Overview

overview

10

Static

static

b587d049e9...f2.exe

windows7_x64

10

b587d049e9...f2.exe

windows10_x64

10

Analysis

  • max time kernel
    129s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-11-2020 20:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe

  • Size

    148KB

  • MD5

    291e1ce9cd3ea77fb64937d3212e8ef6

  • SHA1

    68fd5b77f7e6824545664a620a62de630948e4b0

  • SHA256

    b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2

  • SHA512

    a63ef33ee1fa00e0bf9e395a9f3ed8793b1dcc1b90a1bf5e7d8dcae5e9fb28cb28eaf0c658883d66566a0eef6986e7377147ed26310d2e3e79d71e223cae1633

Score
10/10
netwalkerpersistenceransomwarespyware

Malware Config

Extracted

Path

C:\C6AD3-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted. All encrypted files for this computer has extension: .c6ad3 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_a35f346f_c6ad3: GCYqWbouzflxtQSMfk/HQ6xBM7T9nFLWUbGg1fTuulcEDS+eC5 VwHVzaniPys28rTjqll5hNM6swFb67PGi8boYukW6+ClcObzRf o0JgsFbabqA8slHiKOXtS+ay3UK4+C3HcPl440axTKFR7ZJA49 DdBW1a8CDmcVJJjgsjFsjmIzBfQsIt0PbYIHrvcRL3gq6tG6lg gU5VZBRixBAKJPylnUzp0DmKtJogx3NdNcis4if4pyL1n9xK5z 28IvpeOhBB80Mb0f0Bn9tUImTGCbStwac=}
Emails

sevenoneone@cock.li

kavariusing@tutanota.com

Extracted

Path

C:\Program Files\VideoLAN\VLC\lua\http\js\C6AD3-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted. All encrypted files for this computer has extension: .c6ad3 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_a35f346f_c6ad3: GCYqWbouzflxtQSMfk/HQ6xBM7T9nFLWUbGg1fTuulcEDS+eC5 VwHVzaniPys28rTjqll5hNM6swFb67PGi8boYukW6+ClcObzRf o0JgsFbabqA8slHiKOXtS+ay3UK4+C3HcPl440axTKFR7ZJA49 DdBW1a8CDmcVJJjgsjFsjmIzBfQsIt0PbYIHrvcRL3gq6tG6lg gU5VZBRixBAKJPylnUzp0DmKtJogx3NdNcis4if4pyL1n9xK5z 28IvpeOhBB80Mb0f0Bn9tUImTGCbStwac=}Hi! Your files are encrypted. All encrypted files for this computer has extension: .c6ad3 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_a35f346f_c6ad3: GCYqWbouzflxtQSMfk/HQ6xBM7T9nFLWUbGg1fTuulcEDS+eC5 VwHVzaniPys28rTjqll5hNM6swFb67PGi8boYukW6+ClcObzRf o0JgsFbabqA8slHiKOXtS+ay3UK4+C3HcPl440axTKFR7ZJA49 DdBW1a8CDmcVJJjgsjFsjmIzBfQsIt0PbYIHrvcRL3gq6tG6lg gU5VZBRixBAKJPylnUzp0DmKtJogx3NdNcis4if4pyL1n9xK5z 28IvpeOhBB80Mb0f0Bn9tUImTGCbStwac=}
Emails

