Analysis

max time kernel: 151s
max time network: 20s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 20:17

Static task: static1

Behavioral task: behavioral1
Sample: 07b743dffd93be79b3ae4e8d5e0f05aec66af1115c4ec070df4cd35e800452d7.exe
Resource: win7v20201028

Behavioral task: behavioral2
Sample: 07b743dffd93be79b3ae4e8d5e0f05aec66af1115c4ec070df4cd35e800452d7.exe
Resource: win10v20201028

General

Target: 07b743dffd93be79b3ae4e8d5e0f05aec66af1115c4ec070df4cd35e800452d7.exe
Size: 91KB
MD5: 5f6f945167ac81d4bd0e07705f4231c5
SHA1: 6bbaf2c8ec7aa99247250ed6f55bff7719d75803
SHA256: 07b743dffd93be79b3ae4e8d5e0f05aec66af1115c4ec070df4cd35e800452d7
SHA512: 3b02cc77495263e96e550bdc9dc0bb56c0f9c2f4d639b65899f08d085a23437d80c20807fe27f719c91ed0bacc7763d113cef9767683cb15b485e25e297c87aa
Malware Config

Extracted from: C:\ProgramData\Microsoft\MF\21743-Readme.txt
Family: netwalker
Emails: 2Hamlampampom@cock.li, Galgalgalgalk@tutanota.com

Extracted from: C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\21743-Readme.txt
Family: netwalker
Emails: 2Hamlampampom@cock.li, Galgalgalgalk@tutanota.com
Signatures

Detected Netwalker Ransomware (2 IoCs)
Detected unpacked Netwalker executable.
Processes:
  resource | yara_rule
  behavioral1/memory/1756-1-0x0000000000230000-0x000000000024B000-memory.dmp | netwalker_ransomware
  behavioral1/memory/1508-4-0x00000000001F0000-0x000000000020B000-memory.dmp | netwalker_ransomware

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Deletes itself (1 IoCs)
Processes:
  pid | process
  1508 | explorer.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2174317f = "C:\\Program Files (x86)\\2174317f\\2174317f.exe" | explorer.exe

Modifies service (2 TTPs, 5 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description | pid | process | target process
  PID 1756 set thread context of 1508 | 1756 | 07b743dffd93be79b3ae4e8d5e0f05aec66af1115c4ec070df4cd35e800452d7.exe | explorer.exe
  PID 1508 set thread context of 2036 | 1508 | explorer.exe | explorer.exe

Drops file in Program Files directory (7479 IoCs)
Processes: explorer.exe
Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid | process
  1168 | vssadmin.exe
  1312 | vssadmin.exe

Suspicious behavior: EnumeratesProcesses (20162 IoCs)
Processes:
  pid | process
  1508 | explorer.exe
  2036 | explorer.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
  pid | process
  1756 | 07b743dffd93be79b3ae4e8d5e0f05aec66af1115c4ec070df4cd35e800452d7.exe
  1508 | explorer.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1508 | explorer.exe
  Token: SeBackupPrivilege | 1724 | vssvc.exe
  Token: SeRestorePrivilege | 1724 | vssvc.exe
  Token: SeAuditPrivilege | 1724 | vssvc.exe
  Token: SeDebugPrivilege | 2036 | explorer.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
  description | pid | process | target process | events
  PID 1756 wrote to memory of 1508 | 1756 | 07b743dffd93be79b3ae4e8d5e0f05aec66af1115c4ec070df4cd35e800452d7.exe | explorer.exe | 4
  PID 1508 wrote to memory of 1168 | 1508 | explorer.exe | vssadmin.exe | 4
  PID 1508 wrote to memory of 2036 | 1508 | explorer.exe | explorer.exe | 4
  PID 2036 wrote to memory of 1312 | 2036 | explorer.exe | vssadmin.exe | 4
Processes

C:\Users\Admin\AppData\Local\Temp\07b743dffd93be79b3ae4e8d5e0f05aec66af1115c4ec070df4cd35e800452d7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\07b743dffd93be79b3ae4e8d5e0f05aec66af1115c4ec070df4cd35e800452d7.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\explorer.exe
    Command line: "C:\Windows\system32\explorer.exe"
    - Deletes itself
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies

    C:\Windows\SysWOW64\explorer.exe
      Command line: "C:\Windows\system32\explorer.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\vssadmin.exe
        Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
        - Interacts with shadow copies

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- memory/1168-2-0x0000000000000000-mapping.dmp
- memory/1312-5-0x0000000000000000-mapping.dmp
- memory/1508-0-0x0000000000000000-mapping.dmp
- memory/1508-4-0x00000000001F0000-0x000000000020B000-memory.dmp (Filesize: 108KB)
- memory/1756-1-0x0000000000230000-0x000000000024B000-memory.dmp (Filesize: 108KB)
- memory/2036-3-0x0000000000000000-mapping.dmp