Analysis
- max time kernel: 155s
- max time network: 154s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 20:17
- Static task: static1
- Behavioral task: behavioral1
  Sample: e01691e3b7d9d1c6de7e0ef902bf609543cdf084e600fd0a3833deaa501464ee.exe
  Resource: win7v20201028
- Behavioral task: behavioral2
  Sample: e01691e3b7d9d1c6de7e0ef902bf609543cdf084e600fd0a3833deaa501464ee.exe
  Resource: win10v20201028

General
- Target: e01691e3b7d9d1c6de7e0ef902bf609543cdf084e600fd0a3833deaa501464ee.exe
- Size: 92KB
- MD5: 9061d0acb0f5df1844e1c8ba5e2e9078
- SHA1: d608f3c2962dc3d2d5e14e9e9a4f2405452255c7
- SHA256: e01691e3b7d9d1c6de7e0ef902bf609543cdf084e600fd0a3833deaa501464ee
- SHA512: 4ce3f1a46029a2c1822b0e087bce2c372195bfcc4040c06a4f22464cfada00c20e41e9430d62a53ee1fb1542a90a310e0d6b672c5ba4224cb1cc0ffbdb24e7c5
Malware Config
Extracted
- Path: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\5DEA0-Readme.txt
  Family: netwalker
  Emails: sevenoneone@cock.li, kavariusing@tutanota.com
- Path: C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\5DEA0-Readme.txt
  Family: netwalker
  Emails: sevenoneone@cock.li, kavariusing@tutanota.com
- Path: C:\Program Files\Java\jdk1.7.0_80\jre\lib\5DEA0-Readme.txt
  Family: netwalker
  Emails: sevenoneone@cock.li, kavariusing@tutanota.com
- Path: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\5DEA0-Readme.txt
  Family: netwalker
  Emails: sevenoneone@cock.li, kavariusing@tutanota.com
Signatures
- Detected Netwalker Ransomware (2 IoCs)
  Detected unpacked Netwalker executable.
  Processes:
  resource | yara_rule
  behavioral1/memory/1628-1-0x0000000000180000-0x000000000019B000-memory.dmp | netwalker_ransomware
  behavioral1/memory/2020-4-0x0000000000450000-0x000000000046B000-memory.dmp | netwalker_ransomware
- Netwalker Ransomware
  Ransomware family with multiple versions. Also known as MailTo.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: explorer.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\Pictures\MoveFind.tiff | explorer.exe
  File opened for modification | C:\Users\Admin\Pictures\WatchUninstall.tiff | explorer.exe
- Deletes itself (1 IoC)
  Processes: explorer.exe
  pid | process
  2020 | explorer.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: explorer.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5dea063f = "C:\\Program Files (x86)\\5dea063f\\5dea063f.exe" | explorer.exe
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: e01691e3b7d9d1c6de7e0ef902bf609543cdf084e600fd0a3833deaa501464ee.exe, explorer.exe
  description | pid | process | target process
  PID 1628 set thread context of 2020 | 1628 | e01691e3b7d9d1c6de7e0ef902bf609543cdf084e600fd0a3833deaa501464ee.exe | explorer.exe
  PID 2020 set thread context of 1244 | 2020 | explorer.exe | explorer.exe
- Drops file in Program Files directory (6829 IoCs)
  Processes:
  explorer.exe
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Executive.eftx | explorer.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\Australia\Melbourne | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_COL.HXT | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\TAB_OFF.GIF | explorer.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\security\local_policy.jar | explorer.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher_1.3.0.v20140415-2008.jar | explorer.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\5DEA0-Readme.txt | explorer.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\Africa\Johannesburg | explorer.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_ja_4.4.0.v20140623020002.jar | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SUMER_01.MID | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\STORYVERTBB.DPV | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\SignedComponents.cer | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BIZCARD.XML | explorer.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\5DEA0-Readme.txt | explorer.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\5DEA0-Readme.txt | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GREET11.POC | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Couture.thmx | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\Microsoft.Office.InfoPath.xml | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18203_.WMF | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Trek.xml | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195260.WMF | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_GreenTea.gif | explorer.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.ja_5.5.0.165303.jar | explorer.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Belize | explorer.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pitcairn | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\PublicFunctions.js | explorer.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tahiti | explorer.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\images\cursors\win32_MoveDrop32x32.gif | explorer.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Dhaka | explorer.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Qyzylorda | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00118_.WMF | explorer.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\security\javafx.policy | explorer.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\SystemV\AST4 | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02746U.BMP | explorer.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\5DEA0-Readme.txt | explorer.