Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
09-11-2020 20:17
Static task
static1
Behavioral task
behavioral1
Sample
3b3b9a18d9b9073e9bc94a6e5367d42a2c248274daa70856e3dc4935106e4218.bin.dll
Resource
win7v20201028
Behavioral task
behavioral2
Sample
3b3b9a18d9b9073e9bc94a6e5367d42a2c248274daa70856e3dc4935106e4218.bin.dll
Resource
win10v20201028
General
-
Target
3b3b9a18d9b9073e9bc94a6e5367d42a2c248274daa70856e3dc4935106e4218.bin.dll
-
Size
57KB
-
MD5
961942a472c2dd70b64f33cbf2244c89
-
SHA1
c7f458f74a063d8dd634f851037b5ba926faa556
-
SHA256
3b3b9a18d9b9073e9bc94a6e5367d42a2c248274daa70856e3dc4935106e4218
-
SHA512
fc90d1c67d540f0d975fbc984ce48786504db50331576e6edaf52b168a5bdf3938e69d4ae151a10ba7618ac8550614e2ea0736c19576d4a15fedc50b70261e84
Malware Config
Extracted
C:\odt\7FF6F3-Readme.txt
netwalker
http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted
C:\7FF6F3-Readme.txt
netwalker
http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted
C:\ProgramData\Microsoft\Network\Downloader\7FF6F3-Readme.txt
netwalker
http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\7FF6F3-Readme.txt
netwalker
http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\7FF6F3-Readme.txt
netwalker
http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
-
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
-
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
rundll32.exedescription ioc process File renamed C:\Users\Admin\Pictures\UnpublishExpand.crw => C:\Users\Admin\Pictures\UnpublishExpand.crw.7ff6f3 rundll32.exe File renamed C:\Users\Admin\Pictures\SkipResume.png => C:\Users\Admin\Pictures\SkipResume.png.7ff6f3 rundll32.exe File renamed C:\Users\Admin\Pictures\DisableCheckpoint.raw => C:\Users\Admin\Pictures\DisableCheckpoint.raw.7ff6f3 rundll32.exe File renamed C:\Users\Admin\Pictures\FormatWait.png => C:\Users\Admin\Pictures\FormatWait.png.7ff6f3 rundll32.exe File renamed C:\Users\Admin\Pictures\OptimizeOut.crw => C:\Users\Admin\Pictures\OptimizeOut.crw.7ff6f3 rundll32.exe File renamed C:\Users\Admin\Pictures\CompleteRegister.crw => C:\Users\Admin\Pictures\CompleteRegister.crw.7ff6f3 rundll32.exe File renamed C:\Users\Admin\Pictures\HideCompare.tif => C:\Users\Admin\Pictures\HideCompare.tif.7ff6f3 rundll32.exe File renamed C:\Users\Admin\Pictures\CompareEnter.raw => C:\Users\Admin\Pictures\CompareEnter.raw.7ff6f3 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 17189 IoCs
Processes:
rundll32.exedescription ioc process File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-oob.xrm-ms rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluEmptyFolder_160.svg rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\tr_get.svg rundll32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_PigNose.png rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_FR-FR.respack rundll32.exe File created C:\Program Files\Microsoft Office\root\Licenses\7FF6F3-Readme.txt rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-left-pressed.gif rundll32.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.15.2003.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNotePageSmallTile.scale-125.png rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-256.png rundll32.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_zh_CN.jar rundll32.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.el_2.2.0.v201303151357.jar rundll32.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\SmallTile.scale-200.png rundll32.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\vlc.mo rundll32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\css\7FF6F3-Readme.txt rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon_hover_2x.png rundll32.exe File opened for modification C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\Maple.gif rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorMedTile.scale-125.png rundll32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-il\7FF6F3-Readme.txt rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookMedTile.scale-125.png rundll32.exe File created C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\7FF6F3-Readme.txt rundll32.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html rundll32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-oob.xrm-ms rundll32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sk-sk\7FF6F3-Readme.txt rundll32.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF rundll32.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALN.TTF rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\TryAgain\TryAgain-press.png rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sl-si\ui-strings.js rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7260_20x20x32.png rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_contrast-black.png rundll32.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailLargeTile.scale-200.png rundll32.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-30_altform-unplated.png rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\ui-strings.js rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\eu-es\ui-strings.js rundll32.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Gallery.thmx rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionLargeTile.scale-100.png rundll32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-fr\7FF6F3-Readme.txt rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.ViewerPlugin\JpegSurface\JpegControl.xaml rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ja-jp\ui-strings.js rundll32.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare.HxS rundll32.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa rundll32.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6449_32x32x32.png rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-150_8wekyb3d8bbwe\AppxBlockMap.xml rundll32.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\management\7FF6F3-Readme.txt rundll32.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-nodes_ja.jar rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\plugin-selectors.css rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\ui-strings.js rundll32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\find-text.png rundll32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-oob.xrm-ms rundll32.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\org-openide-modules.jar rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\OneConnectSplashScreen.scale-100.png rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-96_altform-unplated_contrast-high.png rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\FreeCell\Tips_3.jpg rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-30_altform-unplated.png rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_targetsize-40.png rundll32.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\MedTile.scale-125.png rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7d2.png rundll32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSplashLogo.scale-125.png rundll32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms rundll32.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-72.png rundll32.exe -
Suspicious behavior: EnumeratesProcesses 3070 IoCs
Processes:
rundll32.exepid process 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe 1316 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
rundll32.exedescription pid process Token: SeDebugPrivilege 1316 rundll32.exe Token: SeImpersonatePrivilege 1316 rundll32.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1148 wrote to memory of 1316 1148 rundll32.exe rundll32.exe PID 1148 wrote to memory of 1316 1148 rundll32.exe rundll32.exe PID 1148 wrote to memory of 1316 1148 rundll32.exe rundll32.exe PID 1316 wrote to memory of 2440 1316 rundll32.exe notepad.exe PID 1316 wrote to memory of 2440 1316 rundll32.exe notepad.exe PID 1316 wrote to memory of 2440 1316 rundll32.exe notepad.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\3b3b9a18d9b9073e9bc94a6e5367d42a2c248274daa70856e3dc4935106e4218.bin.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\3b3b9a18d9b9073e9bc94a6e5367d42a2c248274daa70856e3dc4935106e4218.bin.dll,#12⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\7FF6F3-Readme.txt"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\7FF6F3-Readme.txtMD5
30b7e033c15b50e32216baf8dacdbb87
SHA1d8ad9b11cfb04f51f59fb67c1d96b02c4170e29e
SHA256740cbda8cfd8aa2027bd2618f81fa994970d4dfaa8c5583ae44d15f938fdeef3
SHA512a30cb75bedfef3d01bcb4417c2e23d33a3085754cdd0f62576bc2926a642cf5fd989c4ceec8433c34d147e0acfc39cd2d716a57228356e35b7e7f16efe918442
-
memory/1316-0-0x0000000000000000-mapping.dmp
-
memory/2440-8-0x0000000000000000-mapping.dmp