netwalker | 98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3

General

Target

98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exe
Size

94KB
MD5

339da8fcce98e2165a73e2f22e42b4ff
SHA1

e06ae91d935d95db3cffaf168836b875cea541bf
SHA256

98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3
SHA512

bc61737e3f2c547a193665106a482e4573e593551b27b3a6cdad6a3f8215146d71a90ecb763cac916dfbb55e9c5f5aa01c9887293fd5f2e14a795c26ccfbb2b3

Score

10^/10

netwalker persistence ransomware spyware

Malware Config

Extracted

Path

C:\Users\Public\Libraries\1B68F-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted. All encrypted files for this computer has extension: .1b68f -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_62a85da8_1b68f: BlNn2pg3Pk9JVvjnKQHHoWOWWq30cHjJwKncgA5DUEWI/9hrHo FXGo4BlajtBPrNbg0BOnN0+GxMGe8tjxq6uFzmf4wOUiBjqF2o YvTd0r+iTf5KpTCL2LqI3TU5gZR+mFFQ91xxmOot6uSJLS0QqS UU5RrC/fAr0FfaSvsryIeBro6l2A5pIwoRVxxIhxpEDODqTRKh lx2DiXTVKXh3XsK17nQ532MAJ3U3oin2ucbZur91AdVAUkxWr5 G/FPuhsWk31HGbV7HRjuaXqRYZlHiGfFc=}

Emails

sevenoneone@cock.li

kavariusing@tutanota.com

Extracted

Path

C:\ProgramData\Microsoft\Windows Security Health\Logs\1B68F-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted. All encrypted files for this computer has extension: .1b68f -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_62a85da8_1b68f: BlNn2pg3Pk9JVvjnKQHHoWOWWq30cHjJwKncgA5DUEWI/9hrHo FXGo4BlajtBPrNbg0BOnN0+GxMGe8tjxq6uFzmf4wOUiBjqF2o YvTd0r+iTf5KpTCL2LqI3TU5gZR+mFFQ91xxmOot6uSJLS0QqS UU5RrC/fAr0FfaSvsryIeBro6l2A5pIwoRVxxIhxpEDODqTRKh lx2DiXTVKXh3XsK17nQ532MAJ3U3oin2ucbZur91AdVAUkxWr5 G/FPuhsWk31HGbV7HRjuaXqRYZlHiGfFc=}Hi! Your files are encrypted. All encrypted files for this computer has extension: .1b68f -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_62a85da8_1b68f: BlNn2pg3Pk9JVvjnKQHHoWOWWq30cHjJwKncgA5DUEWI/9hrHo FXGo4BlajtBPrNbg0BOnN0+GxMGe8tjxq6uFzmf4wOUiBjqF2o YvTd0r+iTf5KpTCL2LqI3TU5gZR+mFFQ91xxmOot6uSJLS0QqS UU5RrC/fAr0FfaSvsryIeBro6l2A5pIwoRVxxIhxpEDODqTRKh lx2DiXTVKXh3XsK17nQ532MAJ3U3oin2ucbZur91AdVAUkxWr5 G/FPuhsWk31HGbV7HRjuaXqRYZlHiGfFc=}

