d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c

General
Target

d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c

Size

76KB

Sample

201109-x2verda51j

Score
10/10
MD5

604e4eeb6966e6285d9cef769feca7ca

SHA1

0c21972f5299b944d808e7572249a97ad6312f0e

SHA256

d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c

SHA512

5d725b5f3384cb2adb8a673484cf4651ccf095a13e003a9fad6a3e913b9b49e23b5019c0417ca8c34d8824da970cfea1aee04a3e2a9b14d23e7a2cef38a2adf4

Malware Config

Extracted

Path C:\77D077-Readme.txt
Ransom Note

++++++++++++++++++++++++++++++++++++++++++++++NetWalker Ransomware++++++++++++++++++++++++++++++++++++++++

--- What happen ? ---
Your files are encrypted, and currently unavailable.
You can check it: all files on your computer has expansion 77d077.
By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data.

--- What guarantees? ---
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee.

--- How to contact with us ? ---
Email us:
1.kokbiglock@cock.li
2.koktiktok@tuta.io
Be sure to include your personal code in the letter:
{key_77d077:EQAAADc3RDA3Ny1SZWFkbWUudHh0IgAAAC5tYWlsdG9ba29rYm
lnbG9ja0Bjb2NrLmxpXS43N2QwNzdZqB4bgLwo7vZgUzMqM4x+
8rhp1gZ2INkiP32PnALIZ1wg2VozxUQ1AgfhlT0ECy9jGAxWbT
C+0COeIT7YJI3+EISZmmDWTqeH9xtK5W3arfmBsZaT7OL9ZrPM
KL3YKCRy317BJ5fAogE8wV78pD7x}
Emails

1.kokbiglock@cock.li

2.koktiktok@tuta.io

Extracted

Path C:\Users\Admin\Downloads\39FD23-Readme.txt
Ransom Note

++++++++++++++++++++++++++++++++++++++++++++++NetWalker Ransomware++++++++++++++++++++++++++++++++++++++++

--- What happen ? ---
Your files are encrypted, and currently unavailable.
You can check it: all files on your computer has expansion 39fd23.
By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data.

--- What guarantees? ---
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee.

--- How to contact with us ? ---
Email us:
1.kokbiglock@cock.li
2.koktiktok@tuta.io
Be sure to include your personal code in the letter:
{key_39fd23:EQAAADM5RkQyMy1SZWFkbWUudHh0IgAAAC5tYWlsdG9ba29rYm
lnbG9ja0Bjb2NrLmxpXS4zOWZkMjNZqB4bTX8S5AlNHyRZ1Yg1
3FJzDKwRjBlSE6b0XgSFlfR3VBbvTJ8K4klof4FYMXbuBGKHQM
u3DtBne6356tvOrWvXgpB4+NuvLt2jy9OXluehnBNBy2NUHlyh
fkpRI2jzjQknKfnpc3Mboa3DzVjk}
Emails

1.kokbiglock@cock.li

2.koktiktok@tuta.io
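The "personal code" in each note is base64, and its leading bytes are readable: both blobs above start with a little-endian u32 length followed by the note filename, then a second u32 length followed by a ".mailto[<email>].<extension>" string, after which the data is opaque. The following is an added example (not part of this report or of the sandbox's own tooling) that decodes the two codes above and cross-checks them against the note path and the extension the note body claims. The two-field layout is inferred from these two samples only and is an assumption; nothing is claimed about the tail bytes, which are left untouched.

```python
"""Decode the NetWalker "personal code" from the two ransom notes above and
cross-check it against the rest of the extracted config.

Layout inferred from these two blobs only (assumption, not documented here):
    u32 LE length, ASCII note filename,
    u32 LE length, ASCII ".mailto[<email>].<extension>",
    then an opaque tail that is left untouched.
"""
import base64
import re
import struct

# (note path, excerpt of note body) copied from the two extracted configs above.
NOTES = [
    (r"C:\77D077-Readme.txt",
     "You can check it: all files on your computer has expansion 77d077.\n"
     "{key_77d077:EQAAADc3RDA3Ny1SZWFkbWUudHh0IgAAAC5tYWlsdG9ba29rYm\n"
     "lnbG9ja0Bjb2NrLmxpXS43N2QwNzdZqB4bgLwo7vZgUzMqM4x+\n"
     "8rhp1gZ2INkiP32PnALIZ1wg2VozxUQ1AgfhlT0ECy9jGAxWbT\n"
     "C+0COeIT7YJI3+EISZmmDWTqeH9xtK5W3arfmBsZaT7OL9ZrPM\n"
     "KL3YKCRy317BJ5fAogE8wV78pD7x}"),
    (r"C:\Users\Admin\Downloads\39FD23-Readme.txt",
     "You can check it: all files on your computer has expansion 39fd23.\n"
     "{key_39fd23:EQAAADM5RkQyMy1SZWFkbWUudHh0IgAAAC5tYWlsdG9ba29rYm\n"
     "lnbG9ja0Bjb2NrLmxpXS4zOWZkMjNZqB4bTX8S5AlNHyRZ1Yg1\n"
     "3FJzDKwRjBlSE6b0XgSFlfR3VBbvTJ8K4klof4FYMXbuBGKHQM\n"
     "u3DtBne6356tvOrWvXgpB4+NuvLt2jy9OXluehnBNBy2NUHlyh\n"
     "fkpRI2jzjQknKfnpc3Mboa3DzVjk}"),
]

TOKEN_RE = re.compile(r"\{key_([0-9a-f]{6}):([A-Za-z0-9+/=\s]+)\}")
MARKER_RE = re.compile(r"\.mailto\[([^\]]+)\]\.([0-9a-f]{6})")
EXPANSION_RE = re.compile(r"has expansion ([0-9a-f]{6})")


def _read_lpstr(raw: bytes, off: int) -> tuple[str, int]:
    """Read one u32-LE-length-prefixed ASCII string; refuse to run past the end."""
    if off + 4 > len(raw):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from("<I", raw, off)
    off += 4
    if n > len(raw) - off:
        raise ValueError(f"length {n} exceeds remaining {len(raw) - off} bytes")
    return raw[off:off + n].decode("ascii"), off + n


def parse_personal_code(token: str) -> dict:
    """Parse '{key_xxxxxx:<base64>}' into its labelled fields."""
    m = TOKEN_RE.fullmatch(token.strip())
    if not m:
        raise ValueError("not a NetWalker personal code token")
    # The base64 is wrapped at 50 columns in the note; whitespace is not data.
    raw = base64.b64decode("".join(m.group(2).split()), validate=True)
    note_name, off = _read_lpstr(raw, 0)
    marker, off = _read_lpstr(raw, off)
    mm = MARKER_RE.fullmatch(marker)
    if not mm:
        raise ValueError(f"unexpected marker string {marker!r}")
    return {
        "label_extension": m.group(1),   # the xxxxxx in key_xxxxxx
        "note_name": note_name,
        "marker": marker,
        "email": mm.group(1),
        "extension": mm.group(2),
        "opaque": raw[off:],             # not interpreted here
    }


def consistency_report(path: str, note_text: str) -> dict:
    """Decode the code in note_text and check it against the path and note body."""
    token = TOKEN_RE.search(note_text)
    if not token:
        raise ValueError("no personal code in note")
    info = parse_personal_code(token.group(0))
    stated = EXPANSION_RE.search(note_text)
    basename = path.rsplit("\\", 1)[-1]
    info["path_matches_embedded_name"] = basename == info["note_name"]
    info["stated_extension_matches"] = bool(stated) and (
        stated.group(1) == info["extension"] == info["label_extension"])
    info["opaque_len"] = len(info["opaque"])
    return info


def analyse_all() -> list[dict]:
    return [consistency_report(path, text) for path, text in NOTES]


if __name__ == "__main__":
    for r in analyse_all():
        print(r["note_name"], r["email"], r["extension"],
              r["path_matches_embedded_name"], r["stated_extension_matches"],
              r["opaque_len"], r["opaque"][:4].hex())
```

Both notes decode to a 17-byte filename and a 34-byte marker followed by 112 opaque bytes, the filename matches the path the sandbox recorded, and the extension in the marker matches both the `key_` label and the "has expansion" sentence. Only kokbiglock@cock.li is embedded in the blob; koktiktok@tuta.io appears in the note text alone. The first four opaque bytes are identical in the two samples; the report gives no basis for saying what they encode, so the code does not try.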

Targets
Target

d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c

MD5

604e4eeb6966e6285d9cef769feca7ca

Filesize

76KB

Score
10/10
SHA1

0c21972f5299b944d808e7572249a97ad6312f0e

SHA256

d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c

SHA512

5d725b5f3384cb2adb8a673484cf4651ccf095a13e003a9fad6a3e913b9b49e23b5019c0417ca8c34d8824da970cfea1aee04a3e2a9b14d23e7a2cef38a2adf4

Signatures

  • Detected Netwalker Ransomware

    Description

    Detected unpacked Netwalker executable.

  • Netwalker Ransomware

    Description

    Ransomware family with multiple versions. Also known as MailTo.

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery
  • Modifies extensions of user files

    Description

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself

  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
  • Modifies service

    TTPs

    Modify Registry, Modify Existing Service
  • Suspicious use of SetThreadContext

Tasks

static1 10/10

behavioral1 10/10

behavioral2 10/10