Overview

overview

10

Static

static

b587d049e9...f2.exe

windows7_x64

10

b587d049e9...f2.exe

windows10_x64

10

Analysis

  • max time kernel
    84s
  • max time network
    155s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09-11-2020 20:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe

  • Size

    148KB

  • MD5

    291e1ce9cd3ea77fb64937d3212e8ef6

  • SHA1

    68fd5b77f7e6824545664a620a62de630948e4b0

  • SHA256

    b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2

  • SHA512

    a63ef33ee1fa00e0bf9e395a9f3ed8793b1dcc1b90a1bf5e7d8dcae5e9fb28cb28eaf0c658883d66566a0eef6986e7377147ed26310d2e3e79d71e223cae1633

Score
10/10
netwalkerpersistenceransomwarespyware

Malware Config

Extracted

Path

C:\Users\Public\Libraries\375DC-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted. All encrypted files for this computer has extension: .375dc -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_a35f346f_375dc: 101LMbm/7R/MviPyx+GD0/P0RdJv4gCqDmGn5WkD2zx0fFkOPz /BJt1Wg0GIRW/JdomFBMMYR2b7Z3lGM61uNSyQolsPL318bzRf o+uHa8/u0fpt0CVkQQCahQYF0LS9vdU8d9PYoYvkbnd4hrNvZa +Kk8wtNUscRFfjRP6mTXkmw9PuyQR5+q8uP9R3PaEdg8UjJPLd 76aUqnNY/98DiOcLWWKlM8cjbroD1B+dejBELaS8muUJmUWBr3 nfHhinSnXnz2tGp4bSBfcd9HGoF8v9PCo=}
Emails

sevenoneone@cock.li

kavariusing@tutanota.com

Extracted

Path

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\375DC-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted. All encrypted files for this computer has extension: .375dc -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_a35f346f_375dc: 101LMbm/7R/MviPyx+GD0/P0RdJv4gCqDmGn5WkD2zx0fFkOPz /BJt1Wg0GIRW/JdomFBMMYR2b7Z3lGM61uNSyQolsPL318bzRf o+uHa8/u0fpt0CVkQQCahQYF0LS9vdU8d9PYoYvkbnd4hrNvZa +Kk8wtNUscRFfjRP6mTXkmw9PuyQR5+q8uP9R3PaEdg8UjJPLd 76aUqnNY/98DiOcLWWKlM8cjbroD1B+dejBELaS8muUJmUWBr3 nfHhinSnXnz2tGp4bSBfcd9HGoF8v9PCo=}Hi! Your files are encrypted. All encrypted files for this computer has extension: .375dc -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_a35f346f_375dc: 101LMbm/7R/MviPyx+GD0/P0RdJv4gCqDmGn5WkD2zx0fFkOPz /BJt1Wg0GIRW/JdomFBMMYR2b7Z3lGM61uNSyQolsPL318bzRf o+uHa8/u0fpt0CVkQQCahQYF0LS9vdU8d9PYoYvkbnd4hrNvZa +Kk8wtNUscRFfjRP6mTXkmw9PuyQR5+q8uP9R3PaEdg8UjJPLd 76aUqnNY/98DiOcLWWKlM8cjbroD1B+dejBELaS8muUJmUWBr3 nfHhinSnXnz2tGp4bSBfcd9HGoF8v9PCo=}
Emails