Emails

sevenoneone@cock.li

kavariusing@tutanota.com

Extracted

Path

C:\Users\Admin\Music\1B68F-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted. All encrypted files for this computer has extension: .1b68f -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_62a85da8_1b68f: BlNn2pg3Pk9JVvjnKQHHoWOWWq30cHjJwKncgA5DUEWI/9hrHo FXGo4BlajtBPrNbg0BOnN0+GxMGe8tjxq6uFzmf4wOUiBjqF2o YvTd0r+iTf5KpTCL2LqI3TU5gZR+mFFQ91xxmOot6uSJLS0QqS UU5RrC/fAr0FfaSvsryIeBro6l2A5pIwoRVxxIhxpEDODqTRKh lx2DiXTVKXh3XsK17nQ532MAJ3U3oin2ucbZur91AdVAUkxWr5 G/FPuhsWk31HGbV7HRjuaXqRYZlHiGfFc=}Hi! Your files are encrypted. All encrypted files for this computer has extension: .1b68f -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_62a85da8_1b68f: BlNn2pg3Pk9JVvjnKQHHoWOWWq30cHjJwKncgA5DUEWI/9hrHo FXGo4BlajtBPrNbg0BOnN0+GxMGe8tjxq6uFzmf4wOUiBjqF2o YvTd0r+iTf5KpTCL2LqI3TU5gZR+mFFQ91xxmOot6uSJLS0QqS UU5RrC/fAr0FfaSvsryIeBro6l2A5pIwoRVxxIhxpEDODqTRKh lx2DiXTVKXh3XsK17nQ532MAJ3U3oin2ucbZur91AdVAUkxWr5 G/FPuhsWk31HGbV7HRjuaXqRYZlHiGfFc=}Hi! Your files are encrypted. All encrypted files for this computer has extension: .1b68f -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_62a85da8_1b68f: BlNn2pg3Pk9JVvjnKQHHoWOWWq30cHjJwKncgA5DUEWI/9hrHo FXGo4BlajtBPrNbg0BOnN0+GxMGe8tjxq6uFzmf4wOUiBjqF2o YvTd0r+iTf5KpTCL2LqI3TU5gZR+mFFQ91xxmOot6uSJLS0QqS UU5RrC/fAr0FfaSvsryIeBro6l2A5pIwoRVxxIhxpEDODqTRKh lx2DiXTVKXh3XsK17nQ532MAJ3U3oin2ucbZur91AdVAUkxWr5 G/FPuhsWk31HGbV7HRjuaXqRYZlHiGfFc=}Hi! Your files are encrypted. All encrypted files for this computer has extension: .1b68f -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_62a85da8_1b68f: BlNn2pg3Pk9JVvjnKQHHoWOWWq30cHjJwKncgA5DUEWI/9hrHo FXGo4BlajtBPrNbg0BOnN0+GxMGe8tjxq6uFzmf4wOUiBjqF2o YvTd0r+iTf5KpTCL2LqI3TU5gZR+mFFQ91xxmOot6uSJLS0QqS UU5RrC/fAr0FfaSvsryIeBro6l2A5pIwoRVxxIhxpEDODqTRKh lx2DiXTVKXh3XsK17nQ532MAJ3U3oin2ucbZur91AdVAUkxWr5 G/FPuhsWk31HGbV7HRjuaXqRYZlHiGfFc=}Hi! Your files are encrypted. All encrypted files for this computer has extension: .1b68f -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_62a85da8_1b68f: BlNn2pg3Pk9JVvjnKQHHoWOWWq30cHjJwKncgA5DUEWI/9hrHo FXGo4BlajtBPrNbg0BOnN0+GxMGe8tjxq6uFzmf4wOUiBjqF2o YvTd0r+iTf5KpTCL2LqI3TU5gZR+mFFQ91xxmOot6uSJLS0QqS UU5RrC/fAr0FfaSvsryIeBro6l2A5pIwoRVxxIhxpEDODqTRKh lx2DiXTVKXh3XsK17nQ532MAJ3U3oin2ucbZur91AdVAUkxWr5 G/FPuhsWk31HGbV7HRjuaXqRYZlHiGfFc=}Hi! Your files are encrypted. All encrypted files for this computer has extension: .1b68f -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_62a85da8_1b68f: BlNn2pg3Pk9JVvjnKQHHoWOWWq30cHjJwKncgA5DUEWI/9hrHo FXGo4BlajtBPrNbg0BOnN0+GxMGe8tjxq6uFzmf4wOUiBjqF2o YvTd0r+iTf5KpTCL2LqI3TU5gZR+mFFQ91xxmOot6uSJLS0QqS UU5RrC/fAr0FfaSvsryIeBro6l2A5pIwoRVxxIhxpEDODqTRKh lx2DiXTVKXh3XsK17nQ532MAJ3U3oin2ucbZur91AdVAUkxWr5 G/FPuhsWk31HGbV7HRjuaXqRYZlHiGfFc=}

