f12ae05aa24deae459a06ba7b
SHA256e1f8a1349ec67789d24afb1bfae1de14bd97bc08199e85efc326e1ea1bca3557
SHA512fb2e5e350fc10b3b1a1371552d32bf1918fc2b3138bb110701f4cf43c8627ce27999e82faae7cf91af493712da5b65b26a0fbda848e480467d350500470afeb3
-
C:\Users\Admin\AppData\Local\Temp\hc0begsd\hc0begsd.dllMD5
5f042f4543204b2cd3d10f0cd3336cb1
SHA1749a62dcfd251ad0008049d1f648f5d39dd9263e
SHA2564b82e0dc7f459323582b1828a99a714c6831732123f3f95c6c18bda059d0aed8
SHA512c1666a8e94dca7b7da820a8757023045f5888652cdc7034f52eebd7f0bc519989f1b0497f3933f275ced053253a9348c390c661840e7e2d1072929940a9d2484
-
C:\Users\Admin\AppData\Local\Temp\i5xecy2w\i5xecy2w.dllMD5
0134ed54c60532698088ba6af3ffa8ff
SHA1799ee8d4744e11cce140797e90fceaf60c51594c
SHA256cf769a49e2ce427d9d0ecb222023bfb7f3ae54229ff1005c1d8114bc5e0ab59b
SHA5127bc689cbf28f1dc409593b0a6339a9518b1d8fe4cd58b12034e7932fe516991e2f23b62c16c4d4023cfe20fb48a8127a36f25f1f6570a6f9250a02c056551ddd
-
C:\Users\Admin\Desktop\E352FC-Readme.txtMD5
33400a93a045402135c10c763a8be713
SHA1d2f0637ae0f89d8d69c562feda49dd24f86aa0fd
SHA256b895e4c58e9b39461ebaf41234579d9eb01400d51d4ccb685b2e26e7e1c698c4
SHA512eb63901fe7495a857ee505080381700de827240b899e3687092b8b48e126679926ade7e89ae8d07ff1a0353c2be6429ad28ffa672d7ddccb4fb8b23ee8f09ebd
-
\??\c:\Users\Admin\AppData\Local\Temp\hc0begsd\CSCDA1FBF0786824466B020A9545574A81B.TMPMD5
655f271b24038700118ccdf6feaee18e
SHA14bdf115d6bedeec63894827fdb6f22ec6e7738a2
SHA256c5869389fbb9c175c4aec031b551f2f43b1bfb43d238556a8e4a1d6bcddcae03
SHA512c15c540ce50bd296e3a41e803b5fb8676854155539b1f9ca82e95e67d923e130a07e41b3c018e60e222084e03ee6c2f86b6439382871eeca4fd4616860becb0b
-
\??\c:\Users\Admin\AppData\Local\Temp\hc0begsd\hc0begsd.0.csMD5
9c660f9090f1af99c41e8c233fad505a
SHA19d8bfb8f1118477e78d020d2afd32875ea68f898
SHA25677a4cfc93d8aebcd9ef51542d336761f9480df1ccbdc3441c4d4ad4b1e671051
SHA5127f9ec2cc4953c2a1d4c289e47a9619497c0d84c87701054da869493a6bc61b26468576d044ac1d383502cdaea364fdc40415d881beb2e34b319cec19c721a360
-
\??\c:\Users\Admin\AppData\Local\Temp\hc0begsd\hc0begsd.cmdlineMD5
a25ec24eedb3e40364e652dda5c66494
SHA1aa9fddcebb1935c58cc92d60e8785ed63b1f06e9
SHA25628d86b96f28f4503d69c34978f4ef0bfbf77ebc3ad6783547582a683564dfe17
SHA512ba92cf3cab044488fd47fbad35870a13dccba0f0d0ffc48b5b2de6f1a0f9d44c05432282543cb71d80a8ae01d125e09bfeca4e5c1f96361516084b612df663ce
-
\??\c:\Users\Admin\AppData\Local\Temp\i5xecy2w\CSCD7CB6F0ECADE44278EA68F6C361FA627.TMPMD5
94fefe4b24459b46f1d62c40509b5984
SHA1d2201e44b97acfbd2095a8a0f296ac5f2b68be7c
