Analysis
-
max time kernel
124s -
max time network
125s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
09-11-2020 20:17
Static task
static1
Behavioral task
behavioral1
Sample
75ef9e3e44ac11bb06f499b9f4f43a4cc331887529b81d0e62aef87178ca5e65.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
75ef9e3e44ac11bb06f499b9f4f43a4cc331887529b81d0e62aef87178ca5e65.exe
Resource
win10v20201028
General
-
Target
75ef9e3e44ac11bb06f499b9f4f43a4cc331887529b81d0e62aef87178ca5e65.exe
-
Size
94KB
-
MD5
da4ae503d72a89e54701da53c7ccfdb7
-
SHA1
7aac6048c4c98dd4130295f0b9ccc2015c7c9a49
-
SHA256
75ef9e3e44ac11bb06f499b9f4f43a4cc331887529b81d0e62aef87178ca5e65
-
SHA512
ebfc7f613e95f845d09d00d4ee48230f386a458569c76a0596c1c00a7d5b710045a304cd34ff91487d51a37fbe20b5d9db92479823cbfdec401b65ed4cb13e02
Malware Config
Extracted
C:\872BE-Readme.txt
netwalker
sevenoneone@cock.li
kavariusing@tutanota.com
Extracted
C:\Users\Admin\Pictures\872BE-Readme.txt
netwalker
sevenoneone@cock.li
kavariusing@tutanota.com
Extracted
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\872BE-Readme.txt
netwalker
sevenoneone@cock.li
kavariusing@tutanota.com
Extracted
C:\Program Files\Java\jre1.8.0_66\lib\security\872BE-Readme.txt
netwalker
sevenoneone@cock.li
kavariusing@tutanota.com
Signatures
-
Detected Netwalker Ransomware 2 IoCs
Detected unpacked Netwalker executable.
Processes:
resource yara_rule behavioral2/memory/4796-1-0x0000000000050000-0x000000000006B000-memory.dmp netwalker_ransomware behavioral2/memory/3552-2-0x0000000003700000-0x000000000371B000-memory.dmp netwalker_ransomware -
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Deletes itself 1 IoCs
Processes:
explorer.exepid process 3552 explorer.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\872beea1 = "C:\\Program Files (x86)\\872beea1\\872beea1.exe" explorer.exe -
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
75ef9e3e44ac11bb06f499b9f4f43a4cc331887529b81d0e62aef87178ca5e65.exedescription pid process target process PID 4796 set thread context of 3552 4796 75ef9e3e44ac11bb06f499b9f4f43a4cc331887529b81d0e62aef87178ca5e65.exe explorer.exe -
Drops file in Program Files directory 17185 IoCs
Processes:
explorer.exedescription ioc process File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleSmallTile.scale-125.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\fue_2_1.png explorer.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Dark.scale-150.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Configuration\configuration.sqlite explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT explorer.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\Folder-48.png explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-pl.xrm-ms explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-30_altform-fullcolor.png explorer.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerConstraints.exsd explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\az_get.svg explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\tr-tr\ui-strings.js explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-80_altform-unplated_contrast-black.png explorer.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-125.png explorer.exe File created C:\Program Files\Google\Chrome\Application\86.0.4240.111\VisualElements\872BE-Readme.txt explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\example_icons2x.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\WindowsPhoneReservedAppInfo.xml explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInAcrobat.gif explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\TEE\generic.Messaging.config explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-pl.xrm-ms explorer.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\872BE-Readme.txt explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen-hover.svg explorer.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.http.jetty_3.0.200.v20131021-1843.jar explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp9.scale-200.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\Deal\Deal.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\Square71x71\PaintSmallTile.scale-400.png explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql90.xsl explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner-3x.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-72_altform-unplated_contrast-high.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-256_altform-unplated.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Voices\en-GB\en-GB_female_TTS\common.lua explorer.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Dark.scale-400.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-40.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedWideTile.scale-200_contrast-white.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\en-us\styles\WefGalleryOnenote.css explorer.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailSmallTile.scale-150.png explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\editpdf.svg explorer.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\vlc.mo explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\be_16x11.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\je_16x11.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Voices\en-US\en-US_female_TTS\skin_en-US_female_TTS.lua explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-80.png explorer.