Analysis
max time kernel: 152s
max time network: 19s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 20:17

Static task: static1
Behavioral task: behavioral1
Sample: 98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exe
Resource: win7v20201028
Behavioral task: behavioral2
Sample: 98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exe
Resource: win10v20201028

The signatures, process tree and memory dumps that follow are from behavioral1 (Windows 7 x64, win7v20201028); the memory dump names carry the behavioral1 prefix.
General
Target: 98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exe
Size: 94KB
MD5: 339da8fcce98e2165a73e2f22e42b4ff
SHA1: e06ae91d935d95db3cffaf168836b875cea541bf
SHA256: 98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3
SHA512: bc61737e3f2c547a193665106a482e4573e593551b27b3a6cdad6a3f8215146d71a90ecb763cac916dfbb55e9c5f5aa01c9887293fd5f2e14a795c26ccfbb2b3
Malware Config
Extracted from three ransom notes, all carrying the same configuration:
C:\A746E-Readme.txt
C:\Users\Admin\Favorites\MSN Websites\A746E-Readme.txt
C:\Users\Admin\AppData\Roaming\A746E-Readme.txt
Family: netwalker
Contact addresses: sevenoneone@cock.li, kavariusing@tutanota.com
Signatures
-
Detected Netwalker Ransomware (2 IoCs)
Detected unpacked Netwalker executable.
Processes:
resource | yara_rule
behavioral1/memory/1756-1-0x0000000000160000-0x000000000017B000-memory.dmp | netwalker_ransomware
behavioral1/memory/1824-3-0x0000000000210000-0x000000000022B000-memory.dmp | netwalker_ransomware
Both hits are on in-memory regions, not on the file on disk: the unpacked payload in the dropper (pid 1756) and the copy it injected into the first explorer.exe (pid 1824). Each region is 0x1B000 bytes (108KB).
-
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files (1 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
process | description | ioc
explorer.exe | File opened for modification | C:\Users\Admin\Pictures\DebugTest.tiff
-
Deletes itself (1 IoCs)
Processes:
pid | process
1824 | explorer.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
process | description | ioc
explorer.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a746ee3d = "C:\\Program Files (x86)\\a746ee3d\\a746ee3d.exe"
The value name a746ee3d shares its leading characters with the A746E identifier in the ransom note file names, so both artefacts carry the same per-victim id. The key is under HKLM rather than HKCU, which requires administrative rights; the analysis user here is Admin.
-
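The Run value above and the ransom notes listed under Malware Config are the two on-disk artefacts a responder can sweep other hosts for. The Python below is an added example, not code from the sandbox or its report. It generalises two patterns from the single instance on this page, which is an assumption: a note name of the form <5 hex characters>-Readme.txt, and a Run value named <8 hex characters> whose data is C:\Program Files (x86)\<name>\<name>.exe. The directory built by demo_tree() and the benign SecurityHealth entry are constructed so the script runs offline; on a live host, point sweep_notes() at the profile root and feed classify_run_value() the name/data pairs read from the HKLM Run key.

```python
"""Sweep for the two on-disk artefacts this report attributes to the sample:
the HKLM Run value and the per-directory ransom notes.

Added example, not code from the sandbox or its report. The file-name and
Run-value patterns are generalised from the single instance on the page;
demo_tree() builds constructed sample data so the script runs offline.
"""
from __future__ import annotations

import os
import re
import tempfile

# <5 hex chars>-Readme.txt, as in the report's A746E-Readme.txt (assumed general pattern)
NOTE_NAME = re.compile(r"^[0-9a-f]{5}-readme\.txt$", re.I)
# 8-hex-char Run value name, as in the report's a746ee3d (assumed general pattern)
RUN_NAME = re.compile(r"^[0-9a-f]{8}$")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def classify_run_value(name: str, data: str) -> bool:
    """True if a Run value matches the layout the report shows:
    value <name> pointing at C:\\Program Files (x86)\\<name>\\<name>.exe."""
    if not RUN_NAME.match(name):
        return False
    expected = "C:\\Program Files (x86)\\" + name + "\\" + name + ".exe"
    return data.strip('"').lower() == expected.lower()


def same_campaign_id(run_name: str, note_path: str) -> bool:
    """The note id (A746E) is the leading part of the Run value name (a746ee3d)."""
    note_id = os.path.basename(note_path).split("-")[0]
    return run_name.lower().startswith(note_id.lower())


def sweep_notes(root: str) -> dict[str, list[str]]:
    """Walk root; map every ransom note found to the contact addresses it contains."""
    found: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if NOTE_NAME.match(fn):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found[path] = sorted(set(EMAIL.findall(fh.read())))
    return found


def demo_tree() -> str:
    """Constructed profile tree mirroring the three note locations in the report."""
    root = tempfile.mkdtemp(prefix="netwalker-demo-")
    for sub in ("", os.path.join("Favorites", "MSN Websites"), os.path.join("AppData", "Roaming")):
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "A746E-Readme.txt"), "w", encoding="utf-8") as fh:
            # constructed body: only the two contact addresses the report extracted
            fh.write("sevenoneone@cock.li\nkavariusing@tutanota.com\n")
    with open(os.path.join(root, "Readme.txt"), "w", encoding="utf-8") as fh:
        fh.write("decoy, name does not match the note pattern\n")
    return root


if __name__ == "__main__":
    # The Run value exactly as the report records it, plus a constructed benign entry.
    run_values = [
        ("a746ee3d", r"C:\Program Files (x86)\a746ee3d\a746ee3d.exe"),
        ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ]
    for name, data in run_values:
        print(f"Run\\{name}: {'SUSPICIOUS' if classify_run_value(name, data) else 'ok'}")
    for path, mails in sweep_notes(demo_tree()).items():
        linked = "linked to run value" if same_campaign_id("a746ee3d", path) else ""
        print(path, mails, linked)
```

The note match is on file name, with the e-mail addresses pulled out of the body so that a fleet-wide sweep can group hosts by contact address; the Run check deliberately requires the folder and file name to repeat the value name, which is what separates this entry from ordinary software that also lives under Program Files (x86).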
Modifies service (2 TTPs, 5 IoCs)
Processes:
process | description | ioc
vssvc.exe | Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
vssvc.exe | Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
vssvc.exe | Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
vssvc.exe | Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
vssvc.exe | Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Caveat: these Diag keys are written by the VSS service itself (vssvc.exe, pid 1984) as its provider and writers register while it services the vssadmin request below. They are a side effect of the shadow-copy deletion, not a service reconfiguration performed by the sample.
-
Suspicious use of SetThreadContext (2 IoCs)
Processes:
description | pid | process | target process
PID 1756 set thread context of 1824 | 1756 | 98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exe | explorer.exe
PID 1824 set thread context of 2012 | 1824 | explorer.exe | explorer.exe
-
Drops file in Program Files directory (7414 IoCs; first 64 events shown)
Processes:
process: explorer.exe (all rows)
description | ioc
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLPERF.H
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB_COL.HXT
File opened for modification | C:\Program Files\7-Zip\Lang\hr.txt
File created | C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\A746E-Readme.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185800.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\STUBBY2.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN026.XML
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prcr.x3d
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiling.jar
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\London
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_decreaseindent.gif
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_ja.jar
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.event_1.3.100.v20140115-1647.jar
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01157_.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01472_.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Civic.thmx
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN065.XML
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dili
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Eucla
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_zh_4.4.0.v20140623020002.jar
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\TAB_OFF.GIF
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00442_.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OMSSMS.CFG
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multiview.xml
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Belem
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.ja_5.5.0.165303.jar
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232393.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Flow.xml
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBlankPage.html
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBrowserUpgrade.html
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSHY7FR.LEX
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\CLICK.WAV
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIcon.jpg
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR46F.GIF
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151581.WMF
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Chita
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR50B.GIF
File opened for modification | C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.UDT
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Msgbox.accdt
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME30.CSS
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\MAPIR.DLL.IDX_DLL
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR34F.GIF
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\INVITE11.POC
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Tags.accft
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\jfluid-server.jar
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Athens
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01058_.WMF
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Earthy.gif
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\FONTSCHM.INI
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14980_.GIF
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WITHCOMP.DPV
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195254.WMF
File opened for modification | C:\Program Files\7-Zip\Lang\sk.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01462_.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\SectionHeading.jpg
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341559.JPG
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10219_.GIF
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00555_.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Classic.dotx
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-progress.xml
File created | C:\Program Files\Java\jre7\lib\zi\Atlantic\A746E-Readme.txt
Two of the listed events are "File created" rows for A746E-Readme.txt, dropped into directories as they are traversed; every other row is an existing file opened for modification, i.e. encrypted in place. The files touched are not limited to user documents: Office, Java, Adobe Reader, 7-Zip and VLC installation files are all rewritten.
-
Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
1172 | vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses (17857 IoCs)
Processes:
pid | process
1824 | explorer.exe (8 rows in the report)
2012 | explorer.exe (all remaining rows)
The report table consists only of repeated rows for these two injected explorer.exe instances.
-
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
pid | process
1756 | 98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exe
1824 | explorer.exe
-
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2012 | explorer.exe
Token: SeBackupPrivilege | 1984 | vssvc.exe
Token: SeRestorePrivilege | 1984 | vssvc.exe
Token: SeAuditPrivilege | 1984 | vssvc.exe
Token: SeDebugPrivilege | 1824 | explorer.exe
Token: SeImpersonatePrivilege | 1824 | explorer.exe
The SeBackup/SeRestore/SeAudit privileges belong to vssvc.exe and are the VSS service's normal working set. The privileges attributable to the sample are SeDebugPrivilege in both injected explorer.exe instances (1824 and 2012) and SeImpersonatePrivilege in 1824.
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description | pid | process | target process
PID 1756 wrote to memory of 1824 (4 events) | 1756 | 98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exe | explorer.exe
PID 1824 wrote to memory of 2012 (4 events) | 1824 | explorer.exe | explorer.exe
PID 2012 wrote to memory of 1172 (4 events) | 2012 | explorer.exe | vssadmin.exe
Only the two explorer.exe children are also targets of SetThreadContext (see above); the writes into vssadmin.exe are not paired with a thread-context change, so 1172 is an ordinary child that runs its own image.
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\explorer.exe
      Command line: "C:\Windows\system32\explorer.exe"
      - Modifies extensions of user files
      - Deletes itself
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\explorer.exe
         Command line: "C:\Windows\system32\explorer.exe"
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\vssadmin.exe
            Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
            - Interacts with shadow copies
1. C:\Windows\system32\vssvc.exe
   Command line: C:\Windows\system32\vssvc.exe
   - Modifies service
   - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample never runs its payload under its own image. The dropper (pid 1756) starts explorer.exe (pid 1824), writes into it and redirects its thread with SetThreadContext; that hollowed copy does the encryption, drops the ransom notes, sets the Run key and deletes the dropper, and repeats the injection into a second explorer.exe (pid 2012), which enumerates processes and launches vssadmin to delete all shadow copies. Two details are useful for detection rules: the command line asks for C:\Windows\system32\explorer.exe but the image that runs is C:\Windows\SysWOW64\explorer.exe, which is WOW64 file-system redirection and shows the launcher is a 32-bit process; and explorer.exe here has a parent under the user's Temp directory rather than userinit.exe. vssvc.exe appears as a separate root because it is the VSS service, started on demand to serve the vssadmin request.
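The chain in the tree above (dropper, explorer.exe, explorer.exe, vssadmin.exe) can be recovered automatically from process-creation and cross-process API events, which is how a detection would flag this run without a family signature. The Python below is an added example, not code from the sandbox or its report. Its PROCESS_CREATE and API_EVENTS lists are constructed to mirror the PIDs, image paths, command lines and the WriteProcessMemory / SetThreadContext tables shown in this report; the tuple layout is an assumption of the example, not the sandbox's schema.

```python
"""Rebuild the injection and shadow-copy-deletion chain from the kind of
events the report's tables record.

Added example, not code from the sandbox or its report. PROCESS_CREATE and
API_EVENTS are constructed to mirror the report's process tree and the
WriteProcessMemory / SetThreadContext tables; the tuple layout is this
example's assumption, not the sandbox's schema.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exe"

# (pid, image path, command line, parent pid or None for a tree root)
PROCESS_CREATE = [
    (1756, SAMPLE, f'"{SAMPLE}"', None),
    (1824, r"C:\Windows\SysWOW64\explorer.exe", r'"C:\Windows\system32\explorer.exe"', 1756),
    (2012, r"C:\Windows\SysWOW64\explorer.exe", r'"C:\Windows\system32\explorer.exe"', 1824),
    (1172, r"C:\Windows\system32\vssadmin.exe",
     r"C:\Windows\system32\vssadmin.exe delete shadows /all /quiet", 2012),
    (1984, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe", None),
]
# (source pid, api, target pid): four writes per pair and one SetThreadContext
# for each explorer.exe, none for vssadmin.exe, as the report lists them.
API_EVENTS = (
    [(1756, "WriteProcessMemory", 1824)] * 4 + [(1756, "SetThreadContext", 1824)]
    + [(1824, "WriteProcessMemory", 2012)] * 4 + [(1824, "SetThreadContext", 2012)]
    + [(2012, "WriteProcessMemory", 1172)] * 4
)

USER_WRITABLE = re.compile(r"^c:\\users\\", re.I)
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: int | None
    wrote_to: set = field(default_factory=set)
    set_context_of: set = field(default_factory=set)


def build_tree(creates, api_events) -> dict[int, Proc]:
    """Index processes by pid and attach the cross-process API events to their source."""
    procs = {pid: Proc(pid, image, cmd, ppid) for pid, image, cmd, ppid in creates}
    for src, api, dst in api_events:
        if api == "WriteProcessMemory":
            procs[src].wrote_to.add(dst)
        elif api == "SetThreadContext":
            procs[src].set_context_of.add(dst)
    return procs


def root_of(procs: dict[int, Proc], pid: int) -> int:
    """Walk parent links up to the process tree's root."""
    while procs[pid].parent is not None:
        pid = procs[pid].parent
    return pid


def analyse(procs: dict[int, Proc]) -> dict:
    findings = {"hollowed": [], "explorer_from_user_path": [], "wow64_redirected": [],
                "shadow_copy_deletion": []}
    for p in procs.values():
        # Hollowing: the parent both writes into a child it created and replaces
        # the child's thread context before the child's own code runs.
        for child in (c for c in procs.values() if c.parent == p.pid):
            if child.pid in p.wrote_to and child.pid in p.set_context_of:
                findings["hollowed"].append((p.pid, child.pid))
        # explorer.exe is normally started by userinit.exe; here its tree root
        # is a binary under C:\Users.
        if ntpath.basename(p.image).lower() == "explorer.exe":
            root = root_of(procs, p.pid)
            if root != p.pid and USER_WRITABLE.match(procs[root].image):
                findings["explorer_from_user_path"].append(p.pid)
        # Command line names system32 but the image is in SysWOW64: WOW64
        # file-system redirection, so the creating process was 32-bit.
        if "\\syswow64\\" in p.image.lower() and "\\system32\\" in p.cmdline.lower():
            findings["wow64_redirected"].append(p.pid)
        if SHADOW_DELETE.search(p.cmdline):
            findings["shadow_copy_deletion"].append({"pid": p.pid, "root": root_of(procs, p.pid)})
    return findings


if __name__ == "__main__":
    for key, value in analyse(build_tree(PROCESS_CREATE, API_EVENTS)).items():
        print(f"{key}: {value}")
```

The hollowing test deliberately requires both a memory write and a SetThreadContext on the same child: a plain CreateProcess can produce writes into a new child (as with vssadmin.exe here), and a SetThreadContext without writes is what debuggers do. Tying the vssadmin finding back to the tree root attributes the shadow-copy deletion to the dropper rather than to explorer.exe, which is the name an alert would otherwise show.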
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1172-4-0x0000000000000000-mapping.dmp
memory/1756-1-0x0000000000160000-0x000000000017B000-memory.dmp (108KB)
memory/1824-0-0x0000000000000000-mapping.dmp
memory/1824-3-0x0000000000210000-0x000000000022B000-memory.dmp (108KB)
memory/2012-2-0x0000000000000000-mapping.dmp
The two 108KB dumps are the regions on which the netwalker_ransomware YARA rule matched (0x17B000 - 0x160000 = 0x1B000 = 110592 bytes): the unpacked payload in the dropper and its copy in the first injected explorer.exe. They, rather than the 94KB file on disk, are the artefacts to feed to static analysis.