sevenoneone@cock.li

kavariusing@tutanota.com

Extracted

Path

C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\375DC-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted. All encrypted files for this computer has extension: .375dc -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_a35f346f_375dc: 101LMbm/7R/MviPyx+GD0/P0RdJv4gCqDmGn5WkD2zx0fFkOPz /BJt1Wg0GIRW/JdomFBMMYR2b7Z3lGM61uNSyQolsPL318bzRf o+uHa8/u0fpt0CVkQQCahQYF0LS9vdU8d9PYoYvkbnd4hrNvZa +Kk8wtNUscRFfjRP6mTXkmw9PuyQR5+q8uP9R3PaEdg8UjJPLd 76aUqnNY/98DiOcLWWKlM8cjbroD1B+dejBELaS8muUJmUWBr3 nfHhinSnXnz2tGp4bSBfcd9HGoF8v9PCo=}Hi! Your files are encrypted. All encrypted files for this computer has extension: .375dc -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_a35f346f_375dc: 101LMbm/7R/MviPyx+GD0/P0RdJv4gCqDmGn5WkD2zx0fFkOPz /BJt1Wg0GIRW/JdomFBMMYR2b7Z3lGM61uNSyQolsPL318bzRf o+uHa8/u0fpt0CVkQQCahQYF0LS9vdU8d9PYoYvkbnd4hrNvZa +Kk8wtNUscRFfjRP6mTXkmw9PuyQR5+q8uP9R3PaEdg8UjJPLd 76aUqnNY/98DiOcLWWKlM8cjbroD1B+dejBELaS8muUJmUWBr3 nfHhinSnXnz2tGp4bSBfcd9HGoF8v9PCo=}Hi! Your files are encrypted. All encrypted files for this computer has extension: .375dc -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_a35f346f_375dc: 101LMbm/7R/MviPyx+GD0/P0RdJv4gCqDmGn5WkD2zx0fFkOPz /BJt1Wg0GIRW/JdomFBMMYR2b7Z3lGM61uNSyQolsPL318bzRf o+uHa8/u0fpt0CVkQQCahQYF0LS9vdU8d9PYoYvkbnd4hrNvZa +Kk8wtNUscRFfjRP6mTXkmw9PuyQR5+q8uP9R3PaEdg8UjJPLd 76aUqnNY/98DiOcLWWKlM8cjbroD1B+dejBELaS8muUJmUWBr3 nfHhinSnXnz2tGp4bSBfcd9HGoF8v9PCo=}
Emails

sevenoneone@cock.li

kavariusing@tutanota.com

Extracted

Path

C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\375DC-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted. All encrypted files for this computer has extension: .375dc -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_a35f346f_375dc: 101LMbm/7R/MviPyx+GD0/P0RdJv4gCqDmGn5WkD2zx0fFkOPz /BJt1Wg0GIRW/JdomFBMMYR2b7Z3lGM61uNSyQolsPL318bzRf o+uHa8/u0fpt0CVkQQCahQYF0LS9vdU8d9PYoYvkbnd4hrNvZa +Kk8wtNUscRFfjRP6mTXkmw9PuyQR5+q8uP9R3PaEdg8UjJPLd 76aUqnNY/98DiOcLWWKlM8cjbroD1B+dejBELaS8muUJmUWBr3 nfHhinSnXnz2tGp4bSBfcd9HGoF8v9PCo=}Hi! Your files are encrypted. All encrypted files for this computer has extension: .375dc -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_a35f346f_375dc: 101LMbm/7R/MviPyx+GD0/P0RdJv4gCqDmGn5WkD2zx0fFkOPz /BJt1Wg0GIRW/JdomFBMMYR2b7Z3lGM61uNSyQolsPL318bzRf o+uHa8/u0fpt0CVkQQCahQYF0LS9vdU8d9PYoYvkbnd4hrNvZa +Kk8wtNUscRFfjRP6mTXkmw9PuyQR5+q8uP9R3PaEdg8UjJPLd 76aUqnNY/98DiOcLWWKlM8cjbroD1B+dejBELaS8muUJmUWBr3 nfHhinSnXnz2tGp4bSBfcd9HGoF8v9PCo=}Hi! Your files are encrypted. All encrypted files for this computer has extension: .375dc -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_a35f346f_375dc: 101LMbm/7R/MviPyx+GD0/P0RdJv4gCqDmGn5WkD2zx0fFkOPz /BJt1Wg0GIRW/JdomFBMMYR2b7Z3lGM61uNSyQolsPL318bzRf o+uHa8/u0fpt0CVkQQCahQYF0LS9vdU8d9PYoYvkbnd4hrNvZa +Kk8wtNUscRFfjRP6mTXkmw9PuyQR5+q8uP9R3PaEdg8UjJPLd 76aUqnNY/98DiOcLWWKlM8cjbroD1B+dejBELaS8muUJmUWBr3 nfHhinSnXnz2tGp4bSBfcd9HGoF8v9PCo=}Hi! Your files are encrypted. All encrypted files for this computer has extension: .375dc -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_a35f346f_375dc: 101LMbm/7R/MviPyx+GD0/P0RdJv4gCqDmGn5WkD2zx0fFkOPz /BJt1Wg0GIRW/JdomFBMMYR2b7Z3lGM61uNSyQolsPL318bzRf o+uHa8/u0fpt0CVkQQCahQYF0LS9vdU8d9PYoYvkbnd4hrNvZa +Kk8wtNUscRFfjRP6mTXkmw9PuyQR5+q8uP9R3PaEdg8UjJPLd 76aUqnNY/98DiOcLWWKlM8cjbroD1B+dejBELaS8muUJmUWBr3 nfHhinSnXnz2tGp4bSBfcd9HGoF8v9PCo=}Hi! Your files are encrypted. All encrypted files for this computer has extension: .375dc -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_a35f346f_375dc: 101LMbm/7R/MviPyx+GD0/P0RdJv4gCqDmGn5WkD2zx0fFkOPz /BJt1Wg0GIRW/JdomFBMMYR2b7Z3lGM61uNSyQolsPL318bzRf o+uHa8/u0fpt0CVkQQCahQYF0LS9vdU8d9PYoYvkbnd4hrNvZa +Kk8wtNUscRFfjRP6mTXkmw9PuyQR5+q8uP9R3PaEdg8UjJPLd 76aUqnNY/98DiOcLWWKlM8cjbroD1B+dejBELaS8muUJmUWBr3 nfHhinSnXnz2tGp4bSBfcd9HGoF8v9PCo=}Hi! Your files are encrypted. All encrypted files for this computer has extension: .375dc -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_a35f346f_375dc: 101LMbm/7R/MviPyx+GD0/P0RdJv4gCqDmGn5WkD2zx0fFkOPz /BJt1Wg0GIRW/JdomFBMMYR2b7Z3lGM61uNSyQolsPL318bzRf o+uHa8/u0fpt0CVkQQCahQYF0LS9vdU8d9PYoYvkbnd4hrNvZa +Kk8wtNUscRFfjRP6mTXkmw9PuyQR5+q8uP9R3PaEdg8UjJPLd 76aUqnNY/98DiOcLWWKlM8cjbroD1B+dejBELaS8muUJmUWBr3 nfHhinSnXnz2tGp4bSBfcd9HGoF8v9PCo=}
Emails