Emails

sevenoneone@cock.li

kavariusing@tutanota.com

Extracted

Path

C:\ProgramData\Microsoft\User Account Pictures\1B68F-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted. All encrypted files for this computer has extension: .1b68f -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_62a85da8_1b68f: BlNn2pg3Pk9JVvjnKQHHoWOWWq30cHjJwKncgA5DUEWI/9hrHo FXGo4BlajtBPrNbg0BOnN0+GxMGe8tjxq6uFzmf4wOUiBjqF2o YvTd0r+iTf5KpTCL2LqI3TU5gZR+mFFQ91xxmOot6uSJLS0QqS UU5RrC/fAr0FfaSvsryIeBro6l2A5pIwoRVxxIhxpEDODqTRKh lx2DiXTVKXh3XsK17nQ532MAJ3U3oin2ucbZur91AdVAUkxWr5 G/FPuhsWk31HGbV7HRjuaXqRYZlHiGfFc=}Hi! Your files are encrypted. All encrypted files for this computer has extension: .1b68f -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_62a85da8_1b68f: BlNn2pg3Pk9JVvjnKQHHoWOWWq30cHjJwKncgA5DUEWI/9hrHo FXGo4BlajtBPrNbg0BOnN0+GxMGe8tjxq6uFzmf4wOUiBjqF2o YvTd0r+iTf5KpTCL2LqI3TU5gZR+mFFQ91xxmOot6uSJLS0QqS UU5RrC/fAr0FfaSvsryIeBro6l2A5pIwoRVxxIhxpEDODqTRKh lx2DiXTVKXh3XsK17nQ532MAJ3U3oin2ucbZur91AdVAUkxWr5 G/FPuhsWk31HGbV7HRjuaXqRYZlHiGfFc=}Hi! Your files are encrypted. All encrypted files for this computer has extension: .1b68f -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_62a85da8_1b68f: BlNn2pg3Pk9JVvjnKQHHoWOWWq30cHjJwKncgA5DUEWI/9hrHo FXGo4BlajtBPrNbg0BOnN0+GxMGe8tjxq6uFzmf4wOUiBjqF2o YvTd0r+iTf5KpTCL2LqI3TU5gZR+mFFQ91xxmOot6uSJLS0QqS UU5RrC/fAr0FfaSvsryIeBro6l2A5pIwoRVxxIhxpEDODqTRKh lx2DiXTVKXh3XsK17nQ532MAJ3U3oin2ucbZur91AdVAUkxWr5 G/FPuhsWk31HGbV7HRjuaXqRYZlHiGfFc=}Hi! Your files are encrypted. All encrypted files for this computer has extension: .1b68f -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_62a85da8_1b68f: BlNn2pg3Pk9JVvjnKQHHoWOWWq30cHjJwKncgA5DUEWI/9hrHo FXGo4BlajtBPrNbg0BOnN0+GxMGe8tjxq6uFzmf4wOUiBjqF2o YvTd0r+iTf5KpTCL2LqI3TU5gZR+mFFQ91xxmOot6uSJLS0QqS UU5RrC/fAr0FfaSvsryIeBro6l2A5pIwoRVxxIhxpEDODqTRKh lx2DiXTVKXh3XsK17nQ532MAJ3U3oin2ucbZur91AdVAUkxWr5 G/FPuhsWk31HGbV7HRjuaXqRYZlHiGfFc=}Hi! Your files are encrypted. All encrypted files for this computer has extension: .1b68f -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_62a85da8_1b68f: BlNn2pg3Pk9JVvjnKQHHoWOWWq30cHjJwKncgA5DUEWI/9hrHo FXGo4BlajtBPrNbg0BOnN0+GxMGe8tjxq6uFzmf4wOUiBjqF2o YvTd0r+iTf5KpTCL2LqI3TU5gZR+mFFQ91xxmOot6uSJLS0QqS UU5RrC/fAr0FfaSvsryIeBro6l2A5pIwoRVxxIhxpEDODqTRKh lx2DiXTVKXh3XsK17nQ532MAJ3U3oin2ucbZur91AdVAUkxWr5 G/FPuhsWk31HGbV7HRjuaXqRYZlHiGfFc=}

