Analysis
- max time kernel: 140s
- max time network: 147s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 20:17

Static task: static1

Behavioral task: behavioral1
- Sample: d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe
- Resource: win10v20201028
General
- Target: d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe
- Size: 76KB
- MD5: 604e4eeb6966e6285d9cef769feca7ca
- SHA1: 0c21972f5299b944d808e7572249a97ad6312f0e
- SHA256: d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c
- SHA512: 5d725b5f3384cb2adb8a673484cf4651ccf095a13e003a9fad6a3e913b9b49e23b5019c0417ca8c34d8824da970cfea1aee04a3e2a9b14d23e7a2cef38a2adf4
Malware Config
Extracted from: C:\Users\Admin\Downloads\39FD23-Readme.txt
- 1. kokbiglock@cock.li
- 2. koktiktok@tuta.io
Signatures

- Detected Netwalker Ransomware (2 IoCs)
  Detected unpacked Netwalker executable.
  Processes:
    resource | yara_rule
    behavioral2/memory/644-1-0x0000000001030000-0x0000000001047000-memory.dmp | netwalker_ransomware
    behavioral2/memory/2588-2-0x0000000004B80000-0x0000000004B97000-memory.dmp | netwalker_ransomware

- Netwalker Ransomware
  Ransomware family with multiple versions. Also known as MailTo.

- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
    description | ioc | process
    File opened for modification | C:\Users\Admin\Pictures\FindAssert.tiff | explorer.exe
    File opened for modification | C:\Users\Admin\Pictures\MergeRequest.tiff | explorer.exe

- Deletes itself (1 IoCs)
  Processes:
    pid | process
    2588 | explorer.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\39fd232111 = "C:\\Program Files (x86)\\39fd232111\\39fd232111.exe" | explorer.exe

- Modifies service (2 TTPs, 5 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe

- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description | pid | process | target process
    PID 644 set thread context of 2588 | 644 | d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe | explorer.exe

- Drops file in Program Files directory (2 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Program Files (x86)\39fd232111\39fd232111.exe | explorer.exe
    File opened for modification | C:\Program Files (x86)\39fd232111\39fd232111.exe | explorer.exe

- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid | process
    4652 | vssadmin.exe
    956 | vssadmin.exe

- Suspicious behavior: EnumeratesProcesses (7382 IoCs)
  Processes:
    pid | process
    2588 | explorer.exe
    580 | explorer.exe

- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
    pid | process
    644 | d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe
    2588 | explorer.exe

- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 2588 | explorer.exe
    Token: SeImpersonatePrivilege | 2588 | explorer.exe
    Token: SeDebugPrivilege | 580 | explorer.exe
    Token: SeBackupPrivilege | 4172 | vssvc.exe
    Token: SeRestorePrivilege | 4172 | vssvc.exe
    Token: SeAuditPrivilege | 4172 | vssvc.exe

- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
    description | pid | process | target process
    PID 644 wrote to memory of 2588 | 644 | d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe | explorer.exe
    PID 644 wrote to memory of 2588 | 644 | d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe | explorer.exe
    PID 644 wrote to memory of 2588 | 644 | d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe | explorer.exe
    PID 2588 wrote to memory of 580 | 2588 | explorer.exe | explorer.exe
    PID 2588 wrote to memory of 580 | 2588 | explorer.exe | explorer.exe
    PID 2588 wrote to memory of 580 | 2588 | explorer.exe | explorer.exe
    PID 580 wrote to memory of 4652 | 580 | explorer.exe | vssadmin.exe
    PID 580 wrote to memory of 4652 | 580 | explorer.exe | vssadmin.exe
    PID 2588 wrote to memory of 5052 | 2588 | explorer.exe | notepad.exe
    PID 2588 wrote to memory of 5052 | 2588 | explorer.exe | notepad.exe
    PID 2588 wrote to memory of 5052 | 2588 | explorer.exe | notepad.exe
    PID 2588 wrote to memory of 3632 | 2588 | explorer.exe | notepad.exe
    PID 2588 wrote to memory of 3632 | 2588 | explorer.exe | notepad.exe
    PID 2588 wrote to memory of 3632 | 2588 | explorer.exe | notepad.exe
    PID 2588 wrote to memory of 956 | 2588 | explorer.exe | vssadmin.exe
    PID 2588 wrote to memory of 956 | 2588 | explorer.exe | vssadmin.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d5c106719e9c8878795899bede78505796659b1b347fe9374d8b2061fcc6a84c.exe"
  Signatures:
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\explorer.exe
    Command line: "C:\Windows\system32\explorer.exe"
    Signatures:
      - Modifies extensions of user files
      - Deletes itself
      - Adds Run key to start application
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe
      Command line: "C:\Windows\system32\explorer.exe"
      Signatures:
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\vssadmin.exe
        Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
        Signatures:
          - Interacts with shadow copies
    - C:\Windows\SysWOW64\notepad.exe
      Command line: C:\Windows\system32\notepad.exe C:\Users\Admin\Desktop\39FD23-Readme.txt
    - C:\Windows\SysWOW64\notepad.exe
      Command line: C:\Windows\system32\notepad.exe C:\Users\Admin\Desktop\39FD23-Readme.txt
    - C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      Signatures:
        - Interacts with shadow copies

- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
    - Modifies service
    - Suspicious use of AdjustPrivilegeToken
Downloads

- C:\Users\Admin\Desktop\39FD23-Readme.txt
  MD5: 143bec45c32565adb5386a5d3f8aa3bd
  SHA1: 45934a90b1fa251b4c9c69e2f6249d80ef3cfddd
  SHA256: dc505467a49b26d32462cfacf7651ed0d3e97d55a61513657b2ff060df2d4bb9
  SHA512: bcc2c32f4427c2779ac1bb49d32176cda8bfe3fd6ba0ef4907185376b4c63dfbe1bbc849ad1781106cd921c43bffe3c7ab05bf8118158e53818620c731dfa704
- memory/580-3-0x0000000000000000-mapping.dmp
- memory/644-1-0x0000000001030000-0x0000000001047000-memory.dmp
  Filesize: 92KB
- memory/956-7-0x0000000000000000-mapping.dmp
- memory/2588-0-0x0000000000000000-mapping.dmp
- memory/2588-2-0x0000000004B80000-0x0000000004B97000-memory.dmp
  Filesize: 92KB
- memory/3632-6-0x0000000000000000-mapping.dmp
- memory/4652-4-0x0000000000000000-mapping.dmp
- memory/5052-5-0x0000000000000000-mapping.dmp