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\es-es\872BE-Readme.txt explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\872BE-Readme.txt explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-24.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageLargeTile.scale-200_contrast-white.png explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\rsod\proof.en-us.msi.16.en-us.boot.tree.dat explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ppd.xrm-ms explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-pl.xrm-ms explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-disabled_32.svg explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-80.png explorer.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.contrast-white_scale-125.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\heart.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\WideLogo.scale-100.png explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL107.XML explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-30_altform-colorize.png explorer.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsWideTile.contrast-white_scale-125.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\starttile.dualsim2.smile.scale-200.png explorer.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-24_altform-unplated.png explorer.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\4774_48x48x32.png explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ppd.xrm-ms explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ja-jp\ui-strings.js explorer.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\872BE-Readme.txt explorer.exe File opened for modification C:\Program Files\Google\Chrome\Application\86.0.4240.111\default_apps\external_extensions.json explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\Emboss.scale-100.png explorer.exe -
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 644 vssadmin.exe 684 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 25479 IoCs
Processes:
explorer.exeexplorer.exepid process 3552 explorer.exe 3552 explorer.exe 3552 explorer.exe 3552 explorer.exe 3552 explorer.exe 3552 explorer.exe 3552 explorer.exe 3552 explorer.exe 3552 explorer.exe 3552 explorer.exe 3552 explorer.exe 3552 explorer.exe 3552 explorer.exe 3552 explorer.exe 3552 explorer.exe 3552 explorer.exe 3552 explorer.exe 3552 explorer.exe 3552 explorer.exe 3552 explorer.exe 3552 explorer.exe 3552 explorer.exe 3552 explorer.exe 3552 explorer.exe 3552 explorer.exe 3552 explorer.exe 3552 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe 756 explorer.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
75ef9e3e44ac11bb06f499b9f4f43a4cc331887529b81d0e62aef87178ca5e65.exeexplorer.exepid process 4796 75ef9e3e44ac11bb06f499b9f4f43a4cc331887529b81d0e62aef87178ca5e65.exe 3552 explorer.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
explorer.exevssvc.exeexplorer.exedescription pid process Token: SeDebugPrivilege 756 explorer.exe Token: SeBackupPrivilege 4416 vssvc.exe Token: SeRestorePrivilege 4416 vssvc.exe Token: SeAuditPrivilege 4416 vssvc.exe Token: SeDebugPrivilege 3552 explorer.exe Token: SeImpersonatePrivilege 3552 explorer.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
75ef9e3e44ac11bb06f499b9f4f43a4cc331887529b81d0e62aef87178ca5e65.exeexplorer.exeexplorer.exedescription pid process target process PID 4796 wrote to memory of 3552 4796 75ef9e3e44ac11bb06f499b9f4f43a4cc331887529b81d0e62aef87178ca5e65.exe explorer.exe PID 4796 wrote to memory of 3552 4796 75ef9e3e44ac11bb06f499b9f4f43a4cc331887529b81d0e62aef87178ca5e65.exe explorer.exe PID 4796 wrote to memory of 3552 4796 75ef9e3e44ac11bb06f499b9f4f43a4cc331887529b81d0e62aef87178ca5e65.exe explorer.exe PID 3552 wrote to memory of 756 3552 explorer.exe explorer.exe PID 3552 wrote to memory of 756 3552 explorer.exe explorer.exe PID 3552 wrote to memory of 756 3552 explorer.exe explorer.exe PID 756 wrote to memory of 644 756 explorer.exe vssadmin.exe PID 756 wrote to memory of 644 756 explorer.exe vssadmin.exe PID 3552 wrote to memory of 5792 3552 explorer.exe notepad.exe PID 3552 wrote to memory of 5792 3552 explorer.exe notepad.exe PID 3552 wrote to memory of 5792 3552 explorer.exe notepad.exe PID 3552 wrote to memory of 684 3552 explorer.exe vssadmin.exe PID 3552 wrote to memory of 684 3552 explorer.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\75ef9e3e44ac11bb06f499b9f4f43a4cc331887529b81d0e62aef87178ca5e65.exe"C:\Users\Admin\AppData\Local\Temp\75ef9e3e44ac11bb06f499b9f4f43a4cc331887529b81d0e62aef87178ca5e65.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\system32\explorer.exe"2⤵
- Deletes itself
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\system32\explorer.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\872BE-Readme.txt"3⤵
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\872BE-Readme.txtMD5
cad4d14c42dab959745a641b73c65a42
SHA1e0159d5276935481e59366a89a3d0f6d1cc30582
SHA256bb96fedfce0eb2d059d0a1dc089d65e8731718c2b650f0b1c4991f9aa7e987ef
SHA5126ffe9eb207fed97d774d87b09ac580639d6e03cf4e7f06c7c05d0130a5e0bf54746a26c91150227b4bc9451ed9b8ecf258775f1f7247b9e51e0771a5417c515e
-
memory/644-4-0x0000000000000000-mapping.dmp
-
memory/684-6-0x0000000000000000-mapping.dmp
-
memory/756-3-0x0000000000000000-mapping.dmp
-
memory/3552-0-0x0000000000000000-mapping.dmp
-
memory/3552-2-0x0000000003700000-0x000000000371B000-memory.dmpFilesize
108KB
-
memory/4796-1-0x0000000000050000-0x000000000006B000-memory.dmpFilesize
108KB
-
memory/5792-5-0x0000000000000000-mapping.dmp