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-attach.xml | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Newsprint.dotx | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0230558.WMF | explorer.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyrun.jar | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02214_.GIF | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TaskbarIconImages256Colors.bmp | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15301_.GIF | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21340_.GIF | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WITHCOMP.DPV | explorer.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector_1.0.200.v20131115-1210.jar | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Modern.dotx | explorer.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.zh_CN_5.5.0.165303.jar | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveReport.dotx | explorer.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CG1606.WMF | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14579_.GIF | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Technic.xml | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0300520.GIF | explorer.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Yakutsk | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\ONENOTE_K_COL.HXK | explorer.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Ulaanbaatar | explorer.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMaskRTL.bmp | explorer.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vienna | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLNOTER.FAE | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBHD.DPV | explorer.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-execution.xml_hidden | explorer.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR25F.GIF | explorer.exe
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe, vssadmin.exe
  pid | process
  1220 | vssadmin.exe
  1988 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (20942 IoCs)
  Processes:
explorer.exeexplorer.exepid process 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 2020 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe 1244 explorer.exe -
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: e01691e3b7d9d1c6de7e0ef902bf609543cdf084e600fd0a3833deaa501464ee.exe, explorer.exe
  pid | process
  1628 | e01691e3b7d9d1c6de7e0ef902bf609543cdf084e600fd0a3833deaa501464ee.exe
  2020 | explorer.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: explorer.exe, explorer.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 2020 | explorer.exe
  Token: SeDebugPrivilege | 1244 | explorer.exe
  Token: SeBackupPrivilege | 928 | vssvc.exe
  Token: SeRestorePrivilege | 928 | vssvc.exe
  Token: SeAuditPrivilege | 928 | vssvc.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: e01691e3b7d9d1c6de7e0ef902bf609543cdf084e600fd0a3833deaa501464ee.exe, explorer.exe, explorer.exe
  description | pid | process | target process
  PID 1628 wrote to memory of 2020 | 1628 | e01691e3b7d9d1c6de7e0ef902bf609543cdf084e600fd0a3833deaa501464ee.exe | explorer.exe
  PID 1628 wrote to memory of 2020 | 1628 | e01691e3b7d9d1c6de7e0ef902bf609543cdf084e600fd0a3833deaa501464ee.exe | explorer.exe
  PID 1628 wrote to memory of 2020 | 1628 | e01691e3b7d9d1c6de7e0ef902bf609543cdf084e600fd0a3833deaa501464ee.exe | explorer.exe
  PID 1628 wrote to memory of 2020 | 1628 | e01691e3b7d9d1c6de7e0ef902bf609543cdf084e600fd0a3833deaa501464ee.exe | explorer.exe
  PID 2020 wrote to memory of 1220 | 2020 | explorer.exe | vssadmin.exe
  PID 2020 wrote to memory of 1220 | 2020 | explorer.exe | vssadmin.exe
  PID 2020 wrote to memory of 1220 | 2020 | explorer.exe | vssadmin.exe
  PID 2020 wrote to memory of 1220 | 2020 | explorer.exe | vssadmin.exe
  PID 2020 wrote to memory of 1244 | 2020 | explorer.exe | explorer.exe
  PID 2020 wrote to memory of 1244 | 2020 | explorer.exe | explorer.exe
  PID 2020 wrote to memory of 1244 | 2020 | explorer.exe | explorer.exe
  PID 2020 wrote to memory of 1244 | 2020 | explorer.exe | explorer.exe
  PID 1244 wrote to memory of 1988 | 1244 | explorer.exe | vssadmin.exe
  PID 1244 wrote to memory of 1988 | 1244 | explorer.exe | vssadmin.exe
  PID 1244 wrote to memory of 1988 | 1244 | explorer.exe | vssadmin.exe
  PID 1244 wrote to memory of 1988 | 1244 | explorer.exe | vssadmin.exe
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\e01691e3b7d9d1c6de7e0ef902bf609543cdf084e600fd0a3833deaa501464ee.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e01691e3b7d9d1c6de7e0ef902bf609543cdf084e600fd0a3833deaa501464ee.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Windows\SysWOW64\explorer.exe
    Command line: "C:\Windows\system32\explorer.exe"
    - Modifies extensions of user files
    - Deletes itself
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies
    (depth 3) C:\Windows\SysWOW64\explorer.exe
      Command line: "C:\Windows\system32\explorer.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      (depth 4) C:\Windows\system32\vssadmin.exe
        Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
        - Interacts with shadow copies
(depth 1) C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1220-2-0x0000000000000000-mapping.dmp
- memory/1244-3-0x0000000000000000-mapping.dmp
- memory/1628-1-0x0000000000180000-0x000000000019B000-memory.dmp (Filesize: 108KB)
- memory/1988-5-0x0000000000000000-mapping.dmp
- memory/2020-0-0x0000000000000000-mapping.dmp
- memory/2020-4-0x0000000000450000-0x000000000046B000-memory.dmp (Filesize: 108KB)