netwalker | d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c

General

Target

d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe
Size

76KB
MD5

604e4eeb6966e6285d9cef769feca7ca
SHA1

0c21972f5299b944d808e7572249a97ad6312f0e
SHA256

d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c
SHA512

5d725b5f3384cb2adb8a673484cf4651ccf095a13e003a9fad6a3e913b9b49e23b5019c0417ca8c34d8824da970cfea1aee04a3e2a9b14d23e7a2cef38a2adf4

Score

10^/10

netwalker persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\39FD23-Readme.txt

Ransom Note

++++++++++++++++++++++++++++++++++++++++++++++NetWalker Ransomware++++++++++++++++++++++++++++++++++++++++ --- What happen ? --- Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion 39fd23. By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data. --- What guarantees? --- Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee. --- How to contact with us ? --- Email us: 1.kokbiglock@cock.li 2.koktiktok@tuta.io Be sure to include your personal code in the letter: {key_39fd23:EQAAADM5RkQyMy1SZWFkbWUudHh0IgAAAC5tYWlsdG9ba29rYm lnbG9ja0Bjb2NrLmxpXS4zOWZkMjNZqB4bTX8S5AlNHyRZ1Yg1 3FJzDKwRjBlSE6b0XgSFlfR3VBbvTJ8K4klof4FYMXbuBGKHQM u3DtBne6356tvOrWvXgpB4+NuvLt2jy9OXluehnBNBy2NUHlyh fkpRI2jzjQknKfnpc3Mboa3DzVjk}

Emails

1.kokbiglock@cock.li

2.koktiktok@tuta.io

Signatures

Detected Netwalker Ransomware 2 IoCs

Detected unpacked Netwalker executable.

Processes:

resource	yara_rule
behavioral2/memory/644-1-0x0000000001030000-0x0000000001047000-memory.dmp	netwalker_ransomware
behavioral2/memory/2588-2-0x0000000004B80000-0x0000000004B97000-memory.dmp	netwalker_ransomware

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
ransomware netwalker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\FindAssert.tiff	explorer.exe
File opened for modification	C:\Users\Admin\Pictures\MergeRequest.tiff	explorer.exe

Deletes itself 1 IoCs

Processes:

explorer.exe

pid process

2588 explorer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\39fd232111 = "C:\\Program Files (x86)\\39fd232111\\39fd232111.exe"	explorer.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe

description	pid	process	target process
PID 644 set thread context of 2588	644	d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe	explorer.exe

Drops file in Program Files directory 2 IoCs

Processes:

explorer.exe

description	ioc	process
File created	C:\Program Files (x86)\39fd232111\39fd232111.exe	explorer.exe
File opened for modification	C:\Program Files (x86)\39fd232111\39fd232111.exe	explorer.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

4652 vssadmin.exe
956 vssadmin.exe

pid	process
4652	vssadmin.exe
956	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 7382 IoCs

Processes:

explorer.exeexplorer.exe

pid	process
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
2588	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exeexplorer.exe

pid process

644 d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe
2588 explorer.exe

pid	process
644	d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe
2588	explorer.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

explorer.exeexplorer.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2588	explorer.exe
Token: SeImpersonatePrivilege	2588	explorer.exe
Token: SeDebugPrivilege	580	explorer.exe
Token: SeBackupPrivilege	4172	vssvc.exe
Token: SeRestorePrivilege	4172	vssvc.exe
Token: SeAuditPrivilege	4172	vssvc.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 644 wrote to memory of 2588	644	d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe	explorer.exe
PID 644 wrote to memory of 2588	644	d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe	explorer.exe
PID 644 wrote to memory of 2588	644	d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe	explorer.exe
PID 2588 wrote to memory of 580	2588	explorer.exe	explorer.exe
PID 2588 wrote to memory of 580	2588	explorer.exe	explorer.exe
PID 2588 wrote to memory of 580	2588	explorer.exe	explorer.exe
PID 580 wrote to memory of 4652	580	explorer.exe	vssadmin.exe
PID 580 wrote to memory of 4652	580	explorer.exe	vssadmin.exe
PID 2588 wrote to memory of 5052	2588	explorer.exe	notepad.exe
PID 2588 wrote to memory of 5052	2588	explorer.exe	notepad.exe
PID 2588 wrote to memory of 5052	2588	explorer.exe	notepad.exe
PID 2588 wrote to memory of 3632	2588	explorer.exe	notepad.exe
PID 2588 wrote to memory of 3632	2588	explorer.exe	notepad.exe
PID 2588 wrote to memory of 3632	2588	explorer.exe	notepad.exe
PID 2588 wrote to memory of 956	2588	explorer.exe	vssadmin.exe
PID 2588 wrote to memory of 956	2588	explorer.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe
"C:\Users\Admin\AppData\Local\Temp\d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
2⤵
- Modifies extensions of user files
- Deletes itself
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:4652

C:\Windows\SysWOW64\notepad.exe
C:\Windows\system32\notepad.exe C:\Users\Admin\Desktop\39FD23-Readme.txt
3⤵
PID:5052

C:\Windows\SysWOW64\notepad.exe
C:\Windows\system32\notepad.exe C:\Users\Admin\Desktop\39FD23-Readme.txt
3⤵
PID:3632

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:956

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:4172

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\39FD23-Readme.txt
MD5
143bec45c32565adb5386a5d3f8aa3bd

SHA1
45934a90b1fa251b4c9c69e2f6249d80ef3cfddd

SHA256
dc505467a49b26d32462cfacf7651ed0d3e97d55a61513657b2ff060df2d4bb9

SHA512
bcc2c32f4427c2779ac1bb49d32176cda8bfe3fd6ba0ef4907185376b4c63dfbe1bbc849ad1781106cd921c43bffe3c7ab05bf8118158e53818620c731dfa704

Download Submit
memory/580-3-0x0000000000000000-mapping.dmp

Download
memory/644-1-0x0000000001030000-0x0000000001047000-memory.dmp

Filesize
92KB

Download
memory/956-7-0x0000000000000000-mapping.dmp

Download
memory/2588-0-0x0000000000000000-mapping.dmp

Download
memory/2588-2-0x0000000004B80000-0x0000000004B97000-memory.dmp

Filesize
92KB

Download
memory/3632-6-0x0000000000000000-mapping.dmp

Download
memory/4652-4-0x0000000000000000-mapping.dmp

Download
memory/5052-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads