Analysis
max time kernel: 157s
max time network: 172s
platform: windows10_x64
resource: win10v20201028
submitted: 09-11-2020 20:17
Static task: static1
Behavioral task: behavioral1
  Sample: 6f89cfef50cadb9e7e986ec913eb8c68bb14af5c576fe98dbe41060edf3cfe8a.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 6f89cfef50cadb9e7e986ec913eb8c68bb14af5c576fe98dbe41060edf3cfe8a.exe
  Resource: win10v20201028
General
Target: 6f89cfef50cadb9e7e986ec913eb8c68bb14af5c576fe98dbe41060edf3cfe8a.exe
Size: 91KB
MD5: d635879fae28746375728409e6a14686
SHA1: 43eb0865681420e821fbc6acf6c5b0a377e55c72
SHA256: 6f89cfef50cadb9e7e986ec913eb8c68bb14af5c576fe98dbe41060edf3cfe8a
SHA512: 1c13e85c9295f7b2dfcc9ca3a301baea0b908760958c95863043620262946f6b905f2adf8183fab568feb886003d4f6d46f28262c92ce79038d7d3b49f04b307
Malware Config
Extracted: C:\Recovery\WindowsRE\32E2B-Readme.txt
  Family: netwalker
  Emails: 2Hamlampampom@cock.li, Galgalgalgalk@tutanota.com
Extracted: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\32E2B-Readme.txt
  Family: netwalker
  Emails: 2Hamlampampom@cock.li, Galgalgalgalk@tutanota.com
Extracted: C:\Program Files\Java\jre1.8.0_66\32E2B-Readme.txt
  Family: netwalker
  Emails: 2Hamlampampom@cock.li, Galgalgalgalk@tutanota.com
Extracted: C:\Program Files\Microsoft Office\root\Office16\32E2B-Readme.txt
  Family: netwalker
  Emails: 2Hamlampampom@cock.li, Galgalgalgalk@tutanota.com
Extracted: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\32E2B-Readme.txt
  Family: netwalker
  Emails: 2Hamlampampom@cock.li, Galgalgalgalk@tutanota.com
Signatures

Detected Netwalker Ransomware (2 IoCs)
Detected unpacked Netwalker executable.
Memory resources matching yara rule:
- behavioral2/memory/648-1-0x0000000000F50000-0x0000000000F6B000-memory.dmp: netwalker_ransomware
- behavioral2/memory/1016-3-0x0000000002D20000-0x0000000002D3B000-memory.dmp: netwalker_ransomware

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Deletes itself (1 IoC)
Processes: explorer.exe
- pid 1016: explorer.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: explorer.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\32e2bad3 = "C:\\Program Files (x86)\\32e2bad3\\32e2bad3.exe" (explorer.exe)

Modifies service (2 TTPs, 5 IoCs)
Processes: vssvc.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)

Suspicious use of SetThreadContext (1 IoC)
Processes: 6f89cfef50cadb9e7e986ec913eb8c68bb14af5c576fe98dbe41060edf3cfe8a.exe
- PID 648 set thread context of 1016: 6f89cfef50cadb9e7e986ec913eb8c68bb14af5c576fe98dbe41060edf3cfe8a.exe (pid 648) -> target process explorer.exe
Drops file in Program Files directory (14152 IoCs)
Processes: explorer.exe
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\MapsBadgeLogo.scale-100.png (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\20.png (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\MedTile.scale-200.png (explorer.exe)
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\fi_get.svg (explorer.exe)
- File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\32E2B-Readme.txt (explorer.exe)
- File opened for modification: C:\Program Files\Java\jre1.8.0_66\THIRDPARTYLICENSEREADME-JAVAFX.txt (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Aquarium\mask\12d.png (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailWideTile.scale-125.png (explorer.exe)
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\thinking.png (explorer.exe)
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\32E2B-Readme.txt (explorer.exe)
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hu-hu\ui-strings.js (explorer.exe)
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-il\32E2B-Readme.txt (explorer.exe)
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\illustrations.png (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.16112.11621.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-30_altform-colorize.png (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\nr_60x42.png (explorer.exe)
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler.jar (explorer.exe)
- File opened for modification: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml (explorer.exe)
- File opened for modification: C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrome.7z (explorer.exe)
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-execution.xml (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsSmallTile.scale-100.png (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\OutlookMailMediumTile.scale-200.png (explorer.exe)
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\de-de\32E2B-Readme.txt (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Dark.scale-150.png (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\cv_60x42.png (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Dark.scale-250.png (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\8041_24x24x32.png (explorer.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\Fonts\private\WINGDNG2.TTF (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GameEnd\gameEnd_strip.png (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2708_24x24x32.png (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-125_contrast-white.png (explorer.exe)
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_ja.jar (explorer.exe)
- File opened for modification: C:\Program Files\VideoLAN\VLC\lua\modules\simplexml.luac (explorer.exe)
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_checkbox_selected_18.svg (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-32_contrast-white.png (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\LargeTile.scale-100.png (explorer.exe)
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\32E2B-Readme.txt (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\bj_16x11.png (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\649_20x20x32.png (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StopwatchWideTile.scale-100.png (explorer.exe)
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\it-it\32E2B-Readme.txt (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-48.png (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\Sounds\Link_Contact.wav (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCache-Dark.scale-180.png (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\StopwatchMedTile.contrast-white_scale-200.png (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\160.png (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2017.209.105.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockSmallTile.scale-125.png (explorer.exe)
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\core_icons_fw.png (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.scale-125.png (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Toolkit\Images\DefaultProfileImage.png (explorer.exe)
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\es-es\ui-strings.js (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-140_8wekyb3d8bbwe\Assets\Office\EmbossText.scale-140.png (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-129.png (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\starttile.dualsim1.wink.scale-200.png (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-125.png (explorer.exe)
- File opened for modification: C:\Program Files\Google\Chrome\Application\86.0.4240.111\v8_context_snapshot.bin (explorer.exe)
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\32E2B-Readme.txt (explorer.exe)
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-ma\ui-strings.js (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\en-gb\DemoNotebook.onepkg (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Dark.scale-100.png (explorer.exe)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\tc_16x11.png (explorer.exe)
Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe, vssadmin.exe
- pid 3112: vssadmin.exe
- pid 416: vssadmin.exe