sevenoneone@cock.li

kavariusing@tutanota.com

Extracted

Path

C:\Program Files (x86)\Microsoft Office\Templates\1033\C6AD3-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted. All encrypted files for this computer has extension: .c6ad3 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_a35f346f_c6ad3: GCYqWbouzflxtQSMfk/HQ6xBM7T9nFLWUbGg1fTuulcEDS+eC5 VwHVzaniPys28rTjqll5hNM6swFb67PGi8boYukW6+ClcObzRf o0JgsFbabqA8slHiKOXtS+ay3UK4+C3HcPl440axTKFR7ZJA49 DdBW1a8CDmcVJJjgsjFsjmIzBfQsIt0PbYIHrvcRL3gq6tG6lg gU5VZBRixBAKJPylnUzp0DmKtJogx3NdNcis4if4pyL1n9xK5z 28IvpeOhBB80Mb0f0Bn9tUImTGCbStwac=}Hi! Your files are encrypted. All encrypted files for this computer has extension: .c6ad3 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_a35f346f_c6ad3: GCYqWbouzflxtQSMfk/HQ6xBM7T9nFLWUbGg1fTuulcEDS+eC5 VwHVzaniPys28rTjqll5hNM6swFb67PGi8boYukW6+ClcObzRf o0JgsFbabqA8slHiKOXtS+ay3UK4+C3HcPl440axTKFR7ZJA49 DdBW1a8CDmcVJJjgsjFsjmIzBfQsIt0PbYIHrvcRL3gq6tG6lg gU5VZBRixBAKJPylnUzp0DmKtJogx3NdNcis4if4pyL1n9xK5z 28IvpeOhBB80Mb0f0Bn9tUImTGCbStwac=}Hi! Your files are encrypted. All encrypted files for this computer has extension: .c6ad3 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_a35f346f_c6ad3: GCYqWbouzflxtQSMfk/HQ6xBM7T9nFLWUbGg1fTuulcEDS+eC5 VwHVzaniPys28rTjqll5hNM6swFb67PGi8boYukW6+ClcObzRf o0JgsFbabqA8slHiKOXtS+ay3UK4+C3HcPl440axTKFR7ZJA49 DdBW1a8CDmcVJJjgsjFsjmIzBfQsIt0PbYIHrvcRL3gq6tG6lg gU5VZBRixBAKJPylnUzp0DmKtJogx3NdNcis4if4pyL1n9xK5z 28IvpeOhBB80Mb0f0Bn9tUImTGCbStwac=}
Emails

sevenoneone@cock.li

kavariusing@tutanota.com

Signatures

  • Netwalker Ransomware

    Ransomware family with multiple versions. Also known as MailTo.

    ransomwarenetwalker
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Modifies service 2 TTPs 5 IoCs
    persistence
  • Drops file in Program Files directory 7478 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Kills process with taskkill 2 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 216 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe
    "C:\Users\Admin\AppData\Local\Temp\b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Windows\SysWOW64\notepad.exe
      C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\C6AD3-Readme.txt"
      2⤵
        PID:4508
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
        2⤵
        • Interacts with shadow copies
        PID:4920
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c "C:\Users\Admin\AppData\Local\Temp\F547.tmp.bat"
        2⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:4188
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /im "b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe"
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3284
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /im "b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe"
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4196
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Modifies service
      • Suspicious use of AdjustPrivilegeToken
      PID:936

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Privilege Escalation

    Defense Evasion

    File Deletion

    2
    T1107

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Inhibit System Recovery

    2
    T1490

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\F547.tmp.bat
      MD5

      b58d61ac5cbb4c6be9037fc8d97c534a

      SHA1

      d6d1f82614055c1d23744149784683a11ba8570a

      SHA256

      b0679ca882b3d3474f82cf52cd236339aa826e044866c93bf8fc3ee658864af1

      SHA512

      4a536494166b716ca84cc76c0e19426d3dd1af37945c99f2652853e9525e5a933b30e8eaf83f294fa5731665ac0416652a8cdbdd0bfd31f2a2440cac9f11c0ec

      Download Submit
    • C:\Users\Admin\Desktop\C6AD3-Readme.txt
      MD5

      0c2a873601d7998e662cd0488591623c

      SHA1

      82f2104bb9e26480dac7bb719121f6fda30cb4ab

      SHA256

      859d0d7891e690529ae9384c8f0944f762c7c6f10517b1c0eebd13cb8096c20f

      SHA512

      48cde32f87653079cda88c227a700d0b28a448dd39746579ff99ddc97fd36a2d2a82a3109b33338a6319ef331f67b102cc1607f6fcf6f348f5c7af125b76e452

      Download Submit
    • memory/3284-14-0x0000000000000000-mapping.dmp
      Download
    • memory/4188-9-0x0000000000000000-mapping.dmp
      Download
    • memory/4196-15-0x0000000000000000-mapping.dmp
      Download
    • memory/4508-3-0x0000000000000000-mapping.dmp
      Download
    • memory/4920-6-0x0000000000000000-mapping.dmp
      Download