Analysis
max time kernel: 159s
max time network: 46s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 20:17
Static task: static1
Behavioral task: behavioral1
  Sample: 75ef9e3e44ac11bb06f499b9f4f43a4cc331887529b81d0e62aef87178ca5e65.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 75ef9e3e44ac11bb06f499b9f4f43a4cc331887529b81d0e62aef87178ca5e65.exe
  Resource: win10v20201028
General
Target: 75ef9e3e44ac11bb06f499b9f4f43a4cc331887529b81d0e62aef87178ca5e65.exe
Size: 94KB
MD5: da4ae503d72a89e54701da53c7ccfdb7
SHA1: 7aac6048c4c98dd4130295f0b9ccc2015c7c9a49
SHA256: 75ef9e3e44ac11bb06f499b9f4f43a4cc331887529b81d0e62aef87178ca5e65
SHA512: ebfc7f613e95f845d09d00d4ee48230f386a458569c76a0596c1c00a7d5b710045a304cd34ff91487d51a37fbe20b5d9db92479823cbfdec401b65ed4cb13e02
Malware Config
Extracted from: C:\ProgramData\Microsoft\User Account Pictures\B8C85-Readme.txt
Family: netwalker
Emails: sevenoneone@cock.li, kavariusing@tutanota.com
Signatures

Detected Netwalker Ransomware (2 IoCs)
Detected unpacked Netwalker executable.
Processes (resource, yara_rule):
  behavioral1/memory/1684-1-0x00000000000E0000-0x00000000000FB000-memory.dmp  netwalker_ransomware
  behavioral1/memory/1028-3-0x0000000000270000-0x000000000028B000-memory.dmp  netwalker_ransomware

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Deletes itself (1 IoCs)
Processes (pid, process):
  1028  explorer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description, ioc, process):
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b8c85573 = "C:\\Program Files (x86)\\b8c85573\\b8c85573.exe"  explorer.exe
Modifies service (2 TTPs, 5 IoCs)
Processes (description, ioc, process):
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer  vssvc.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes (description, pid, process, target process):
  PID 1684 set thread context of 1028  1684  75ef9e3e44ac11bb06f499b9f4f43a4cc331887529b81d0e62aef87178ca5e65.exe  explorer.exe
  PID 1028 set thread context of 1216  1028  explorer.exe  explorer.exe
Drops file in Program Files directory (3972 IoCs)
Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid, process):
  2004  vssadmin.exe
Suspicious behavior: EnumeratesProcesses (20438 IoCs)
Processes (pid, process; each reported repeatedly):
  1028  explorer.exe
  1216  explorer.exe
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes (pid, process):
  1684  75ef9e3e44ac11bb06f499b9f4f43a4cc331887529b81d0e62aef87178ca5e65.exe
  1028  explorer.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege        1216  explorer.exe
  Token: SeBackupPrivilege       980   vssvc.exe
  Token: SeRestorePrivilege      980   vssvc.exe
  Token: SeAuditPrivilege        980   vssvc.exe
  Token: SeDebugPrivilege        1028  explorer.exe
  Token: SeImpersonatePrivilege  1028  explorer.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description, pid, process, target process; each row reported 4 times):
  PID 1684 wrote to memory of 1028  1684  75ef9e3e44ac11bb06f499b9f4f43a4cc331887529b81d0e62aef87178ca5e65.exe  explorer.exe
  PID 1028 wrote to memory of 1216  1028  explorer.exe  explorer.exe
  PID 1216 wrote to memory of 2004  1216  explorer.exe  vssadmin.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\75ef9e3e44ac11bb06f499b9f4f43a4cc331887529b81d0e62aef87178ca5e65.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\75ef9e3e44ac11bb06f499b9f4f43a4cc331887529b81d0e62aef87178ca5e65.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\explorer.exe
      Command line: "C:\Windows\system32\explorer.exe"
      - Deletes itself
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\explorer.exe
         Command line: "C:\Windows\system32\explorer.exe"
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\vssadmin.exe
            Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
            - Interacts with shadow copies
1. C:\Windows\system32\vssvc.exe
   Command line: C:\Windows\system32\vssvc.exe
   - Modifies service
   - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/1028-0-0x0000000000000000-mapping.dmp
- memory/1028-3-0x0000000000270000-0x000000000028B000-memory.dmp (Filesize: 108KB)
- memory/1216-2-0x0000000000000000-mapping.dmp
- memory/1684-1-0x00000000000E0000-0x00000000000FB000-memory.dmp (Filesize: 108KB)
- memory/2004-4-0x0000000000000000-mapping.dmp