Analysis
- max time kernel: 161s
- max time network: 40s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 20:17
Static task: static1
Behavioral task: behavioral1
  Sample: 664a129052f024acaca3ca8df9b52a432e2172678b1f80af82fcd2ec9d642e18.bin.dll
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 664a129052f024acaca3ca8df9b52a432e2172678b1f80af82fcd2ec9d642e18.bin.dll
  Resource: win10v20201028
General
- Target: 664a129052f024acaca3ca8df9b52a432e2172678b1f80af82fcd2ec9d642e18.bin.dll
- Size: 93KB
- MD5: 747dc998c4cf60c6d40a77de18a9aa62
- SHA1: 0e76db2d2a61b5983c295bb325049b64e74b40ba
- SHA256: 664a129052f024acaca3ca8df9b52a432e2172678b1f80af82fcd2ec9d642e18
- SHA512: 795d39c4515c6f1d396b49257d15c21a95a83a0953cfab8a0b3fb70b7f1c8167f49e3f18bec8ac4cc3ca8fb5455c53ecd3eb079bc7d41ce8a7be0c0611ff7dcd
Malware Config
Extracted from: C:\Program Files (x86)\Common Files\Adobe AIR\AACA98-Readme.txt
- Family: netwalker
- http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
- http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted from: C:\Users\Admin\Desktop\AACA98-Readme.txt
- Family: netwalker
- http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
- http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted from: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\AACA98-Readme.txt
- Family: netwalker
- http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
- http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted from: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\AACA98-Readme.txt
- Family: netwalker
- http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
- http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
-
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
-
Modifies extensions of user files (5 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: rundll32.exe
description  | ioc | process
File renamed | C:\Users\Admin\Pictures\CompareUnpublish.raw => C:\Users\Admin\Pictures\CompareUnpublish.raw.aaca98 | rundll32.exe
File renamed | C:\Users\Admin\Pictures\ConvertFromUnlock.raw => C:\Users\Admin\Pictures\ConvertFromUnlock.raw.aaca98 | rundll32.exe
File renamed | C:\Users\Admin\Pictures\DisableRedo.png => C:\Users\Admin\Pictures\DisableRedo.png.aaca98 | rundll32.exe
File renamed | C:\Users\Admin\Pictures\ExpandMount.crw => C:\Users\Admin\Pictures\ExpandMount.crw.aaca98 | rundll32.exe
File renamed | C:\Users\Admin\Pictures\PopSet.tif => C:\Users\Admin\Pictures\PopSet.tif.aaca98 | rundll32.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory (7484 IoCs)
Processes:
Suspicious behavior: EnumeratesProcesses (216 IoCs)
Processes:
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: rundll32.exe
description | pid | process
Token: SeDebugPrivilege | 1200 | rundll32.exe
Token: SeImpersonatePrivilege | 1200 | rundll32.exe
-
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
description | pid | process | target process
PID 1200 wrote to memory of 316 | 1200 | rundll32.exe | notepad.exe
PID 1200 wrote to memory of 316 | 1200 | rundll32.exe | notepad.exe
PID 1200 wrote to memory of 316 | 1200 | rundll32.exe | notepad.exe
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\664a129052f024acaca3ca8df9b52a432e2172678b1f80af82fcd2ec9d642e18.bin.dll,#1
   - Modifies extensions of user files
   - Drops file in Program Files directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
2. C:\Windows\system32\notepad.exe
   Command line: C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\AACA98-Readme.txt"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/316-0-0x0000000000000000-mapping.dmp