Suspicious behavior: EnumeratesProcesses (40852 IoCs)
Processes: explorer.exe, explorer.exe
- pid 1016: explorer.exe (listed 26 times)
- pid 3668: explorer.exe (listed 38 times)

Suspicious behavior: MapViewOfSection (2 IoCs)
Processes: 6f89cfef50cadb9e7e986ec913eb8c68bb14af5c576fe98dbe41060edf3cfe8a.exe, explorer.exe
- pid 648: 6f89cfef50cadb9e7e986ec913eb8c68bb14af5c576fe98dbe41060edf3cfe8a.exe
- pid 1016: explorer.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: explorer.exe, explorer.exe, vssvc.exe
- Token: SeDebugPrivilege: pid 1016 explorer.exe
- Token: SeDebugPrivilege: pid 3668 explorer.exe
- Token: SeBackupPrivilege: pid 188 vssvc.exe
- Token: SeRestorePrivilege: pid 188 vssvc.exe
- Token: SeAuditPrivilege: pid 188 vssvc.exe

Suspicious use of WriteProcessMemory (10 IoCs)
Processes: 6f89cfef50cadb9e7e986ec913eb8c68bb14af5c576fe98dbe41060edf3cfe8a.exe, explorer.exe, explorer.exe
- PID 648 wrote to memory of 1016: 6f89cfef50cadb9e7e986ec913eb8c68bb14af5c576fe98dbe41060edf3cfe8a.exe -> explorer.exe
- PID 648 wrote to memory of 1016: 6f89cfef50cadb9e7e986ec913eb8c68bb14af5c576fe98dbe41060edf3cfe8a.exe -> explorer.exe
- PID 648 wrote to memory of 1016: 6f89cfef50cadb9e7e986ec913eb8c68bb14af5c576fe98dbe41060edf3cfe8a.exe -> explorer.exe
- PID 1016 wrote to memory of 3112: explorer.exe -> vssadmin.exe
- PID 1016 wrote to memory of 3112: explorer.exe -> vssadmin.exe
- PID 1016 wrote to memory of 3668: explorer.exe -> explorer.exe
- PID 1016 wrote to memory of 3668: explorer.exe -> explorer.exe
- PID 1016 wrote to memory of 3668: explorer.exe -> explorer.exe
- PID 3668 wrote to memory of 416: explorer.exe -> vssadmin.exe
- PID 3668 wrote to memory of 416: explorer.exe -> vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\6f89cfef50cadb9e7e986ec913eb8c68bb14af5c576fe98dbe41060edf3cfe8a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6f89cfef50cadb9e7e986ec913eb8c68bb14af5c576fe98dbe41060edf3cfe8a.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\explorer.exe
    Command line: "C:\Windows\system32\explorer.exe"
    Signatures: Deletes itself; Adds Run key to start application; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      Signatures: Interacts with shadow copies
    - C:\Windows\SysWOW64\explorer.exe
      Command line: "C:\Windows\system32\explorer.exe"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\vssadmin.exe
        Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
        Signatures: Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Modifies service; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/416-5-0x0000000000000000-mapping.dmp
- memory/648-1-0x0000000000F50000-0x0000000000F6B000-memory.dmp (filesize 108KB)
- memory/1016-0-0x0000000000000000-mapping.dmp
- memory/1016-3-0x0000000002D20000-0x0000000002D3B000-memory.dmp (filesize 108KB)
- memory/3112-2-0x0000000000000000-mapping.dmp
- memory/3668-4-0x0000000000000000-mapping.dmp