netwalker | d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c

General

Target

d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe
Size

76KB
MD5

604e4eeb6966e6285d9cef769feca7ca
SHA1

0c21972f5299b944d808e7572249a97ad6312f0e
SHA256

d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c
SHA512

5d725b5f3384cb2adb8a673484cf4651ccf095a13e003a9fad6a3e913b9b49e23b5019c0417ca8c34d8824da970cfea1aee04a3e2a9b14d23e7a2cef38a2adf4

Score

10^/10

netwalker persistence ransomware

Malware Config

Extracted

Path

C:\77D077-Readme.txt

Ransom Note

++++++++++++++++++++++++++++++++++++++++++++++NetWalker Ransomware++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 77d077. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokbiglock@cock.li 2.koktiktok@tuta.io Be sure to include your personal code in the letter: {key_77d077:EQAAADc3RDA3Ny1SZWFkbWUudHh0IgAAAC5tYWlsdG9ba29rYm lnbG9ja0Bjb2NrLmxpXS43N2QwNzdZqB4bgLwo7vZgUzMqM4x+ 8rhp1gZ2INkiP32PnALIZ1wg2VozxUQ1AgfhlT0ECy9jGAxWbT C+0COeIT7YJI3+EISZmmDWTqeH9xtK5W3arfmBsZaT7OL9ZrPM KL3YKCRy317BJ5fAogE8wV78pD7x}

Emails

1.kokbiglock@cock.li

2.koktiktok@tuta.io

Signatures

Detected Netwalker Ransomware 2 IoCs

Detected unpacked Netwalker executable.

Processes:

resource	yara_rule
behavioral1/memory/1744-1-0x00000000000E0000-0x00000000000F7000-memory.dmp	netwalker_ransomware
behavioral1/memory/1380-3-0x0000000000230000-0x0000000000247000-memory.dmp	netwalker_ransomware

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
ransomware netwalker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Deletes itself 1 IoCs

Processes:

explorer.exe

pid process

1380 explorer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\77d07759ad = "C:\\Program Files (x86)\\77d07759ad\\77d07759ad.exe"	explorer.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exeexplorer.exe

description	pid	process	target process
PID 1744 set thread context of 1380	1744	d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe	explorer.exe
PID 1380 set thread context of 1992	1380	explorer.exe	explorer.exe

Drops file in Program Files directory 2 IoCs

Processes:

explorer.exe

description	ioc	process
File created	C:\Program Files (x86)\77d07759ad\77d07759ad.exe	explorer.exe
File opened for modification	C:\Program Files (x86)\77d07759ad\77d07759ad.exe	explorer.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2224 vssadmin.exe
2156 vssadmin.exe

pid	process
2224	vssadmin.exe
2156	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 330 IoCs

Processes:

explorer.exeexplorer.exe

pid	process
1380	explorer.exe
1380	explorer.exe
1380	explorer.exe
1380	explorer.exe
1380	explorer.exe
1380	explorer.exe
1380	explorer.exe
1380	explorer.exe
1380	explorer.exe
1380	explorer.exe
1380	explorer.exe
1380	explorer.exe
1380	explorer.exe
1380	explorer.exe
1380	explorer.exe
1380	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exeexplorer.exe

pid process

1744 d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe
1380 explorer.exe

pid	process
1744	d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe
1380	explorer.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

