209779474d4b8e7246245092e7d094ce5730c5c1d36bc03d9b8120f211dc3ebe

General
Target

209779474d4b8e7246245092e7d094ce5730c5c1d36bc03d9b8120f211dc3ebe

Size

94KB

Sample

201109-rmpqsb5nkx

Score
10 /10
MD5

69f1172b3f31746992b86467578d5ab2

SHA1

f24491dc99ad02f0d1c502b312df0b51670db738

SHA256

209779474d4b8e7246245092e7d094ce5730c5c1d36bc03d9b8120f211dc3ebe

SHA512

a893f5d07f3db175eec9441197b499ce856a089386a2d95f0dd4cd37734e060f9216125425f229841e8a8c825dddc2c26e82ccd41d802d7f55dbf0ea321b7c46

Malware Config

Extracted

Path C:\DC9F2-Readme.txt
Family netwalker
Ransom Note
Hi! Your files are encrypted. All encrypted files for this computer has extension: .dc9f2 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_d4d5fe82_dc9f2: iocEXFd0eVvu+0dt9h/64qqHfXRhfipyd3MU+svlV3IGrA+5EJ 4HBdr2G6L3eftvfrRBg60iCj5K9aY9+pi22x6z/wVon5UAgv7V 1FjhImKfEhM+FHRPkDJ4kXOcwhJi7Jckon6ewFsAKqr6+tRjkt 9C7jzH9hMpobbydTcGGDnv9TFCZXIY6ECP7XmGoofelfAmwNWz hMdNM5nkGwS8BiJj+6ttt42BP7KEzcD2JoT3Dm3zXj8wemWsfR Bv8DamAMwD3UhAIye/npsSlacQDuWqZmo=}
Emails

sevenoneone@cock.li

kavariusing@tutanota.com

Extracted

Path C:\Program Files (x86)\Microsoft Office\Templates\1033\DC9F2-Readme.txt
Family netwalker
Ransom Note
Hi! Your files are encrypted. All encrypted files for this computer has extension: .dc9f2 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_d4d5fe82_dc9f2: iocEXFd0eVvu+0dt9h/64qqHfXRhfipyd3MU+svlV3IGrA+5EJ 4HBdr2G6L3eftvfrRBg60iCj5K9aY9+pi22x6z/wVon5UAgv7V 1FjhImKfEhM+FHRPkDJ4kXOcwhJi7Jckon6ewFsAKqr6+tRjkt 9C7jzH9hMpobbydTcGGDnv9TFCZXIY6ECP7XmGoofelfAmwNWz hMdNM5nkGwS8BiJj+6ttt42BP7KEzcD2JoT3Dm3zXj8wemWsfR Bv8DamAMwD3UhAIye/npsSlacQDuWqZmo=}Hi! Your files are encrypted. All encrypted files for this computer has extension: .dc9f2 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_d4d5fe82_dc9f2: iocEXFd0eVvu+0dt9h/64qqHfXRhfipyd3MU+svlV3IGrA+5EJ 4HBdr2G6L3eftvfrRBg60iCj5K9aY9+pi22x6z/wVon5UAgv7V 1FjhImKfEhM+FHRPkDJ4kXOcwhJi7Jckon6ewFsAKqr6+tRjkt 9C7jzH9hMpobbydTcGGDnv9TFCZXIY6ECP7XmGoofelfAmwNWz hMdNM5nkGwS8BiJj+6ttt42BP7KEzcD2JoT3Dm3zXj8wemWsfR Bv8DamAMwD3UhAIye/npsSlacQDuWqZmo=}
Emails

sevenoneone@cock.li

kavariusing@tutanota.com

Extracted

Path C:\Users\Public\Libraries\CBC76-Readme.txt
Family netwalker
Ransom Note
Hi! Your files are encrypted. All encrypted files for this computer has extension: .cbc76 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_d4d5fe82_cbc76: YHuSxON0Sn18R5rLUQIvfGqq28BzNlqwLUOR8cvq1mb2VxMdMp eFs/ECq1rXhJ24oa+jjEjLuvPOLBejsve7nATWDZORQT45gv7V 1FuC0v4g7w/XKhUeUTmEG2vYIzwnT3RrgiRdNhMC9fFg43DU8/ ySqopWEmVEkHCWbH2v81+c8HG3iCmKwu5oYji+x28sMiqZ54br LHatEJrHH+bl5pHMLsxHUqO2EYxsJumzxQeueNVR2BDWP/s/Lm TPdiUrhB/T4efKVWsPyv4UBT4zmFtIylw=}
Emails

sevenoneone@cock.li

kavariusing@tutanota.com

Extracted

Path C:\Users\Admin\Music\CBC76-Readme.txt
Family netwalker
Ransom Note
Hi! Your files are encrypted. All encrypted files for this computer has extension: .cbc76 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_d4d5fe82_cbc76: YHuSxON0Sn18R5rLUQIvfGqq28BzNlqwLUOR8cvq1mb2VxMdMp eFs/ECq1rXhJ24oa+jjEjLuvPOLBejsve7nATWDZORQT45gv7V 1FuC0v4g7w/XKhUeUTmEG2vYIzwnT3RrgiRdNhMC9fFg43DU8/ ySqopWEmVEkHCWbH2v81+c8HG3iCmKwu5oYji+x28sMiqZ54br LHatEJrHH+bl5pHMLsxHUqO2EYxsJumzxQeueNVR2BDWP/s/Lm TPdiUrhB/T4efKVWsPyv4UBT4zmFtIylw=}Hi! Your files are encrypted. All encrypted files for this computer has extension: .cbc76 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Сontact us: 1.sevenoneone@cock.li 2.kavariusing@tutanota.com Don't forget to include your code in the email: {code_d4d5fe82_cbc76: YHuSxON0Sn18R5rLUQIvfGqq28BzNlqwLUOR8cvq1mb2VxMdMp eFs/ECq1rXhJ24oa+jjEjLuvPOLBejsve7nATWDZORQT45gv7V 1FuC0v4g7w/XKhUeUTmEG2vYIzwnT3RrgiRdNhMC9fFg43DU8/ ySqopWEmVEkHCWbH2v81+c8HG3iCmKwu5oYji+x28sMiqZ54br LHatEJrHH+bl5pHMLsxHUqO2EYxsJumzxQeueNVR2BDWP/s/Lm TPdiUrhB/T4efKVWsPyv4UBT4zmFtIylw=}
Emails

sevenoneone@cock.li

kavariusing@tutanota.com

Targets
Target

209779474d4b8e7246245092e7d094ce5730c5c1d36bc03d9b8120f211dc3ebe

MD5

69f1172b3f31746992b86467578d5ab2

Filesize

94KB

Score
10/10
SHA1

f24491dc99ad02f0d1c502b312df0b51670db738

SHA256

209779474d4b8e7246245092e7d094ce5730c5c1d36bc03d9b8120f211dc3ebe

SHA512

a893f5d07f3db175eec9441197b499ce856a089386a2d95f0dd4cd37734e060f9216125425f229841e8a8c825dddc2c26e82ccd41d802d7f55dbf0ea321b7c46

Tags

Signatures

  • Detected Netwalker Ransomware

    Description

    Detected unpacked Netwalker executable.

  • Netwalker Ransomware

    Description

    Ransomware family with multiple versions. Also known as MailTo.

    Tags

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File DeletionInhibit System Recovery
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

  • Deletes itself

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry
  • Modifies service

    Tags

    TTPs

    Modify RegistryModify Existing Service
  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Discovery
      Execution
        Exfiltration
          Initial Access
            Lateral Movement
              Privilege Escalation
                Tasks