Analysis
max time kernel: 154s
max time network: 141s
platform: windows10_x64
resource: win10v20201028
submitted: 09-11-2020 20:17
Static task: static1
Behavioral task: behavioral1
  Sample: e01691e3b7d9d1c6de7e0ef902bf609543cdf084e600fd0a3833deaa501464ee.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: e01691e3b7d9d1c6de7e0ef902bf609543cdf084e600fd0a3833deaa501464ee.exe
  Resource: win10v20201028
General
Target: e01691e3b7d9d1c6de7e0ef902bf609543cdf084e600fd0a3833deaa501464ee.exe
Size: 92KB
MD5: 9061d0acb0f5df1844e1c8ba5e2e9078
SHA1: d608f3c2962dc3d2d5e14e9e9a4f2405452255c7
SHA256: e01691e3b7d9d1c6de7e0ef902bf609543cdf084e600fd0a3833deaa501464ee
SHA512: 4ce3f1a46029a2c1822b0e087bce2c372195bfcc4040c06a4f22464cfada00c20e41e9430d62a53ee1fb1542a90a310e0d6b672c5ba4224cb1cc0ffbdb24e7c5
Malware Config
Extracted
  Path: C:\odt\BA7BC-Readme.txt
  Family: netwalker
  Contact emails: sevenoneone@cock.li, kavariusing@tutanota.com
Extracted
  Path: C:\Users\Admin\Desktop\BA7BC-Readme.txt
  Family: netwalker
  Contact emails: sevenoneone@cock.li, kavariusing@tutanota.com
Extracted
  Path: C:\Users\Admin\Music\BA7BC-Readme.txt
  Family: netwalker
  Contact emails: sevenoneone@cock.li, kavariusing@tutanota.com
Extracted
  Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\BA7BC-Readme.txt
  Family: netwalker
  Contact emails: sevenoneone@cock.li, kavariusing@tutanota.com
Signatures
Detected Netwalker Ransomware 2 IoCs
Detected unpacked Netwalker executable.
Processes:
  resource | yara_rule
  behavioral2/memory/4684-1-0x0000000000C40000-0x0000000000C5B000-memory.dmp | netwalker_ransomware
  behavioral2/memory/3588-3-0x00000000051A0000-0x00000000051BB000-memory.dmp | netwalker_ransomware
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
  description | ioc | process
  File opened for modification | C:\Users\Admin\Pictures\DisableOut.tiff | explorer.exe
Deletes itself 1 IoCs
Processes:
  pid | process
  3588 | explorer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ba7bc226 = "C:\\Program Files (x86)\\ba7bc226\\ba7bc226.exe" | explorer.exe
Modifies service 2 TTPs 5 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description | pid | process | target process
  PID 4684 set thread context of 3588 | 4684 | e01691e3b7d9d1c6de7e0ef902bf609543cdf084e600fd0a3833deaa501464ee.exe | explorer.exe
Drops file in Program Files directory 17181 IoCs
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid | process
  4176 | vssadmin.exe
  2464 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses 35541 IoCs
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
  pid | process
  4684 | e01691e3b7d9d1c6de7e0ef902bf609543cdf084e600fd0a3833deaa501464ee.exe
  3588 | explorer.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3588 | explorer.exe
  Token: SeDebugPrivilege | 3008 | explorer.exe
  Token: SeBackupPrivilege | 4024 | vssvc.exe
  Token: SeRestorePrivilege | 4024 | vssvc.exe
  Token: SeAuditPrivilege | 4024 | vssvc.exe
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
  description | pid | process | target process
  PID 4684 wrote to memory of 3588 | 4684 | e01691e3b7d9d1c6de7e0ef902bf609543cdf084e600fd0a3833deaa501464ee.exe | explorer.exe
  PID 4684 wrote to memory of 3588 | 4684 | e01691e3b7d9d1c6de7e0ef902bf609543cdf084e600fd0a3833deaa501464ee.exe | explorer.exe
  PID 4684 wrote to memory of 3588 | 4684 | e01691e3b7d9d1c6de7e0ef902bf609543cdf084e600fd0a3833deaa501464ee.exe | explorer.exe
  PID 3588 wrote to memory of 4176 | 3588 | explorer.exe | vssadmin.exe
  PID 3588 wrote to memory of 4176 | 3588 | explorer.exe | vssadmin.exe
  PID 3588 wrote to memory of 3008 | 3588 | explorer.exe | explorer.exe
  PID 3588 wrote to memory of 3008 | 3588 | explorer.exe | explorer.exe
  PID 3588 wrote to memory of 3008 | 3588 | explorer.exe | explorer.exe
  PID 3008 wrote to memory of 2464 | 3008 | explorer.exe | vssadmin.exe
  PID 3008 wrote to memory of 2464 | 3008 | explorer.exe | vssadmin.exe
Processes
C:\Users\Admin\AppData\Local\Temp\e01691e3b7d9d1c6de7e0ef902bf609543cdf084e600fd0a3833deaa501464ee.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e01691e3b7d9d1c6de7e0ef902bf609543cdf084e600fd0a3833deaa501464ee.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\explorer.exe
    Command line: "C:\Windows\system32\explorer.exe"
    - Modifies extensions of user files
    - Deletes itself
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies
    C:\Windows\SysWOW64\explorer.exe
      Command line: "C:\Windows\system32\explorer.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\vssadmin.exe
        Command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
        - Interacts with shadow copies
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2464-5-0x0000000000000000-mapping.dmp
- memory/3008-4-0x0000000000000000-mapping.dmp
- memory/3588-0-0x0000000000000000-mapping.dmp
- memory/3588-3-0x00000000051A0000-0x00000000051BB000-memory.dmp (Filesize: 108KB)
- memory/4176-2-0x0000000000000000-mapping.dmp
- memory/4684-1-0x0000000000C40000-0x0000000000C5B000-memory.dmp (Filesize: 108KB)