Analysis
max time kernel: 158s
max time network: 166s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 20:17
Static task: static1
Behavioral task: behavioral1
  Sample: 573873b7b2fbb390ff21bb4e986f69fa25a1f3eea2c5fe446d46c186ab92257d.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 573873b7b2fbb390ff21bb4e986f69fa25a1f3eea2c5fe446d46c186ab92257d.exe
  Resource: win10v20201028
General
Target: 573873b7b2fbb390ff21bb4e986f69fa25a1f3eea2c5fe446d46c186ab92257d.exe
Size: 91KB
MD5: 457a4ba6896e15e132cc084cb6cd7a80
SHA1: e79fc10dcf685be830578d09cb8ea2894b1d280d
SHA256: 573873b7b2fbb390ff21bb4e986f69fa25a1f3eea2c5fe446d46c186ab92257d
SHA512: 115bff1f55a14064e0deae457cfb3bf989f85091972dd30a207fde9f76a7bea19f5c689c2f5d5feccc1ee52d2e3a72dde159b2eb38bdac845d07ac0726d00104
Malware Config
Extracted from C:\ProgramData\Microsoft\User Account Pictures\4F6CA-Readme.txt
  family: netwalker
  emails: sevenoneone@cock.li, kavariusing@tutanota.com
Extracted from C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\4F6CA-Readme.txt
  family: netwalker
  emails: sevenoneone@cock.li, kavariusing@tutanota.com
Extracted from C:\Program Files (x86)\Microsoft Office\Document Themes 14\4F6CA-Readme.txt
  family: netwalker
  emails: sevenoneone@cock.li, kavariusing@tutanota.com
Signatures

Detected Netwalker Ransomware (2 IoCs)
Detected unpacked Netwalker executable.
Processes:
  resource | yara_rule
  behavioral1/memory/1852-1-0x0000000000070000-0x000000000008B000-memory.dmp | netwalker_ransomware
  behavioral1/memory/1444-4-0x00000000001B0000-0x00000000001CB000-memory.dmp | netwalker_ransomware

Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies extensions of user files (2 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
  description | ioc | process
  File opened for modification | C:\Users\Admin\Pictures\InitializeConvert.tiff | explorer.exe
  File opened for modification | C:\Users\Admin\Pictures\ReadRegister.tiff | explorer.exe

Deletes itself (1 IoC)
Processes:
  pid | process
  1444 | explorer.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4f6ca237 = "C:\\Program Files (x86)\\4f6ca237\\4f6ca237.exe" | explorer.exe

Modifies service (2 TTPs, 5 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description | pid | process | target process
  PID 1852 set thread context of 1444 | 1852 | 573873b7b2fbb390ff21bb4e986f69fa25a1f3eea2c5fe446d46c186ab92257d.exe | explorer.exe
  PID 1444 set thread context of 2004 | 1444 | explorer.exe | explorer.exe
Drops file in Program Files directory (7472 IoCs)
Processes: explorer.exe
Interacts with shadow copies (2 TTPs, 3 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid | process
  1476 | vssadmin.exe
  1796 | vssadmin.exe
  7280 | vssadmin.exe

Suspicious behavior: EnumeratesProcesses (16692 IoCs)
Processes:
  pid | process
  1444 | explorer.exe
  2004 | explorer.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
  pid | process
  1852 | 573873b7b2fbb390ff21bb4e986f69fa25a1f3eea2c5fe446d46c186ab92257d.exe
  1444 | explorer.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1444 | explorer.exe
  Token: SeDebugPrivilege | 2004 | explorer.exe
  Token: SeBackupPrivilege | 1788 | vssvc.exe
  Token: SeRestorePrivilege | 1788 | vssvc.exe
  Token: SeAuditPrivilege | 1788 | vssvc.exe

Suspicious use of WriteProcessMemory (24 IoCs)
Processes (each row below is recorded four times in the report, 24 entries in total):
  description | pid | process | target process
  PID 1852 wrote to memory of 1444 | 1852 | 573873b7b2fbb390ff21bb4e986f69fa25a1f3eea2c5fe446d46c186ab92257d.exe | explorer.exe
  PID 1444 wrote to memory of 1476 | 1444 | explorer.exe | vssadmin.exe
  PID 1444 wrote to memory of 2004 | 1444 | explorer.exe | explorer.exe
  PID 2004 wrote to memory of 1796 | 2004 | explorer.exe | vssadmin.exe
  PID 1444 wrote to memory of 7244 | 1444 | explorer.exe | notepad.exe
  PID 1444 wrote to memory of 7280 | 1444 | explorer.exe | vssadmin.exe
Processes

C:\Users\Admin\AppData\Local\Temp\573873b7b2fbb390ff21bb4e986f69fa25a1f3eea2c5fe446d46c186ab92257d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\573873b7b2fbb390ff21bb4e986f69fa25a1f3eea2c5fe446d46c186ab92257d.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\explorer.exe
    command line: "C:\Windows\system32\explorer.exe"
    - Modifies extensions of user files
    - Deletes itself
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\vssadmin.exe
      command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies

    C:\Windows\SysWOW64\explorer.exe
      command line: "C:\Windows\system32\explorer.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\vssadmin.exe
        command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
        - Interacts with shadow copies

    C:\Windows\SysWOW64\notepad.exe
      command line: C:\Windows\system32\notepad.exe C:\Users\Admin\Desktop\4F6CA-Readme.txt

    C:\Windows\system32\vssadmin.exe
      command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Downloads

C:\Users\Admin\Desktop\4F6CA-Readme.txt
  MD5: d42fab76984b6feded489a515487b3d3
  SHA1: 13d9e2ae5ee9898148f425214f13832a2b3ddf59
  SHA256: 7d4d054411ea70d42729baf0f9e77c1be54c635d990aee953c2d0266fb4096fb
  SHA512: 953561f1d19b0f25aff9a27bb976ea82930a055a78bd7ec4c4afe3495a2b62325e2ca75e049a227c1bd704e90425128119fd014296658883035f928f5ba61621

memory/1444-0-0x0000000000000000-mapping.dmp
memory/1444-4-0x00000000001B0000-0x00000000001CB000-memory.dmp
  Filesize: 108KB
memory/1476-2-0x0000000000000000-mapping.dmp
memory/1796-5-0x0000000000000000-mapping.dmp
memory/1852-1-0x0000000000070000-0x000000000008B000-memory.dmp
  Filesize: 108KB
memory/2004-3-0x0000000000000000-mapping.dmp
memory/7244-6-0x0000000000000000-mapping.dmp
memory/7280-8-0x0000000000000000-mapping.dmp