Analysis
max time kernel: 159s
max time network: 166s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 20:17
Static task: static1
Behavioral task: behavioral1
Sample: 5e03e3d93a456405952cdadee3018043789f118b871b93d113ce371c079f19dd.exe
Resource: win7v20201028
Behavioral task: behavioral2
Sample: 5e03e3d93a456405952cdadee3018043789f118b871b93d113ce371c079f19dd.exe
Resource: win10v20201028
General
Target: 5e03e3d93a456405952cdadee3018043789f118b871b93d113ce371c079f19dd.exe
Size: 91KB
MD5: b0008e752f488d7e97a8d2452411527e
SHA1: 56d655932ebbf59bfcc49ca2afc78db16cb7b889
SHA256: 5e03e3d93a456405952cdadee3018043789f118b871b93d113ce371c079f19dd
SHA512: 667bca43c63e1602aeb61bcf72eb9dbd86ad42063cebe8dc179a46c5bea723abdaafb75b5713f3cbba5e7e610a85b1c50beb47056250016e79a1b8a03d644bdf
Malware Config

Extracted
Path: C:\614B0-Readme.txt
Family: netwalker
Emails: 2Hamlampampom@cock.li, Galgalgalgalk@tutanota.com

Extracted
Path: C:\Program Files\Java\jdk1.7.0_80\include\614B0-Readme.txt
Family: netwalker
Emails: 2Hamlampampom@cock.li, Galgalgalgalk@tutanota.com

Extracted
Path: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\614B0-Readme.txt
Family: netwalker
Emails: 2Hamlampampom@cock.li, Galgalgalgalk@tutanota.com
Signatures

Detected Netwalker Ransomware (2 IoCs)
Detected unpacked Netwalker executable.
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/1008-1-0x0000000000160000-0x000000000017B000-memory.dmp   netwalker_ransomware
  behavioral1/memory/1840-4-0x0000000000230000-0x000000000024B000-memory.dmp   netwalker_ransomware

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Deletes itself (1 IoC)
Processes:
  pid    process
  1840   explorer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description       ioc                                                                                                                           process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\614b0a13 = "C:\\Program Files (x86)\\614b0a13\\614b0a13.exe"   explorer.exe

Modifies service (2 TTPs, 5 IoCs)
Processes:
  description   ioc                                                                                                           process
  Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer                                    vssvc.exe
  Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                                           vssvc.exe
  Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer                      vssvc.exe
  Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}   vssvc.exe
  Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                                      vssvc.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description                           pid    process                                                                  target process
  PID 1008 set thread context of 1840   1008   5e03e3d93a456405952cdadee3018043789f118b871b93d113ce371c079f19dd.exe   explorer.exe
  PID 1840 set thread context of 2036   1840   explorer.exe                                                             explorer.exe
Drops file in Program Files directory (7489 IoCs)
Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid    process
  2004   vssadmin.exe
  1176   vssadmin.exe
Suspicious behavior: EnumeratesProcesses (20248 IoCs)
Processes:
  pid    process
  1840   explorer.exe
  2036   explorer.exe
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
  pid    process
  1008   5e03e3d93a456405952cdadee3018043789f118b871b93d113ce371c079f19dd.exe
  1840   explorer.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
  description                  pid    process
  Token: SeDebugPrivilege      1840   explorer.exe
  Token: SeDebugPrivilege      2036   explorer.exe
  Token: SeBackupPrivilege     1764   vssvc.exe
  Token: SeRestorePrivilege    1764   vssvc.exe
  Token: SeAuditPrivilege      1764   vssvc.exe
Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
  description                        pid    process                                                                  target process
  PID 1008 wrote to memory of 1840   1008   5e03e3d93a456405952cdadee3018043789f118b871b93d113ce371c079f19dd.exe   explorer.exe
  PID 1840 wrote to memory of 2004   1840   explorer.exe                                                             vssadmin.exe
  PID 1840 wrote to memory of 2036   1840   explorer.exe                                                             explorer.exe
  PID 2036 wrote to memory of 1176   2036   explorer.exe                                                             vssadmin.exe
Processes

Image: C:\Users\Admin\AppData\Local\Temp\5e03e3d93a456405952cdadee3018043789f118b871b93d113ce371c079f19dd.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5e03e3d93a456405952cdadee3018043789f118b871b93d113ce371c079f19dd.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory

    Image: C:\Windows\SysWOW64\explorer.exe
    Command line: "C:\Windows\system32\explorer.exe"
    - Deletes itself
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

        Image: C:\Windows\system32\vssadmin.exe
        Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
        - Interacts with shadow copies

        Image: C:\Windows\SysWOW64\explorer.exe
        Command line: "C:\Windows\system32\explorer.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

            Image: C:\Windows\system32\vssadmin.exe
            Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
            - Interacts with shadow copies

Image: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Modifies service
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1008-1-0x0000000000160000-0x000000000017B000-memory.dmp (Filesize: 108KB)
memory/1176-5-0x0000000000000000-mapping.dmp
memory/1840-0-0x0000000000000000-mapping.dmp
memory/1840-4-0x0000000000230000-0x000000000024B000-memory.dmp (Filesize: 108KB)
memory/2004-2-0x0000000000000000-mapping.dmp
memory/2036-3-0x0000000000000000-mapping.dmp