Emails

sevenoneone@cock.li

kavariusing@tutanota.com

Extracted

Path

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\1B68F-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted. All encrypted files for this computer has extension: .1b68f -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_62a85da8_1b68f: BlNn2pg3Pk9JVvjnKQHHoWOWWq30cHjJwKncgA5DUEWI/9hrHo FXGo4BlajtBPrNbg0BOnN0+GxMGe8tjxq6uFzmf4wOUiBjqF2o YvTd0r+iTf5KpTCL2LqI3TU5gZR+mFFQ91xxmOot6uSJLS0QqS UU5RrC/fAr0FfaSvsryIeBro6l2A5pIwoRVxxIhxpEDODqTRKh lx2DiXTVKXh3XsK17nQ532MAJ3U3oin2ucbZur91AdVAUkxWr5 G/FPuhsWk31HGbV7HRjuaXqRYZlHiGfFc=}Hi! Your files are encrypted. All encrypted files for this computer has extension: .1b68f -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_62a85da8_1b68f: BlNn2pg3Pk9JVvjnKQHHoWOWWq30cHjJwKncgA5DUEWI/9hrHo FXGo4BlajtBPrNbg0BOnN0+GxMGe8tjxq6uFzmf4wOUiBjqF2o YvTd0r+iTf5KpTCL2LqI3TU5gZR+mFFQ91xxmOot6uSJLS0QqS UU5RrC/fAr0FfaSvsryIeBro6l2A5pIwoRVxxIhxpEDODqTRKh lx2DiXTVKXh3XsK17nQ532MAJ3U3oin2ucbZur91AdVAUkxWr5 G/FPuhsWk31HGbV7HRjuaXqRYZlHiGfFc=}Hi! Your files are encrypted. All encrypted files for this computer has extension: .1b68f -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_62a85da8_1b68f: BlNn2pg3Pk9JVvjnKQHHoWOWWq30cHjJwKncgA5DUEWI/9hrHo FXGo4BlajtBPrNbg0BOnN0+GxMGe8tjxq6uFzmf4wOUiBjqF2o YvTd0r+iTf5KpTCL2LqI3TU5gZR+mFFQ91xxmOot6uSJLS0QqS UU5RrC/fAr0FfaSvsryIeBro6l2A5pIwoRVxxIhxpEDODqTRKh lx2DiXTVKXh3XsK17nQ532MAJ3U3oin2ucbZur91AdVAUkxWr5 G/FPuhsWk31HGbV7HRjuaXqRYZlHiGfFc=}

Emails

sevenoneone@cock.li

kavariusing@tutanota.com

Extracted

Path

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\1B68F-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted. All encrypted files for this computer has extension: .1b68f -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_62a85da8_1b68f: BlNn2pg3Pk9JVvjnKQHHoWOWWq30cHjJwKncgA5DUEWI/9hrHo FXGo4BlajtBPrNbg0BOnN0+GxMGe8tjxq6uFzmf4wOUiBjqF2o YvTd0r+iTf5KpTCL2LqI3TU5gZR+mFFQ91xxmOot6uSJLS0QqS UU5RrC/fAr0FfaSvsryIeBro6l2A5pIwoRVxxIhxpEDODqTRKh lx2DiXTVKXh3XsK17nQ532MAJ3U3oin2ucbZur91AdVAUkxWr5 G/FPuhsWk31HGbV7HRjuaXqRYZlHiGfFc=}Hi! Your files are encrypted. All encrypted files for this computer has extension: .1b68f -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_62a85da8_1b68f: BlNn2pg3Pk9JVvjnKQHHoWOWWq30cHjJwKncgA5DUEWI/9hrHo FXGo4BlajtBPrNbg0BOnN0+GxMGe8tjxq6uFzmf4wOUiBjqF2o YvTd0r+iTf5KpTCL2LqI3TU5gZR+mFFQ91xxmOot6uSJLS0QqS UU5RrC/fAr0FfaSvsryIeBro6l2A5pIwoRVxxIhxpEDODqTRKh lx2DiXTVKXh3XsK17nQ532MAJ3U3oin2ucbZur91AdVAUkxWr5 G/FPuhsWk31HGbV7HRjuaXqRYZlHiGfFc=}Hi! Your files are encrypted. All encrypted files for this computer has extension: .1b68f -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_62a85da8_1b68f: BlNn2pg3Pk9JVvjnKQHHoWOWWq30cHjJwKncgA5DUEWI/9hrHo FXGo4BlajtBPrNbg0BOnN0+GxMGe8tjxq6uFzmf4wOUiBjqF2o YvTd0r+iTf5KpTCL2LqI3TU5gZR+mFFQ91xxmOot6uSJLS0QqS UU5RrC/fAr0FfaSvsryIeBro6l2A5pIwoRVxxIhxpEDODqTRKh lx2DiXTVKXh3XsK17nQ532MAJ3U3oin2ucbZur91AdVAUkxWr5 G/FPuhsWk31HGbV7HRjuaXqRYZlHiGfFc=}Hi! Your files are encrypted. All encrypted files for this computer has extension: .1b68f -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_62a85da8_1b68f: BlNn2pg3Pk9JVvjnKQHHoWOWWq30cHjJwKncgA5DUEWI/9hrHo FXGo4BlajtBPrNbg0BOnN0+GxMGe8tjxq6uFzmf4wOUiBjqF2o YvTd0r+iTf5KpTCL2LqI3TU5gZR+mFFQ91xxmOot6uSJLS0QqS UU5RrC/fAr0FfaSvsryIeBro6l2A5pIwoRVxxIhxpEDODqTRKh lx2DiXTVKXh3XsK17nQ532MAJ3U3oin2ucbZur91AdVAUkxWr5 G/FPuhsWk31HGbV7HRjuaXqRYZlHiGfFc=}

