Analysis
max time kernel: 62s
max time network: 32s
platform: windows7_x64
resource: win7v20201028
submitted: 03-03-2021 12:22

Static task: static1
Behavioral task: behavioral1 (Sample: NetwalkerNEW.exe, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: NetwalkerNEW.exe, Resource: win10v20201028)
General
Target: NetwalkerNEW.exe
Size: 69KB
MD5: e9ca5e3e3e381d7f13f20f9ef7b2cd48
SHA1: 89e45b950d550f140bfbee81e709d53632e55af2
SHA256: 4a8e4c9289132e7d3ac9172179464c4c8038079ad9ff7205da81c6af9d1e2354
SHA512: ff301d34795ac651d020b8cd7e6626735c0b1ab48800cf957894ab775f5594cb2abe79746e1dc0e4288e7f156bab0dcf582fe9d8724b3ddee6154ea8c43ae59e
Malware Config
Extracted from C:\ProgramData\Microsoft\User Account Pictures\163D19-Readme.txt:
http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted from C:\Program Files (x86)\Microsoft Office\Office14\PROOF\163D19-Readme.txt:
http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Extracted from C:\Program Files (x86)\Microsoft Office\Stationery\1033\163D19-Readme.txt:
http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: NetwalkerNEW.exe
File renamed: C:\Users\Admin\Pictures\ImportUnregister.tif => C:\Users\Admin\Pictures\ImportUnregister.tif.163d19 (NetwalkerNEW.exe)
File renamed: C:\Users\Admin\Pictures\SetStep.crw => C:\Users\Admin\Pictures\SetStep.crw.163d19 (NetwalkerNEW.exe)
File renamed: C:\Users\Admin\Pictures\MergeApprove.tif => C:\Users\Admin\Pictures\MergeApprove.tif.163d19 (NetwalkerNEW.exe)
-
Deletes itself 1 IoCs
Processes: cmd.exe (PID 6232)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
Processes: NetwalkerNEW.exe (every entry below)
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\.eclipseproduct
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\CALENDAR.GIF
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099199.GIF
File opened for modification: C:\Program Files\Java\jre7\lib\content-types.properties
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBlankPage.html
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01658_.WMF
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sampler_zh_CN.jar
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00298_.WMF
File opened for modification: C:\Program Files\Java\jre7\lib\currency.data
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.properties
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01123_.WMF
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8PDT
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239611.WMF
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00486_.WMF
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\SAVE.GIF
File opened for modification: C:\Program Files\Java\jre7\lib\zi\Europe\Prague
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Manaus
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Rome
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02740G.GIF
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_02.MID
File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\PPKLite.api
File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14594_.GIF
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\flavormap.properties
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_left_over.gif
File opened for modification: C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\vlc.mo
File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21331_.GIF
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NAVBRPH2.POC
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Tucuman
File opened for modification: C:\Program Files\Java\jre7\lib\zi\Asia\Jayapura
File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\163D19-Readme.txt
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02116_.GIF
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chihuahua
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-awt_zh_CN.jar
File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15019_.GIF
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00158_.GIF
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay.css
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-api-caching.jar
File opened for modification: C:\Program Files\Java\jre7\lib\zi\Antarctica\Troll
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DigitalInk.jpg
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\BUTTON.GIF
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENV11.POC
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01245_.GIF
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN107.XML
File opened for modification: C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryMergeLetter.dotx
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\PublicFunctions.js
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\POLICIES.FDT
File opened for modification: C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUDGESCH.GIF
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CONTACT.CFG
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\SectionHeading.jpg
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR3F.GIF
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239057.WMF
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Country.gif
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_zh_CN.jar
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_zh_4.4.0.v20140623020002.jar
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00241_.WMF
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterToolTemplates.xml
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01491_.WMF
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sampler.xml
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL110.XML
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01793_.WMF
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe (PID 1988)
-
Kills process with taskkill 1 IoCs
Processes: taskkill.exe (PID 2388)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: NetwalkerNEW.exe (PID 384), 64 process-enumeration events
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: NetwalkerNEW.exe, vssvc.exe, taskkill.exe
Token: SeDebugPrivilege (PID 384 NetwalkerNEW.exe)
Token: SeImpersonatePrivilege (PID 384 NetwalkerNEW.exe)
Token: SeBackupPrivilege (PID 7892 vssvc.exe)
Token: SeRestorePrivilege (PID 7892 vssvc.exe)
Token: SeAuditPrivilege (PID 7892 vssvc.exe)
Token: SeDebugPrivilege (PID 2388 taskkill.exe)
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes: NetwalkerNEW.exe, cmd.exe
PID 384 NetwalkerNEW.exe wrote to memory of PID 1988 vssadmin.exe (4 events)
PID 384 NetwalkerNEW.exe wrote to memory of PID 4548 notepad.exe (4 events)
PID 384 NetwalkerNEW.exe wrote to memory of PID 6232 cmd.exe (4 events)
PID 6232 cmd.exe wrote to memory of PID 2388 taskkill.exe (4 events)
Processes
C:\Users\Admin\AppData\Local\Temp\NetwalkerNEW.exe (PID 384)
  command line: "C:\Users\Admin\AppData\Local\Temp\NetwalkerNEW.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\vssadmin.exe (PID 1988)
    command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
    - Interacts with shadow copies
  C:\Windows\SysWOW64\notepad.exe (PID 4548)
    command line: C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\163D19-Readme.txt"
  C:\Windows\SysWOW64\cmd.exe (PID 6232)
    command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\27AC.tmp.bat"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\taskkill.exe (PID 2388)
      command line: taskkill /F /PID 384
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\vssvc.exe (PID 7892)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
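The process tree above is the whole kill chain in five events: the sample deletes shadow copies through vssadmin, opens the note in notepad, then runs a batch file from %TEMP% whose taskkill targets PID 384, the sample itself, so the batch can delete the executable afterwards. What follows is an added example, not part of the sandbox report, that replays constructed process-creation events modelled on that tree (PIDs, image paths and command lines are the report's; the event schema and the sample's own parent PID are assumptions) and flags the three behaviours a hunter would key on, including the grandparent check that distinguishes a self-kill from an ordinary taskkill.

```python
"""Flag the shadow-copy deletion and batch self-kill seen in the process tree.

Added example; not part of the sandbox report.  Rules:
  1. vssadmin deleting shadow copies,
  2. cmd.exe launched on a *.tmp.bat under %TEMP%,
  3. taskkill /F /PID whose target is the grandparent that spawned that cmd.exe
     (the sample having a batch file kill it so the batch can delete it).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events mirroring the report's tree.  The report does not give the
# sample's parent PID; 1000 is a placeholder.
SAMPLE_EVENTS = [
    ProcEvent(384, 1000, r"C:\Users\Admin\AppData\Local\Temp\NetwalkerNEW.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\NetwalkerNEW.exe"'),
    ProcEvent(1988, 384, r"C:\Windows\system32\vssadmin.exe",
              r"C:\Windows\system32\vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(4548, 384, r"C:\Windows\SysWOW64\notepad.exe",
              r'C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\163D19-Readme.txt"'),
    ProcEvent(6232, 384, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c "C:\Users\Admin\AppData\Local\Temp\27AC.tmp.bat"'),
    ProcEvent(2388, 6232, r"C:\Windows\SysWOW64\taskkill.exe",
              r"taskkill /F /PID 384"),
]

VSSADMIN_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)
TEMP_BAT = re.compile(r'\\AppData\\Local\\Temp\\[^"\\]+\.tmp\.bat\b', re.I)
TASKKILL_PID = re.compile(r"\btaskkill(?:\.exe)?\b.*?/PID\s+(\d+)", re.I)


def basename(image):
    """Lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return a list of (rule, pid, related_pid) findings over the events."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if VSSADMIN_DELETE.search(e.cmdline):
            findings.append(("shadow_copy_deletion", e.pid, e.ppid))
        if basename(e.image) == "cmd.exe" and TEMP_BAT.search(e.cmdline):
            findings.append(("temp_batch_via_cmd", e.pid, e.ppid))
        m = TASKKILL_PID.search(e.cmdline)
        if m:
            target = int(m.group(1))
            parent = by_pid.get(e.ppid)
            # Self-kill: taskkill's parent is cmd.exe and cmd.exe's parent is the target.
            if parent is not None and basename(parent.image) == "cmd.exe" and parent.ppid == target:
                findings.append(("self_kill_via_batch", e.pid, target))
    return findings


def is_ransomware_chain(findings):
    """True when shadow-copy deletion and the batch self-kill both appear."""
    rules = {f[0] for f in findings}
    return {"shadow_copy_deletion", "self_kill_via_batch"} <= rules


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print("ransomware chain:", is_ransomware_chain(found))
```

The grandparent check matters in practice: `taskkill /F /PID` from a cmd.exe is common in installers and scripts, but a taskkill whose target is the very process that spawned the cmd.exe running a %TEMP% batch file is the self-delete idiom, and it pairs here with `vssadmin delete shadows /all /quiet` to give a high-confidence verdict.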
Downloads
C:\Users\Admin\AppData\Local\Temp\27AC.tmp.bat
MD5: 096e44b3ed2b481fc2f722cd4cafa850
SHA1: fdf5ea9e0cc81a040e736f2264d0965de4c86f4f
SHA256: c620d26256891a35fbb5f02fa17f502fc84a9cd072373d3b467f6bf9f83d184c
SHA512: 253356bc7d4041572065eb725ff9591ca62663e7db387fc140d6e3e5df49acea27a96da976d9caf8c518b203236065416239143fb285177202ef18affd5c09bc
-
C:\Users\Admin\Desktop\163D19-Readme.txt
MD5: 8e3baf6122fc79fa800be6bc46a985af
SHA1: 24c2daeee0ae318a335787a56f55a0ac97dc9229
SHA256: 6c0d8d030ae2e7c050ae6caee2501933968d07f12cda27c2721644125d50bea9
SHA512: 0425dd435aa506dab2a440536822c28f328f98ab476ee68cace1069f739d32cf4d7db5c2c1b10feabc6c582525b31802e383c540691519dae88f21eaf3108481
-
memory/384-2-0x0000000076241000-0x0000000076243000-memory.dmp (Filesize: 8KB)
memory/1988-3-0x0000000000000000-mapping.dmp
memory/2388-8-0x0000000000000000-mapping.dmp
memory/4548-4-0x0000000000000000-mapping.dmp
memory/6232-6-0x0000000000000000-mapping.dmp