sevenoneone@cock.li

kavariusing@tutanota.com

Extracted

Path

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\375DC-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted. All encrypted files for this computer has extension: .375dc -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_a35f346f_375dc: 101LMbm/7R/MviPyx+GD0/P0RdJv4gCqDmGn5WkD2zx0fFkOPz /BJt1Wg0GIRW/JdomFBMMYR2b7Z3lGM61uNSyQolsPL318bzRf o+uHa8/u0fpt0CVkQQCahQYF0LS9vdU8d9PYoYvkbnd4hrNvZa +Kk8wtNUscRFfjRP6mTXkmw9PuyQR5+q8uP9R3PaEdg8UjJPLd 76aUqnNY/98DiOcLWWKlM8cjbroD1B+dejBELaS8muUJmUWBr3 nfHhinSnXnz2tGp4bSBfcd9HGoF8v9PCo=}Hi! Your files are encrypted. All encrypted files for this computer has extension: .375dc -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_a35f346f_375dc: 101LMbm/7R/MviPyx+GD0/P0RdJv4gCqDmGn5WkD2zx0fFkOPz /BJt1Wg0GIRW/JdomFBMMYR2b7Z3lGM61uNSyQolsPL318bzRf o+uHa8/u0fpt0CVkQQCahQYF0LS9vdU8d9PYoYvkbnd4hrNvZa +Kk8wtNUscRFfjRP6mTXkmw9PuyQR5+q8uP9R3PaEdg8UjJPLd 76aUqnNY/98DiOcLWWKlM8cjbroD1B+dejBELaS8muUJmUWBr3 nfHhinSnXnz2tGp4bSBfcd9HGoF8v9PCo=}Hi! Your files are encrypted. All encrypted files for this computer has extension: .375dc -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_a35f346f_375dc: 101LMbm/7R/MviPyx+GD0/P0RdJv4gCqDmGn5WkD2zx0fFkOPz /BJt1Wg0GIRW/JdomFBMMYR2b7Z3lGM61uNSyQolsPL318bzRf o+uHa8/u0fpt0CVkQQCahQYF0LS9vdU8d9PYoYvkbnd4hrNvZa +Kk8wtNUscRFfjRP6mTXkmw9PuyQR5+q8uP9R3PaEdg8UjJPLd 76aUqnNY/98DiOcLWWKlM8cjbroD1B+dejBELaS8muUJmUWBr3 nfHhinSnXnz2tGp4bSBfcd9HGoF8v9PCo=}Hi! Your files are encrypted. All encrypted files for this computer has extension: .375dc -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_a35f346f_375dc: 101LMbm/7R/MviPyx+GD0/P0RdJv4gCqDmGn5WkD2zx0fFkOPz /BJt1Wg0GIRW/JdomFBMMYR2b7Z3lGM61uNSyQolsPL318bzRf o+uHa8/u0fpt0CVkQQCahQYF0LS9vdU8d9PYoYvkbnd4hrNvZa +Kk8wtNUscRFfjRP6mTXkmw9PuyQR5+q8uP9R3PaEdg8UjJPLd 76aUqnNY/98DiOcLWWKlM8cjbroD1B+dejBELaS8muUJmUWBr3 nfHhinSnXnz2tGp4bSBfcd9HGoF8v9PCo=}
Emails

