Analysis
  max time kernel:  132s
  max time network: 11s
  platform:         windows7_x64
  resource:         win7v20201028
  submitted:        09-11-2020 20:17
Static task: static1

Behavioral task: behavioral1
  Sample:   6f89cfef50cadb9e7e986ec913eb8c68bb14af5c576fe98dbe41060edf3cfe8a.exe
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample:   6f89cfef50cadb9e7e986ec913eb8c68bb14af5c576fe98dbe41060edf3cfe8a.exe
  Resource: win10v20201028
General
  Target: 6f89cfef50cadb9e7e986ec913eb8c68bb14af5c576fe98dbe41060edf3cfe8a.exe
  Size:   91KB
  MD5:    d635879fae28746375728409e6a14686
  SHA1:   43eb0865681420e821fbc6acf6c5b0a377e55c72
  SHA256: 6f89cfef50cadb9e7e986ec913eb8c68bb14af5c576fe98dbe41060edf3cfe8a
  SHA512: 1c13e85c9295f7b2dfcc9ca3a301baea0b908760958c95863043620262946f6b905f2adf8183fab568feb886003d4f6d46f28262c92ce79038d7d3b49f04b307
Malware Config
  Extracted: C:\06791-Readme.txt
    Family: netwalker
    Emails: 2Hamlampampom@cock.li, Galgalgalgalk@tutanota.com
  Extracted: C:\Program Files (x86)\Microsoft Office\Office14\06791-Readme.txt
    Family: netwalker
    Emails: 2Hamlampampom@cock.li, Galgalgalgalk@tutanota.com
Signatures

Detected Netwalker Ransomware (2 IoCs)
Detected unpacked Netwalker executable.
Processes (resource / yara_rule):
  behavioral1/memory/1668-1-0x0000000000080000-0x000000000009B000-memory.dmp  netwalker_ransomware
  behavioral1/memory/1496-4-0x00000000001C0000-0x00000000001DB000-memory.dmp  netwalker_ransomware
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Deletes itself (1 IoCs)
Processes (pid / process):
  1496  explorer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description / ioc / process):
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\06791532 = "C:\\Program Files (x86)\\06791532\\06791532.exe"  explorer.exe
Modifies service (2 TTPs, 5 IoCs)
Processes (description / ioc / process):
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer  vssvc.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes (description / pid / process / target process):
  PID 1668 set thread context of 1496  1668  6f89cfef50cadb9e7e986ec913eb8c68bb14af5c576fe98dbe41060edf3cfe8a.exe  explorer.exe
  PID 1496 set thread context of 1420  1496  explorer.exe  explorer.exe
Drops file in Program Files directory (7479 IoCs)
Processes (description / ioc / process; all entries by explorer.exe):
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285792.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cambridge_Bay
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.ssl_1.0.0.v20140827-1444.jar
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107264.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0088542.WMF
  File opened for modification  C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png
  File opened for modification  C:\Program Files\Java\jre7\lib\fonts\LucidaSansRegular.ttf
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Easter
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\Asia\Thimphu
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145895.JPG
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400004.PNG
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\Invite or Link.one
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkClientCP
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html
  File opened for modification  C:\Program Files\VideoLAN\VLC\lua\http\view.html
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageAttachmentIconImagesMask.bmp
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090781.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21335_.GIF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02750G.GIF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB10.BDR
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\AIR98.POC
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search.api
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-options_ja.jar
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_ja_4.4.0.v20140623020002.jar
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR2B.GIF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\STUBBY1.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00382_.WMF
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-io-ui.xml
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director_2.3.100.v20140224-1921.jar
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107748.WMF
  File created                  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\06791-Readme.txt
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Luxembourg
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLBAR.INF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01162_.WMF
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Vancouver
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0297707.WMF
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\dt.jar
  File opened for modification  C:\Program Files\7-Zip\Lang\pt-br.txt
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\content-types.properties
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14691_.GIF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106958.WMF
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.properties
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Grand_Turk
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\imap.jar
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21480_.GIF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR18F.GIF
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet_3.0.0.v201112011016.jar
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK_F_COL.HXK
  File opened for modification  C:\Program Files\Java\jre7\lib\management\jmxremote.access
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_ja.jar
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_zh_CN.jar
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FEZIP.POC
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382948.JPG
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0233665.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00670_.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginDialogBackground.jpg
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Technic.xml
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18236_.WMF
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Prague
Interacts with shadow copies (2 TTPs, 3 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid / process):
  1976  vssadmin.exe
  1780  vssadmin.exe
  3768  vssadmin.exe
Suspicious behavior: EnumeratesProcesses (16895 IoCs)
Processes (pid / process; each pid appears once per detection in the original table and is listed once here):
  1496  explorer.exe
  1420  explorer.exe
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes (pid / process):
  1668  6f89cfef50cadb9e7e986ec913eb8c68bb14af5c576fe98dbe41060edf3cfe8a.exe
  1496  explorer.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes (description / pid / process):
  Token: SeDebugPrivilege    1496  explorer.exe
  Token: SeDebugPrivilege    1420  explorer.exe
  Token: SeBackupPrivilege   1996  vssvc.exe
  Token: SeRestorePrivilege  1996  vssvc.exe
  Token: SeAuditPrivilege    1996  vssvc.exe
Suspicious use of WriteProcessMemory (24 IoCs)
Processes (description / pid / process / target process; each row was recorded 4 times):
  PID 1668 wrote to memory of 1496  1668  6f89cfef50cadb9e7e986ec913eb8c68bb14af5c576fe98dbe41060edf3cfe8a.exe  explorer.exe  (x4)
  PID 1496 wrote to memory of 1976  1496  explorer.exe  vssadmin.exe  (x4)
  PID 1496 wrote to memory of 1420  1496  explorer.exe  explorer.exe  (x4)
  PID 1420 wrote to memory of 1780  1420  explorer.exe  vssadmin.exe  (x4)
  PID 1496 wrote to memory of 3144  1496  explorer.exe  notepad.exe   (x4)
  PID 1496 wrote to memory of 3768  1496  explorer.exe  vssadmin.exe  (x4)
Processes (process tree; depth shown in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\6f89cfef50cadb9e7e986ec913eb8c68bb14af5c576fe98dbe41060edf3cfe8a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6f89cfef50cadb9e7e986ec913eb8c68bb14af5c576fe98dbe41060edf3cfe8a.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\explorer.exe
        Command line: "C:\Windows\system32\explorer.exe"
        - Deletes itself
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\vssadmin.exe
            Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
            - Interacts with shadow copies

        [3] C:\Windows\SysWOW64\explorer.exe
            Command line: "C:\Windows\system32\explorer.exe"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\vssadmin.exe
                Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
                - Interacts with shadow copies

        [3] C:\Windows\SysWOW64\notepad.exe
            Command line: C:\Windows\system32\notepad.exe C:\Users\Admin\Desktop\06791-Readme.txt

        [3] C:\Windows\system32\vssadmin.exe
            Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
            - Interacts with shadow copies

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Modifies service
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\Desktop\06791-Readme.txt
  MD5:    41e0b80bb519a473c3511d75370eb7bf
  SHA1:   27829fd3d6c12febb14fda804a696f1fe5fd538f
  SHA256: 17d01900aab9a4e784ff8b31209d39dfc8ae2393fbfafc5b49f80b8cc5e9c4bf
  SHA512: 148ae8a31acc8e5dd0deca664810e79cc261d9b80e27123ae61f0c91ed1662a2d317244a6bfbf23b1e307797e0c25ce53fbc678ba6f93f1a79e81529a569aeda

memory/1420-3-0x0000000000000000-mapping.dmp

memory/1496-0-0x0000000000000000-mapping.dmp

memory/1496-4-0x00000000001C0000-0x00000000001DB000-memory.dmp
  Filesize: 108KB

memory/1668-1-0x0000000000080000-0x000000000009B000-memory.dmp
  Filesize: 108KB

memory/1780-5-0x0000000000000000-mapping.dmp

memory/1976-2-0x0000000000000000-mapping.dmp

memory/3144-6-0x0000000000000000-mapping.dmp

memory/3768-7-0x0000000000000000-mapping.dmp