Analysis
- max time kernel: 151s
- max time network: 115s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 20:17
Static task: static1
Behavioral task: behavioral1
- Sample: a8c4b8096fd12078acf5f08230e561381fe8d0859a5949825ab411f6312f5da5.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: a8c4b8096fd12078acf5f08230e561381fe8d0859a5949825ab411f6312f5da5.exe
- Resource: win10v20201028
General
- Target: a8c4b8096fd12078acf5f08230e561381fe8d0859a5949825ab411f6312f5da5.exe
- Size: 82KB
- MD5: bb9d6ca0aa3f5fbc9cd50b7d6388f29c
- SHA1: b4e254dd5d6243bc7a006541d9f5db0aa10dbe72
- SHA256: a8c4b8096fd12078acf5f08230e561381fe8d0859a5949825ab411f6312f5da5
- SHA512: 34c344bb22fa1797f81eeccea896fc90f4563b8d8fbb5da45f8a64f7f63b452fbbc4df46db6e3865a18c2bd5f4436ec2e6552129b018a6286a75f5419fc7cdbb
Malware Config
Extracted from C:\Users\Public\Libraries\1CE26-Readme.txt
- Family: netwalker
- Contact: kazkavkovkiz@cock.li
- Contact: Hariliuios@tutanota.com
Extracted from C:\Users\Default\1CE26-Readme.txt
- Family: netwalker
- Contact: kazkavkovkiz@cock.li
- Contact: Hariliuios@tutanota.com
Extracted from C:\Program Files\7-Zip\Lang\1CE26-Readme.txt
- Family: netwalker
- Contact: kazkavkovkiz@cock.li
- Contact: Hariliuios@tutanota.com
Signatures
Detected Netwalker Ransomware (2 IoCs)
Detected unpacked Netwalker executable.
Processes:
resource | yara_rule
- behavioral2/memory/656-1-0x00000000009A0000-0x00000000009B9000-memory.dmp | netwalker_ransomware
- behavioral2/memory/2216-2-0x00000000031E0000-0x00000000031F9000-memory.dmp | netwalker_ransomware
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
-
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files (1 IoC)
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
- File opened for modification | C:\Users\Admin\Pictures\BackupMeasure.tiff | explorer.exe
Deletes itself (1 IoC)
Processes:
pid | process
- 2216 | explorer.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1ce26960 = "C:\\Program Files (x86)\\1ce26960\\1ce26960.exe" | explorer.exe
Modifies service (2 TTPs, 5 IoCs)
Processes:
description | ioc | process
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
- PID 656 set thread context of 2216 | 656 | a8c4b8096fd12078acf5f08230e561381fe8d0859a5949825ab411f6312f5da5.exe | explorer.exe
Drops file in Program Files directory (13816 IoCs)
Processes:
description | ioc | process
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\_Resources\0.rsrc | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-black\Logo.scale-100_contrast-black.png | explorer.exe
- File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\it-it\ui-strings.js | explorer.exe
- File opened for modification | C:\Program Files\7-Zip\Lang\ku.txt | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\AppxManifest.xml | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\WideTile.scale-100.png | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-96.png | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-125_8wekyb3d8bbwe\Lumia.ViewerPlugin\Assets\IconOpenInCinemagraph.contrast-white_scale-125.png | explorer.exe
- File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\uk-ua\ui-strings.js | explorer.exe
- File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\1CE26-Readme.txt | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-150_contrast-black.png | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat | explorer.exe
- File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-black\Square44x44Logo.targetsize-256_altform-unplated.png | explorer.exe
- File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\It.snippets.ps1xml | explorer.exe
- File created | C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\1CE26-Readme.txt | explorer.exe
- File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\THIRDPARTYLICENSEREADME.txt | explorer.exe
- File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT | explorer.exe
- File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\HandPrints.jpg | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\starttile.dualsim2.sad.small.scale-200.png | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.contrast-black_scale-200.png | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6924_24x24x32.png | explorer.exe
- File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ja-jp\ui-strings.js | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Pyramid\Goal_1.jpg | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-100_contrast-high.png | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxAccountsSmallTile.scale-100.png | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-125_contrast-white.png | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7ce.png | explorer.exe
- File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hr-hr\1CE26-Readme.txt | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\SharpDXEngine\Rendering\Shaders\Builtin\Bin\Colored_VS.fxo | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-96.png | explorer.exe
