Analysis

max time kernel: 153s
max time network: 154s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 20:17

Static task: static1
Behavioral task: behavioral1
  Sample: a8c4b8096fd12078acf5f08230e561381fe8d0859a5949825ab411f6312f5da5.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: a8c4b8096fd12078acf5f08230e561381fe8d0859a5949825ab411f6312f5da5.exe
  Resource: win10v20201028
General

Target: a8c4b8096fd12078acf5f08230e561381fe8d0859a5949825ab411f6312f5da5.exe
Size: 82KB
MD5: bb9d6ca0aa3f5fbc9cd50b7d6388f29c
SHA1: b4e254dd5d6243bc7a006541d9f5db0aa10dbe72
SHA256: a8c4b8096fd12078acf5f08230e561381fe8d0859a5949825ab411f6312f5da5
SHA512: 34c344bb22fa1797f81eeccea896fc90f4563b8d8fbb5da45f8a64f7f63b452fbbc4df46db6e3865a18c2bd5f4436ec2e6552129b018a6286a75f5419fc7cdbb
Malware Config

The same configuration was extracted from three copies of the ransom note:
  C:\D67DC-Readme.txt
  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\D67DC-Readme.txt
  C:\Users\Admin\Music\D67DC-Readme.txt

  Family: netwalker
  Emails: kazkavkovkiz@cock.li, Hariliuios@tutanota.com
Signatures

Detected Netwalker Ransomware (2 IoCs)
Detected unpacked Netwalker executable.
  resource                                                                      yara_rule
  behavioral1/memory/1096-1-0x0000000000070000-0x0000000000089000-memory.dmp    netwalker_ransomware
  behavioral1/memory/1572-3-0x00000000001B0000-0x00000000001C9000-memory.dmp    netwalker_ransomware
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
-
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files (1 IoC)
Ransomware generally changes the extension on encrypted files.
  description                   ioc                                      process
  File opened for modification  C:\Users\Admin\Pictures\FindStep.tiff    explorer.exe
Deletes itself (1 IoC)
  pid     process
  1572    explorer.exe
(pid 1572 is the hollowed explorer.exe that carries the Netwalker payload, see the SetThreadContext signature below; the real shell binary is not what is being deleted here.)
Adds Run key to start application (2 TTPs, 1 IoC)
  description        ioc                                                                                                                       process
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d67dc487 = "C:\\Program Files (x86)\\d67dc487\\d67dc487.exe"    explorer.exe
Modifies service (2 TTPs, 5 IoCs)
  description    ioc                                                                                                        process
  Key created    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                                  vssvc.exe
  Key created    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}    vssvc.exe
  Key created    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer                                vssvc.exe
  Key created    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                                       vssvc.exe
  Key created    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer                  vssvc.exe
(These keys are written by the Volume Shadow Copy service itself when it is started by the vssadmin call below; they are a side effect of the shadow-copy deletion, not an action of the sample.)
Suspicious use of SetThreadContext (2 IoCs)
  description                            pid     process                                                                      target process
  PID 1096 set thread context of 1572    1096    a8c4b8096fd12078acf5f08230e561381fe8d0859a5949825ab411f6312f5da5.exe    explorer.exe
  PID 1572 set thread context of 2000    1572    explorer.exe                                                                 explorer.exe
Drops file in Program Files directory (9498 IoCs; the 64 listed on the page are shown)
The "File opened for modification" rows are files being encrypted in place; every "File created" row is a copy of the ransom note D67DC-Readme.txt dropped into the directory just encrypted.
  description                   ioc                                                                                                                   process
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\SLATE.ELM                                         explorer.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\THROAT.WAV                                      explorer.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14867_.GIF                                           explorer.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\AUTHOR.XSL                                         explorer.exe
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\CircleSubpicture.png                                               explorer.exe
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-shadow.png                                                explorer.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Earthy.css                             explorer.exe
  File created                  C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\D67DC-Readme.txt                                                  explorer.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099174.WMF                                                 explorer.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR9F.GIF                                            explorer.exe
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\America\Guatemala                                                                   explorer.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application-views.jar          explorer.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\MP00646_.WMF                                                 explorer.exe
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\Asia\Kuala_Lumpur                                                                   explorer.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kathmandu                                                           explorer.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107152.WMF                                                 explorer.exe
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down_BIDI.png                               explorer.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\an.txt                                                                                    explorer.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\RPT2HTM4.XSL                                               explorer.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Main.gif                     explorer.exe
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\Europe\Istanbul                                                                     explorer.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198377.WMF                                                 explorer.exe
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_down.png                                  explorer.exe
  File created                  C:\Program Files\Java\jdk1.7.0_80\include\D67DC-Readme.txt                                                            explorer.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\WORDIRM.XML                                                          explorer.exe
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\America\Atikokan                                                                    explorer.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml    explorer.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Minsk                                                             explorer.exe
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\America\Montreal                                                                    explorer.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21364_.GIF                                           explorer.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME15.CSS                                           explorer.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107480.WMF                                                 explorer.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\BLENDS.ELM                                       explorer.exe
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\Europe\Lisbon                                                                       explorer.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME19.CSS                                           explorer.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR28F.GIF                                            explorer.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\lua\intf\cli.luac                                                                       explorer.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT                          explorer.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\lua\playlist\youtube.luac                                                               explorer.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0301418.WMF                                                 explorer.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\SONORA.INF                                       explorer.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-api.jar        explorer.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml             explorer.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GreenTea.css     explorer.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01074_.WMF                                                 explorer.exe
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\logo.png                                                  explorer.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199805.WMF                                                   explorer.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\La_Paz                                                           explorer.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0233312.WMF                                                   explorer.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBrowserUpgrade.html     explorer.exe
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml                                  explorer.exe
  File created                  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\D67DC-Readme.txt                                                     explorer.exe
  File opened for modification  C:\Program Files\Java\jre7\lib\ext\meta-index                                                                         explorer.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF    explorer.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\ED00184_.WMF                                                 explorer.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00191_.WMF                                                 explorer.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02263_.WMF                                                 explorer.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-utilities.jar           explorer.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-search_ja.jar                 explorer.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\macroprogress.gif            explorer.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.continuation_8.1.14.v20131031.jar      explorer.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\uninstall\uninstall.log                                                              explorer.exe
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\Africa\Maputo                                                                       explorer.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLLIBR.DLL.IDX_DLL                                            explorer.exe
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid     process
  2040    vssadmin.exe
Suspicious behavior: EnumeratesProcesses (15169 IoCs)
  pid     process
  1572    explorer.exe
  2000    explorer.exe
(The page lists these two pids repeatedly; the duplicates are collapsed here.)
Suspicious behavior: MapViewOfSection (2 IoCs)
  pid     process
  1096    a8c4b8096fd12078acf5f08230e561381fe8d0859a5949825ab411f6312f5da5.exe
  1572    explorer.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                  pid     process
  Token: SeDebugPrivilege      2000    explorer.exe
  Token: SeBackupPrivilege     1712    vssvc.exe
  Token: SeRestorePrivilege    1712    vssvc.exe
  Token: SeAuditPrivilege      1712    vssvc.exe
(SeDebugPrivilege in pid 2000 is enabled by the injected payload; the three vssvc.exe privileges are the ones the VSS service normally holds and are not an indicator on their own.)
Suspicious use of WriteProcessMemory (12 IoCs)
  description                              pid     process                                                                      target process
  PID 1096 wrote to memory of 1572 (x4)    1096    a8c4b8096fd12078acf5f08230e561381fe8d0859a5949825ab411f6312f5da5.exe    explorer.exe
  PID 1572 wrote to memory of 2000 (x4)    1572    explorer.exe                                                                 explorer.exe
  PID 2000 wrote to memory of 2040 (x4)    2000    explorer.exe                                                                 vssadmin.exe
Processes

C:\Users\Admin\AppData\Local\Temp\a8c4b8096fd12078acf5f08230e561381fe8d0859a5949825ab411f6312f5da5.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\a8c4b8096fd12078acf5f08230e561381fe8d0859a5949825ab411f6312f5da5.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\explorer.exe (depth 2)
    command line: "C:\Windows\system32\explorer.exe"
    - Modifies extensions of user files
    - Deletes itself
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\explorer.exe (depth 3)
      command line: "C:\Windows\system32\explorer.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\vssadmin.exe (depth 4)
        command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
        - Interacts with shadow copies

C:\Windows\system32\vssvc.exe (depth 1)
  command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken

Note on the tree: the command line asks for C:\Windows\system32\explorer.exe, but the image that actually ran is C:\Windows\SysWOW64\explorer.exe. That redirection only happens to 32-bit callers, so the sample is a 32-bit binary and the process it hollows (SetThreadContext plus WriteProcessMemory plus MapViewOfSection at each hop) is the 32-bit explorer.exe, not the 64-bit shell the user is logged into. vssvc.exe is not a child of the sample; it is the VSS service, started on demand by the vssadmin call.
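The signatures and the tree above record four behaviours that host telemetry can catch without a sandbox: a 32-bit explorer.exe hollowed by a non-shell parent, vssadmin delete shadows launched from an explorer.exe parent, an HKLM Run value written by explorer.exe, and a D67DC-Readme.txt note dropped into every encrypted directory. The Python below is an added example written for this page, not tooling from the sandbox, the report's author or the malware; it runs those rules over constructed Sysmon-style events (event IDs 1, 13 and 11 reduced to a few fields) modelled on the IoCs in this report. The event shape, the three-directory threshold, the explorer.exe parent allowlist and the wmic variant of shadow deletion are assumptions; the ATT&CK IDs are from the current matrix, not the v6 matrix this report references.

```python
"""Detection rules for the behaviours in this report, run over constructed events."""
import ntpath
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "a8c4b8096fd12078acf5f08230e561381fe8d0859a5949825ab411f6312f5da5.exe"
WOW_EXPLORER = r"C:\Windows\SysWOW64\explorer.exe"

# Constructed Sysmon-like events (not sandbox output) mirroring the report's process
# tree and IoCs. The final jni.h write is a benign row the note rule must ignore.
EVENTS = [
    {"type": "process", "pid": 1096, "image": TEMP + "\\" + SAMPLE,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": f'"{TEMP}\\{SAMPLE}"'},
    {"type": "process", "pid": 1572, "image": WOW_EXPLORER, "parent_image": TEMP + "\\" + SAMPLE,
     "cmdline": r'"C:\Windows\system32\explorer.exe"'},
    {"type": "process", "pid": 2000, "image": WOW_EXPLORER, "parent_image": WOW_EXPLORER,
     "cmdline": r'"C:\Windows\system32\explorer.exe"'},
    {"type": "process", "pid": 2040, "image": r"C:\Windows\system32\vssadmin.exe",
     "parent_image": WOW_EXPLORER,
     "cmdline": r"C:\Windows\system32\vssadmin.exe delete shadows /all /quiet"},
    {"type": "registry", "pid": 1572, "image": WOW_EXPLORER,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d67dc487",
     "value": r"C:\Program Files (x86)\d67dc487\d67dc487.exe"},
    {"type": "file", "pid": 1572, "image": WOW_EXPLORER, "path": r"C:\D67DC-Readme.txt"},
    {"type": "file", "pid": 1572, "image": WOW_EXPLORER, "path": r"C:\Users\Admin\Music\D67DC-Readme.txt"},
    {"type": "file", "pid": 1572, "image": WOW_EXPLORER,
     "path": r"C:\Program Files\Java\jdk1.7.0_80\include\D67DC-Readme.txt"},
    {"type": "file", "pid": 1572, "image": WOW_EXPLORER,
     "path": r"C:\Program Files\Java\jdk1.7.0_80\include\jni.h"},
]

LEGIT_EXPLORER_PARENTS = {"explorer.exe", "userinit.exe", "winlogon.exe"}  # assumed allowlist
# vssadmin form is the one in this run; the wmic form is a common variant not observed here.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\b.*\bshadowcopy\s+delete", re.I)
NOTE_NAME = re.compile(r"^([0-9a-f]{5})-Readme\.txt$", re.I)   # Netwalker note name: <id>-Readme.txt
RUN_VALUE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.I)
MIN_NOTE_DIRS = 3   # assumed: one note could be a test, many directories is an encryption run


def base(path):
    return ntpath.basename(path).lower()


def analyze(events):
    """Return (ATT&CK id, detail) findings; IDs are current ATT&CK, not the v6 matrix."""
    findings = []
    note_dirs = defaultdict(set)   # note id -> directories it was dropped in
    run_names = []
    for ev in events:
        if ev["type"] == "process":
            img, parent = base(ev["image"]), base(ev["parent_image"])
            if img == "explorer.exe":
                # A SysWOW64 explorer.exe only appears when a 32-bit caller was redirected
                # from system32; on an x64 host that is a hollowing artefact, as in this run.
                if "\\syswow64\\" in ev["image"].lower():
                    findings.append(("T1055.012", f"pid {ev['pid']}: 32-bit explorer.exe started from SysWOW64"))
                if parent not in LEGIT_EXPLORER_PARENTS:
                    findings.append(("T1055.012", f"pid {ev['pid']}: explorer.exe spawned by {parent}"))
            if SHADOW_DELETE.search(ev["cmdline"]):
                findings.append(("T1490", f"pid {ev['pid']}: shadow copy deletion, parent {parent}: {ev['cmdline']}"))
        elif ev["type"] == "registry":
            m = RUN_VALUE.search(ev["key"])
            if m:
                name = m.group(1)
                run_names.append(name)
                # explorer.exe does not legitimately write HKLM Run; the <name>\<name>.exe
                # layout is the pattern in this report's Run-key IoC.
                same_dir = base(ntpath.dirname(ev["value"])) == name.lower()
                if base(ev["image"]) == "explorer.exe" or same_dir:
                    findings.append(("T1547.001", f"pid {ev['pid']}: Run value {name} -> {ev['value']}"))
        elif ev["type"] == "file":
            m = NOTE_NAME.match(ntpath.basename(ev["path"]))
            if m:
                note_dirs[m.group(1).lower()].add(ntpath.dirname(ev["path"]).lower())
    for note_id, dirs in note_dirs.items():
        if len(dirs) >= MIN_NOTE_DIRS:
            # In this report the note id (D67DC) is the prefix of the Run value name (d67dc487);
            # correlating the two is a heuristic taken from this run, not a documented invariant.
            linked = [n for n in run_names if n.lower().startswith(note_id)]
            tail = f", id matches Run value {linked[0]}" if linked else ""
            findings.append(("T1486", f"{note_id.upper()}-Readme.txt dropped in {len(dirs)} directories{tail}"))
    return findings


if __name__ == "__main__":
    for tid, detail in analyze(EVENTS):
        print(f"{tid:10} {detail}")
```

Process-create telemetry cannot see SetThreadContext or WriteProcessMemory, so the hollowing rule keys on the two side effects that do reach the event log: the SysWOW64 image path and the unexpected parent. The ransom-note rule deliberately counts directories rather than files, because a single note is what an analyst would write to disk when looking at the sample, while one note per directory is what the encryption loop in this report produces.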
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

memory/1096-1-0x0000000000070000-0x0000000000089000-memory.dmp    (100KB)
memory/1572-0-0x0000000000000000-mapping.dmp
memory/1572-3-0x00000000001B0000-0x00000000001C9000-memory.dmp    (100KB)
memory/2000-2-0x0000000000000000-mapping.dmp
memory/2040-4-0x0000000000000000-mapping.dmp