Emails

sevenoneone@cock.li

kavariusing@tutanota.com

Signatures

Detected Netwalker Ransomware 2 IoCs

Detected unpacked Netwalker executable.

Processes:

resource	yara_rule
behavioral2/memory/4756-1-0x0000000001380000-0x000000000139B000-memory.dmp	netwalker_ransomware
behavioral2/memory/368-2-0x0000000003700000-0x000000000371B000-memory.dmp	netwalker_ransomware

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
ransomware netwalker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ExportConvertTo.tiff	explorer.exe
File opened for modification	C:\Users\Admin\Pictures\ConnectStart.tiff	explorer.exe
File opened for modification	C:\Users\Admin\Pictures\ImportConvertTo.tiff	explorer.exe
File opened for modification	C:\Users\Admin\Pictures\FindMove.tiff	explorer.exe

Deletes itself 1 IoCs

Processes:

explorer.exe

pid process

368 explorer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1b68f3c6 = "C:\\Program Files (x86)\\1b68f3c6\\1b68f3c6.exe"	explorer.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exe

description	pid	process	target process
PID 4756 set thread context of 368	4756	98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exe	explorer.exe

Drops file in Program Files directory 17189 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-fr_fr.gif	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_cancel_18.svg	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\156.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\starttile.dualsim1.wink.small.scale-200.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageBadgeLogo.scale-100.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\WideTile.scale-100.png	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\ui-strings.js	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-spi-quicksearch.jar	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-phn.xrm-ms	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\tripeaks\Extreme_Altitude_Unearned_small.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\mask\cardback.png	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons.png	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_zh_4.4.0.v20140623020002.jar	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-140.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageSmallTile.scale-100_contrast-white.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreBadgeLogo.scale-200.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailBadge.scale-400.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxAccountsSmallTile.scale-100.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StopwatchLargeTile.contrast-black_scale-125.png	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\HeartbeatConfig.xml	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\NewScene.scale-180.png	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-pl.xrm-ms	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-150_contrast-white.png	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-pl.xrm-ms	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\BadgeLogo\PaintApplist.scale-150.png	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\APASixthEditionOfficeOnline.xsl	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-pl.xrm-ms	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\fk_16x11.png	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwcapitalized.dotx	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupWideTile.scale-125.png	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\REFSAN.TTF	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\SurfaceProfiles\canvas12oz_512x512_nm.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-96.png	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\officemuiset.msi.16.en-us.tree.dat	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\OneConnectAppList.scale-100.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	explorer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\js\1B68F-Readme.txt	explorer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ca-es\1B68F-Readme.txt	explorer.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\1B68F-Readme.txt	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\GameBar.winmd	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Fues\green_button.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-20_altform-unplated_contrast-white.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupLargeTile.scale-400.png	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryDashboard.xltx	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_ja_4.4.0.v20140623020002.jar	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_2017.311.255.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Slice.thmx	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-140_8wekyb3d8bbwe\Assets\Office\DeselectAll.scale-140.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-32_altform-unplated_contrast-white.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\retry_icon.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5313_32x32x32.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-32.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-30_altform-unplated.png	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\dcfmui.msi.16.en-us.tree.dat	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_invite_18.svg	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-24_altform-unplated_contrast-white.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-256.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-36_altform-unplated_contrast-white.png	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-ul-oob.xrm-ms	explorer.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