- File created | C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\1CE26-Readme.txt | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-GoogleCloudCache-Dark.scale-100.png | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\150.png | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-100.png | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\WideTile.scale-200.png | explorer.exe
- File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_zh_CN.jar | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Catalog\pencilbox.3mf | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\tripeaks\Extreme_Altitude_.png | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\ExchangeSmallTile.scale-150.png | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.scale-200.png | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_scale-125.png | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubMedTile.scale-100.png | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7dc.png | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Aquarium\aquarium_11d.png | explorer.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\msolui.rll | explorer.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic-Palatino Linotype.xml | explorer.exe
- File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\1CE26-Readme.txt | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\AppxManifest.xml | explorer.exe
- File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\css\1CE26-Readme.txt | explorer.exe
- File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\shortcuts_log.ini | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\179.png | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\StopwatchMedTile.scale-200.png | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-16.png | explorer.exe
- File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\es_60x42.png | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\DailyChallenges\LargeSpiderTile.jpg | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\2210_24x24x32.png | explorer.exe
- File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.attach_5.5.0.165303.jar | explorer.exe
- File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\README.md | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookSmallTile.scale-150.png | explorer.exe
- File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\bg_get.svg | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\Registry.dat | explorer.exe
- File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSplashLogo.scale-400.png | explorer.exe
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
- 3392 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses (39618 IoCs)
Processes:
pid | process
- 2216 | explorer.exe (repeated entries)
- 3212 | explorer.exe (repeated entries)
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
pid | process
- 656 | a8c4b8096fd12078acf5f08230e561381fe8d0859a5949825ab411f6312f5da5.exe
- 2216 | explorer.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
description | pid | process
- Token: SeDebugPrivilege | 3212 | explorer.exe
- Token: SeBackupPrivilege | 3284 | vssvc.exe
- Token: SeRestorePrivilege | 3284 | vssvc.exe
- Token: SeAuditPrivilege | 3284 | vssvc.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description | pid | process | target process
- PID 656 wrote to memory of 2216 | 656 | a8c4b8096fd12078acf5f08230e561381fe8d0859a5949825ab411f6312f5da5.exe | explorer.exe
- PID 656 wrote to memory of 2216 | 656 | a8c4b8096fd12078acf5f08230e561381fe8d0859a5949825ab411f6312f5da5.exe | explorer.exe
- PID 656 wrote to memory of 2216 | 656 | a8c4b8096fd12078acf5f08230e561381fe8d0859a5949825ab411f6312f5da5.exe | explorer.exe
- PID 2216 wrote to memory of 3212 | 2216 | explorer.exe | explorer.exe
- PID 2216 wrote to memory of 3212 | 2216 | explorer.exe | explorer.exe
- PID 2216 wrote to memory of 3212 | 2216 | explorer.exe | explorer.exe
- PID 3212 wrote to memory of 3392 | 3212 | explorer.exe | vssadmin.exe
- PID 3212 wrote to memory of 3392 | 3212 | explorer.exe | vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a8c4b8096fd12078acf5f08230e561381fe8d0859a5949825ab411f6312f5da5.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a8c4b8096fd12078acf5f08230e561381fe8d0859a5949825ab411f6312f5da5.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\explorer.exe (depth 2)
    Command line: "C:\Windows\system32\explorer.exe"
    - Modifies extensions of user files
    - Deletes itself
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe (depth 3)
      Command line: "C:\Windows\system32\explorer.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\vssadmin.exe (depth 4)
        Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
        - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/656-1-0x00000000009A0000-0x00000000009B9000-memory.dmp (Filesize: 100KB)
- memory/2216-0-0x0000000000000000-mapping.dmp
- memory/2216-2-0x00000000031E0000-0x00000000031F9000-memory.dmp (Filesize: 100KB)
- memory/3212-3-0x0000000000000000-mapping.dmp
- memory/3392-4-0x0000000000000000-mapping.dmp