sevenoneone@cock.li

kavariusing@tutanota.com

Signatures

  • Netwalker Ransomware

    Ransomware family with multiple versions. Also known as MailTo.

    ransomwarenetwalker
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Modifies service 2 TTPs 5 IoCs
    persistence
  • Drops file in Program Files directory 17176 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Kills process with taskkill 2 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 3042 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe
    "C:\Users\Admin\AppData\Local\Temp\b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe"
    1⤵
    • Modifies extensions of user files
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3276
    • C:\Windows\SysWOW64\notepad.exe
      C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\375DC-Readme.txt"
      2⤵
        PID:6692
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
        2⤵
        • Interacts with shadow copies
        PID:4880
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7540.tmp.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:6108
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /im "b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe"
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3968
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /im "b587d049e9fae11f4fe70d5f6c9007f99483f683ee55217110094206bd6a92f2.exe"
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:9308
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Modifies service
      • Suspicious use of AdjustPrivilegeToken
      PID:8120

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Privilege Escalation

    Defense Evasion

    File Deletion

    2
    T1107

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Inhibit System Recovery

    2
    T1490

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\7540.tmp.bat
      MD5

      b58d61ac5cbb4c6be9037fc8d97c534a

      SHA1

      d6d1f82614055c1d23744149784683a11ba8570a

      SHA256

      b0679ca882b3d3474f82cf52cd236339aa826e044866c93bf8fc3ee658864af1

      SHA512

      4a536494166b716ca84cc76c0e19426d3dd1af37945c99f2652853e9525e5a933b30e8eaf83f294fa5731665ac0416652a8cdbdd0bfd31f2a2440cac9f11c0ec

      Download Submit
    • C:\Users\Admin\Desktop\375DC-Readme.txt
      MD5

      30ddc781c1c9810366be899b8b001f13

      SHA1

      e3c06e7603ad9a57ca9fc3bdaf64f2fc7e3b7b09

      SHA256

      6b5fac17a9b17357335ee8d0efd26380675bb1f65df72f48c4719b9bfc0d8dc1

      SHA512

      49f9d5707a507293ba120c7a93b603bb612df127743dcc9c630678ec39cc26c8762e727e80693b6f5646574a9f95a3af5dbf311936f05ac65809f9755f52ab17

      Download Submit
    • memory/3968-4-0x0000000000000000-mapping.dmp
      Download
    • memory/4880-1-0x0000000000000000-mapping.dmp
      Download
    • memory/6108-2-0x0000000000000000-mapping.dmp
      Download
    • memory/6692-0-0x0000000000000000-mapping.dmp
      Download
    • memory/9308-6-0x0000000000000000-mapping.dmp
      Download