4260 vssadmin.exe
8376 vssadmin.exe

pid	process
4260	vssadmin.exe
8376	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 23522 IoCs

Processes:

explorer.exeexplorer.exe

pid	process
368	explorer.exe
368	explorer.exe
368	explorer.exe
368	explorer.exe
368	explorer.exe
368	explorer.exe
368	explorer.exe
368	explorer.exe
368	explorer.exe
368	explorer.exe
368	explorer.exe
368	explorer.exe
368	explorer.exe
368	explorer.exe
368	explorer.exe
368	explorer.exe
368	explorer.exe
368	explorer.exe
368	explorer.exe
368	explorer.exe
368	explorer.exe
368	explorer.exe
368	explorer.exe
368	explorer.exe
368	explorer.exe
368	explorer.exe
368	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exeexplorer.exe

pid process

4756 98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exe
368 explorer.exe

pid	process
4756	98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exe
368	explorer.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

explorer.exevssvc.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2812	explorer.exe
Token: SeBackupPrivilege	3868	vssvc.exe
Token: SeRestorePrivilege	3868	vssvc.exe
Token: SeAuditPrivilege	3868	vssvc.exe
Token: SeDebugPrivilege	368	explorer.exe
Token: SeImpersonatePrivilege	368	explorer.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 4756 wrote to memory of 368	4756	98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exe	explorer.exe
PID 4756 wrote to memory of 368	4756	98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exe	explorer.exe
PID 4756 wrote to memory of 368	4756	98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exe	explorer.exe
PID 368 wrote to memory of 2812	368	explorer.exe	explorer.exe
PID 368 wrote to memory of 2812	368	explorer.exe	explorer.exe
PID 368 wrote to memory of 2812	368	explorer.exe	explorer.exe
PID 2812 wrote to memory of 4260	2812	explorer.exe	vssadmin.exe
PID 2812 wrote to memory of 4260	2812	explorer.exe	vssadmin.exe
PID 368 wrote to memory of 7164	368	explorer.exe	notepad.exe
PID 368 wrote to memory of 7164	368	explorer.exe	notepad.exe
PID 368 wrote to memory of 7164	368	explorer.exe	notepad.exe
PID 368 wrote to memory of 8376	368	explorer.exe	vssadmin.exe
PID 368 wrote to memory of 8376	368	explorer.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exe
"C:\Users\Admin\AppData\Local\Temp\98cf38865117a3e333df1fb0a538b97f66fea568746fefb697e76ca8c686a3e3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
2⤵
- Modifies extensions of user files
- Deletes itself
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:4260

C:\Windows\SysWOW64\notepad.exe
C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\1B68F-Readme.txt"
3⤵
PID:7164

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:8376

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:3868

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\1B68F-Readme.txt
MD5
e051bcffb4d45e7480325f6dcef381be

SHA1
6398ee544a7a60c9e2ac4197b4d78712f226b5b6

SHA256
a32e8b304d968c767023eba5712a554af7b429d360419453100ff69ba813103a

SHA512
fabc29ccccb39e22311d2f33ccc67c6754ff1a0d3bab25929cc30481c395c50816988c6ced1b44d9d17870a190f91632628a759e7d56e499fbdafb4ee7212e93

Download Submit
memory/368-0-0x0000000000000000-mapping.dmp

Download
memory/368-2-0x0000000003700000-0x000000000371B000-memory.dmp

Filesize
108KB

Download
memory/2812-3-0x0000000000000000-mapping.dmp

Download
memory/4260-4-0x0000000000000000-mapping.dmp

Download
memory/4756-1-0x0000000001380000-0x000000000139B000-memory.dmp

Filesize
108KB

Download
memory/7164-6-0x0000000000000000-mapping.dmp

Download
memory/8376-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads