Analysis

max time kernel: 15s
max time network: 18s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 20:17
Static task: static1

Behavioral task: behavioral1
  Sample: d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe
  Resource: win10v20201028
General

Target: d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe
Size: 76KB
MD5: 604e4eeb6966e6285d9cef769feca7ca
SHA1: 0c21972f5299b944d808e7572249a97ad6312f0e
SHA256: d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c
SHA512: 5d725b5f3384cb2adb8a673484cf4651ccf095a13e003a9fad6a3e913b9b49e23b5019c0417ca8c34d8824da970cfea1aee04a3e2a9b14d23e7a2cef38a2adf4
Malware Config

Extracted from: C:\77D077-Readme.txt
Contact emails:
  1. kokbiglock@cock.li
  2. koktiktok@tuta.io
Signatures

Detected Netwalker Ransomware (2 IoCs)
Detected unpacked Netwalker executable.
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1744-1-0x00000000000E0000-0x00000000000F7000-memory.dmp    netwalker_ransomware
  behavioral1/memory/1380-3-0x0000000000230000-0x0000000000247000-memory.dmp    netwalker_ransomware
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Deletes itself (1 IoCs)
Processes:
  pid    process
  1380   explorer.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description        ioc                                                                                                                                  process
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\77d07759ad = "C:\\Program Files (x86)\\77d07759ad\\77d07759ad.exe"    explorer.exe
Modifies service (2 TTPs, 5 IoCs)
Processes:
  description    ioc                                                                                                                  process
  Key created    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}    vssvc.exe
  Key created    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer                                      vssvc.exe
  Key created    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                                             vssvc.exe
  Key created    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer                        vssvc.exe
  Key created    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                                        vssvc.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description                              pid     process                                                                    target process
  PID 1744 set thread context of 1380      1744    d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe    explorer.exe
  PID 1380 set thread context of 1992      1380    explorer.exe                                                               explorer.exe
Drops file in Program Files directory (2 IoCs)
Processes:
  description                      ioc                                                    process
  File created                     C:\Program Files (x86)\77d07759ad\77d07759ad.exe       explorer.exe
  File opened for modification     C:\Program Files (x86)\77d07759ad\77d07759ad.exe       explorer.exe
Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid     process
  2224    vssadmin.exe
  2156    vssadmin.exe
Suspicious behavior: EnumeratesProcesses (330 IoCs)
Processes:
explorer.exeexplorer.exepid process 1380 explorer.exe 1380 explorer.exe 1380 explorer.exe 1380 explorer.exe 1380 explorer.exe 1380 explorer.exe 1380 explorer.exe 1380 explorer.exe 1380 explorer.exe 1380 explorer.exe 1380 explorer.exe 1380 explorer.exe 1380 explorer.exe 1380 explorer.exe 1380 explorer.exe 1380 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe -
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
  pid     process
  1744    d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe
  1380    explorer.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
  description                     pid     process
  Token: SeDebugPrivilege         1380    explorer.exe
  Token: SeImpersonatePrivilege   1380    explorer.exe
  Token: SeDebugPrivilege         1992    explorer.exe
  Token: SeBackupPrivilege        2560    vssvc.exe
  Token: SeRestorePrivilege       2560    vssvc.exe
  Token: SeAuditPrivilege         2560    vssvc.exe
Suspicious use of WriteProcessMemory (24 IoCs)
Processes:
  description                          pid     process                                                                    target process
  PID 1744 wrote to memory of 1380     1744    d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe    explorer.exe
  PID 1744 wrote to memory of 1380     1744    d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe    explorer.exe
  PID 1744 wrote to memory of 1380     1744    d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe    explorer.exe
  PID 1744 wrote to memory of 1380     1744    d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe    explorer.exe
  PID 1380 wrote to memory of 1992     1380    explorer.exe                                                               explorer.exe
  PID 1380 wrote to memory of 1992     1380    explorer.exe                                                               explorer.exe
  PID 1380 wrote to memory of 1992     1380    explorer.exe                                                               explorer.exe
  PID 1380 wrote to memory of 1992     1380    explorer.exe                                                               explorer.exe
  PID 1992 wrote to memory of 2224     1992    explorer.exe                                                               vssadmin.exe
  PID 1992 wrote to memory of 2224     1992    explorer.exe                                                               vssadmin.exe
  PID 1992 wrote to memory of 2224     1992    explorer.exe                                                               vssadmin.exe
  PID 1992 wrote to memory of 2224     1992    explorer.exe                                                               vssadmin.exe
  PID 1380 wrote to memory of 2104     1380    explorer.exe                                                               notepad.exe
  PID 1380 wrote to memory of 2104     1380    explorer.exe                                                               notepad.exe
  PID 1380 wrote to memory of 2104     1380    explorer.exe                                                               notepad.exe
  PID 1380 wrote to memory of 2104     1380    explorer.exe                                                               notepad.exe
  PID 1380 wrote to memory of 2120     1380    explorer.exe                                                               notepad.exe
  PID 1380 wrote to memory of 2120     1380    explorer.exe                                                               notepad.exe
  PID 1380 wrote to memory of 2120     1380    explorer.exe                                                               notepad.exe
  PID 1380 wrote to memory of 2120     1380    explorer.exe                                                               notepad.exe
  PID 1380 wrote to memory of 2156     1380    explorer.exe                                                               vssadmin.exe
  PID 1380 wrote to memory of 2156     1380    explorer.exe                                                               vssadmin.exe
  PID 1380 wrote to memory of 2156     1380    explorer.exe                                                               vssadmin.exe
  PID 1380 wrote to memory of 2156     1380    explorer.exe                                                               vssadmin.exe
Processes

(Indentation shows the parent/child relationship; the number in brackets is the depth in the process tree.)

[1] C:\Users\Admin\AppData\Local\Temp\d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\explorer.exe
        Command line: "C:\Windows\system32\explorer.exe"
        - Deletes itself
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\explorer.exe
            Command line: "C:\Windows\system32\explorer.exe"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\vssadmin.exe
                Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
                - Interacts with shadow copies

        [3] C:\Windows\SysWOW64\notepad.exe
            Command line: C:\Windows\system32\notepad.exe C:\Users\Admin\Desktop\77D077-Readme.txt

        [3] C:\Windows\SysWOW64\notepad.exe
            Command line: C:\Windows\system32\notepad.exe C:\Users\Admin\Desktop\77D077-Readme.txt

        [3] C:\Windows\system32\vssadmin.exe
            Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
            - Interacts with shadow copies

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Modifies service
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\Desktop\77D077-Readme.txt
  MD5: 3571fed2ae670dac51a892d2749607f1
  SHA1: bff99eeae370885bb193f0017a2b514ec44def27
  SHA256: ff958be10f9868aed29a77492ec0b14d37bd446c4de8349f40e81479b1438e09
  SHA512: b238d4966f614bcf78175cd5f895da7f6cf0b4a610fb58a06b3f2b087537709b058df7591c46562fa73ceb8776cbf65908da61972d3f2164803da2f6fb783eb3
memory/1380-0-0x0000000000000000-mapping.dmp

memory/1380-3-0x0000000000230000-0x0000000000247000-memory.dmp
  Filesize: 92KB

memory/1744-1-0x00000000000E0000-0x00000000000F7000-memory.dmp
  Filesize: 92KB

memory/1992-2-0x0000000000000000-mapping.dmp

memory/2104-5-0x0000000000000000-mapping.dmp

memory/2120-7-0x0000000000000000-mapping.dmp

memory/2156-10-0x0000000000000000-mapping.dmp

memory/2224-4-0x0000000000000000-mapping.dmp