SHA2568a4105537ea306058e5b9f3fa6718ecac1211541767462704b2e7eea4d8e19af
SHA512db6c273e1dffc14d132b894b7a9f860f12bc2678d81b45288e7b8985174bc1d549389fbc508db5ecc66e9ee828df3beadeee337854e9c9b05fe0ee08de62a486
-
\??\c:\Users\Admin\AppData\Local\Temp\i5xecy2w\i5xecy2w.0.csMD5
79349a963ce9941dd07c2edaa0f9d7aa
SHA19d3a3d9e9b9711dcb992cfbc580640e4ebe24a20
SHA256b105386d21df7c708c2004acf984e928a7f2ed577f64bbec10ef7ca644dac484
SHA512a7cf356b78d83544f3e539bc81f7392d7ac05ab6e4c4e18a3ba05bfe827a7ee991d8f40e658edb3db02d2876335b5f7d5ca0896debdaaa62b094872f4caeb59c
-
\??\c:\Users\Admin\AppData\Local\Temp\i5xecy2w\i5xecy2w.cmdlineMD5
68b874ceeb521100ef557eee4f26b891
SHA1715d1edab2cae20c6db72e308a50edce163499f9
SHA256142ae82f8ee26417a40c2fcaf63a885c9b169740e038d601ffb4947862791c98
SHA5122463c1fcc29d2a150cfc242de51fda98a56eafe277d7e44b94136c8542c41c965933e9b15d01c31d57c40daad6400e8569db2e63d7a8e0e2de8866cca35b27e4
-
memory/288-25-0x000000001A9E0000-0x000000001AA02000-memory.dmpFilesize
136KB
-
memory/288-13-0x00000000024A0000-0x00000000024A2000-memory.dmpFilesize
8KB
-
memory/288-22-0x0000000002740000-0x0000000002742000-memory.dmpFilesize
8KB
-
memory/288-14-0x000000001C550000-0x000000001C551000-memory.dmpFilesize
4KB
-
memory/288-2-0x000000001AAE0000-0x000000001AAE1000-memory.dmpFilesize
4KB
-
memory/288-29-0x000000001A9E0000-0x000000001AA02000-memory.dmpFilesize
136KB
-
memory/288-5-0x000000001BAC0000-0x000000001BAC1000-memory.dmpFilesize
4KB
-
memory/288-28-0x000000001A9E0000-0x000000001AA02000-memory.dmpFilesize
136KB
-
memory/288-23-0x000000001A9E0000-0x000000001AA02000-memory.dmpFilesize
136KB
-
memory/288-3-0x00000000024B0000-0x00000000024B1000-memory.dmpFilesize
4KB
-
memory/288-1-0x0000000002460000-0x0000000002461000-memory.dmpFilesize
4KB
-
memory/288-0-0x000007FEF5E20000-0x000007FEF680C000-memory.dmpFilesize
9.9MB
-
memory/288-4-0x0000000002560000-0x0000000002561000-memory.dmpFilesize
4KB
-
memory/288-24-0x000000001A9E0000-0x000000001AA02000-memory.dmpFilesize
136KB
-
memory/288-27-0x000000001A9E0000-0x000000001AA02000-memory.dmpFilesize
136KB
-
memory/288-26-0x000000001A9E0000-0x000000001AA02000-memory.dmpFilesize
136KB
-
memory/756-15-0x0000000000000000-mapping.dmp
-
memory/792-18-0x0000000000000000-mapping.dmp
-
memory/1208-6-0x0000000000000000-mapping.dmp
-
memory/1212-31-0x0000000002C10000-0x0000000002C32000-memory.dmpFilesize
136KB
-
memory/1536-9-0x0000000000000000-mapping.dmp
-
memory/5696-32-0x0000000000000000-mapping.dmp