explorer.exeexplorer.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1380	explorer.exe
Token: SeImpersonatePrivilege	1380	explorer.exe
Token: SeDebugPrivilege	1992	explorer.exe
Token: SeBackupPrivilege	2560	vssvc.exe
Token: SeRestorePrivilege	2560	vssvc.exe
Token: SeAuditPrivilege	2560	vssvc.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 1744 wrote to memory of 1380	1744	d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe	explorer.exe
PID 1744 wrote to memory of 1380	1744	d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe	explorer.exe
PID 1744 wrote to memory of 1380	1744	d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe	explorer.exe
PID 1744 wrote to memory of 1380	1744	d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe	explorer.exe
PID 1380 wrote to memory of 1992	1380	explorer.exe	explorer.exe
PID 1380 wrote to memory of 1992	1380	explorer.exe	explorer.exe
PID 1380 wrote to memory of 1992	1380	explorer.exe	explorer.exe
PID 1380 wrote to memory of 1992	1380	explorer.exe	explorer.exe
PID 1992 wrote to memory of 2224	1992	explorer.exe	vssadmin.exe
PID 1992 wrote to memory of 2224	1992	explorer.exe	vssadmin.exe
PID 1992 wrote to memory of 2224	1992	explorer.exe	vssadmin.exe
PID 1992 wrote to memory of 2224	1992	explorer.exe	vssadmin.exe
PID 1380 wrote to memory of 2104	1380	explorer.exe	notepad.exe
PID 1380 wrote to memory of 2104	1380	explorer.exe	notepad.exe
PID 1380 wrote to memory of 2104	1380	explorer.exe	notepad.exe
PID 1380 wrote to memory of 2104	1380	explorer.exe	notepad.exe
PID 1380 wrote to memory of 2120	1380	explorer.exe	notepad.exe
PID 1380 wrote to memory of 2120	1380	explorer.exe	notepad.exe
PID 1380 wrote to memory of 2120	1380	explorer.exe	notepad.exe
PID 1380 wrote to memory of 2120	1380	explorer.exe	notepad.exe
PID 1380 wrote to memory of 2156	1380	explorer.exe	vssadmin.exe
PID 1380 wrote to memory of 2156	1380	explorer.exe	vssadmin.exe
PID 1380 wrote to memory of 2156	1380	explorer.exe	vssadmin.exe
PID 1380 wrote to memory of 2156	1380	explorer.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe
"C:\Users\Admin\AppData\Local\Temp\d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
2⤵
- Deletes itself
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:2224

C:\Windows\SysWOW64\notepad.exe
C:\Windows\system32\notepad.exe C:\Users\Admin\Desktop\77D077-Readme.txt
3⤵
PID:2104

C:\Windows\SysWOW64\notepad.exe
C:\Windows\system32\notepad.exe C:\Users\Admin\Desktop\77D077-Readme.txt
3⤵
PID:2120

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2156

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:2560

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\77D077-Readme.txt
MD5
3571fed2ae670dac51a892d2749607f1

SHA1
bff99eeae370885bb193f0017a2b514ec44def27

SHA256
ff958be10f9868aed29a77492ec0b14d37bd446c4de8349f40e81479b1438e09

SHA512
b238d4966f614bcf78175cd5f895da7f6cf0b4a610fb58a06b3f2b087537709b058df7591c46562fa73ceb8776cbf65908da61972d3f2164803da2f6fb783eb3

Download Submit
C:\Users\Admin\Desktop\77D077-Readme.txt
MD5
3571fed2ae670dac51a892d2749607f1

SHA1
bff99eeae370885bb193f0017a2b514ec44def27

SHA256
ff958be10f9868aed29a77492ec0b14d37bd446c4de8349f40e81479b1438e09

SHA512
b238d4966f614bcf78175cd5f895da7f6cf0b4a610fb58a06b3f2b087537709b058df7591c46562fa73ceb8776cbf65908da61972d3f2164803da2f6fb783eb3

Download Submit
memory/1380-0-0x0000000000000000-mapping.dmp

Download
memory/1380-3-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/1744-1-0x00000000000E0000-0x00000000000F7000-memory.dmp

Filesize
92KB

Download
memory/1992-2-0x0000000000000000-mapping.dmp

Download
memory/2104-5-0x0000000000000000-mapping.dmp

Download
memory/2120-7-0x0000000000000000-mapping.dmp

Download
memory/2156-10-0x0000000000000000-mapping.dmp

Download
memory/2224-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads