4a8e4c9289132e7d3ac9172179464c4c8038079ad9ff7205da81c6af9d1e2354

General

Target

NetwalkerNEW.exe
Size

69KB
MD5

e9ca5e3e3e381d7f13f20f9ef7b2cd48
SHA1

89e45b950d550f140bfbee81e709d53632e55af2
SHA256

4a8e4c9289132e7d3ac9172179464c4c8038079ad9ff7205da81c6af9d1e2354
SHA512

ff301d34795ac651d020b8cd7e6626735c0b1ab48800cf957894ab775f5594cb2abe79746e1dc0e4288e7f156bab0dcf582fe9d8724b3ddee6154ea8c43ae59e

Score

10^/10

ransomware spyware

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\User Account Pictures\163D19-Readme.txt

Ransom Note

Hello, O2MICRO. Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .163d19 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- *** We have downloaded your documents, databases, documents of your customers, correspondence. We are ready to put everything in public access. Contact us in chat. *** -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_163d19: qa85E+Q9ybJPBsLiV2HnvDCGE5VLUpQ8kDGPZ8f78TrUWYIXCz BdTs+7mm36Lvr3ynxuw1tqxYIrybKa3rwvRx0bwZnHg1hTEXt0 VMg4yx/5Erw+qj7VXAui8mDqUOaOXPouIRPNM7x1vfkACDcdZW JM8AUT1tijYA8r+z81D3lduPCuN/ROyzkcbUFuPFiQ8eGXdaf3 S4FyAUrkQlDslmlYplhTDEczsKeV4vu6VHboCMNwDQ8ZtDm6gt oucqSVQ5ji+IEyYKsEtaASdcc9UQyAO0n8qPos7w==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Program Files (x86)\Microsoft Office\Office14\PROOF\163D19-Readme.txt

Ransom Note

Hello, O2MICRO. Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .163d19 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- *** We have downloaded your documents, databases, documents of your customers, correspondence. We are ready to put everything in public access. Contact us in chat. *** -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_163d19: qa85E+Q9ybJPBsLiV2HnvDCGE5VLUpQ8kDGPZ8f78TrUWYIXCz BdTs+7mm36Lvr3ynxuw1tqxYIrybKa3rwvRx0bwZnHg1hTEXt0 VMg4yx/5Erw+qj7VXAui8mDqUOaOXPouIRPNM7x1vfkACDcdZW JM8AUT1tijYA8r+z81D3lduPCuN/ROyzkcbUFuPFiQ8eGXdaf3 S4FyAUrkQlDslmlYplhTDEczsKeV4vu6VHboCMNwDQ8ZtDm6gt oucqSVQ5ji+IEyYKsEtaASdcc9UQyAO0n8qPos7w==}Hello, O2MICRO. Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .163d19 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- *** We have downloaded your documents, databases, documents of your customers, correspondence. We are ready to put everything in public access. Contact us in chat. *** -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_163d19: qa85E+Q9ybJPBsLiV2HnvDCGE5VLUpQ8kDGPZ8f78TrUWYIXCz BdTs+7mm36Lvr3ynxuw1tqxYIrybKa3rwvRx0bwZnHg1hTEXt0 VMg4yx/5Erw+qj7VXAui8mDqUOaOXPouIRPNM7x1vfkACDcdZW JM8AUT1tijYA8r+z81D3lduPCuN/ROyzkcbUFuPFiQ8eGXdaf3 S4FyAUrkQlDslmlYplhTDEczsKeV4vu6VHboCMNwDQ8ZtDm6gt oucqSVQ5ji+IEyYKsEtaASdcc9UQyAO0n8qPos7w==}Hello, O2MICRO. Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .163d19 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- *** We have downloaded your documents, databases, documents of your customers, correspondence. We are ready to put everything in public access. Contact us in chat. *** -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_163d19: qa85E+Q9ybJPBsLiV2HnvDCGE5VLUpQ8kDGPZ8f78TrUWYIXCz BdTs+7mm36Lvr3ynxuw1tqxYIrybKa3rwvRx0bwZnHg1hTEXt0 VMg4yx/5Erw+qj7VXAui8mDqUOaOXPouIRPNM7x1vfkACDcdZW JM8AUT1tijYA8r+z81D3lduPCuN/ROyzkcbUFuPFiQ8eGXdaf3 S4FyAUrkQlDslmlYplhTDEczsKeV4vu6VHboCMNwDQ8ZtDm6gt oucqSVQ5ji+IEyYKsEtaASdcc9UQyAO0n8qPos7w==}Hello, O2MICRO. Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .163d19 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- *** We have downloaded your documents, databases, documents of your customers, correspondence. We are ready to put everything in public access. Contact us in chat. *** -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_163d19: qa85E+Q9ybJPBsLiV2HnvDCGE5VLUpQ8kDGPZ8f78TrUWYIXCz BdTs+7mm36Lvr3ynxuw1tqxYIrybKa3rwvRx0bwZnHg1hTEXt0 VMg4yx/5Erw+qj7VXAui8mDqUOaOXPouIRPNM7x1vfkACDcdZW JM8AUT1tijYA8r+z81D3lduPCuN/ROyzkcbUFuPFiQ8eGXdaf3 S4FyAUrkQlDslmlYplhTDEczsKeV4vu6VHboCMNwDQ8ZtDm6gt oucqSVQ5ji+IEyYKsEtaASdcc9UQyAO0n8qPos7w==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Program Files (x86)\Microsoft Office\Stationery\1033\163D19-Readme.txt

Ransom Note

Hello, O2MICRO. Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .163d19 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- *** We have downloaded your documents, databases, documents of your customers, correspondence. We are ready to put everything in public access. Contact us in chat. *** -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_163d19: qa85E+Q9ybJPBsLiV2HnvDCGE5VLUpQ8kDGPZ8f78TrUWYIXCz BdTs+7mm36Lvr3ynxuw1tqxYIrybKa3rwvRx0bwZnHg1hTEXt0 VMg4yx/5Erw+qj7VXAui8mDqUOaOXPouIRPNM7x1vfkACDcdZW JM8AUT1tijYA8r+z81D3lduPCuN/ROyzkcbUFuPFiQ8eGXdaf3 S4FyAUrkQlDslmlYplhTDEczsKeV4vu6VHboCMNwDQ8ZtDm6gt oucqSVQ5ji+IEyYKsEtaASdcc9UQyAO0n8qPos7w==}Hello, O2MICRO. Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .163d19 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- *** We have downloaded your documents, databases, documents of your customers, correspondence. We are ready to put everything in public access. Contact us in chat. *** -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_163d19: qa85E+Q9ybJPBsLiV2HnvDCGE5VLUpQ8kDGPZ8f78TrUWYIXCz BdTs+7mm36Lvr3ynxuw1tqxYIrybKa3rwvRx0bwZnHg1hTEXt0 VMg4yx/5Erw+qj7VXAui8mDqUOaOXPouIRPNM7x1vfkACDcdZW JM8AUT1tijYA8r+z81D3lduPCuN/ROyzkcbUFuPFiQ8eGXdaf3 S4FyAUrkQlDslmlYplhTDEczsKeV4vu6VHboCMNwDQ8ZtDm6gt oucqSVQ5ji+IEyYKsEtaASdcc9UQyAO0n8qPos7w==}Hello, O2MICRO. Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .163d19 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- *** We have downloaded your documents, databases, documents of your customers, correspondence. We are ready to put everything in public access. Contact us in chat. *** -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_163d19: qa85E+Q9ybJPBsLiV2HnvDCGE5VLUpQ8kDGPZ8f78TrUWYIXCz BdTs+7mm36Lvr3ynxuw1tqxYIrybKa3rwvRx0bwZnHg1hTEXt0 VMg4yx/5Erw+qj7VXAui8mDqUOaOXPouIRPNM7x1vfkACDcdZW JM8AUT1tijYA8r+z81D3lduPCuN/ROyzkcbUFuPFiQ8eGXdaf3 S4FyAUrkQlDslmlYplhTDEczsKeV4vu6VHboCMNwDQ8ZtDm6gt oucqSVQ5ji+IEyYKsEtaASdcc9UQyAO0n8qPos7w==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

NetwalkerNEW.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ImportUnregister.tif => C:\Users\Admin\Pictures\ImportUnregister.tif.163d19	NetwalkerNEW.exe
File renamed	C:\Users\Admin\Pictures\SetStep.crw => C:\Users\Admin\Pictures\SetStep.crw.163d19	NetwalkerNEW.exe
File renamed	C:\Users\Admin\Pictures\MergeApprove.tif => C:\Users\Admin\Pictures\MergeApprove.tif.163d19	NetwalkerNEW.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

6232 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
6232	cmd.exe

Drops file in Program Files directory 64 IoCs

Processes:

NetwalkerNEW.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\.eclipseproduct	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\CALENDAR.GIF	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099199.GIF	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Java\jre7\lib\content-types.properties	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBlankPage.html	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01658_.WMF	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sampler_zh_CN.jar	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00298_.WMF	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Java\jre7\lib\currency.data	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.properties	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01123_.WMF	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8PDT	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239611.WMF	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00486_.WMF	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\SAVE.GIF	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Prague	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Manaus	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Rome	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02740G.GIF	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_02.MID	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\PPKLite.api	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14594_.GIF	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\flavormap.properties	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_left_over.gif	NetwalkerNEW.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\vlc.mo	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21331_.GIF	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NAVBRPH2.POC	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Tucuman	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Jayapura	NetwalkerNEW.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\163D19-Readme.txt	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02116_.GIF	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chihuahua	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-awt_zh_CN.jar	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15019_.GIF	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00158_.GIF	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay.css	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-api-caching.jar	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Troll	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DigitalInk.jpg	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\BUTTON.GIF	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENV11.POC	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01245_.GIF	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN107.XML	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryMergeLetter.dotx	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\PublicFunctions.js	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\POLICIES.FDT	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUDGESCH.GIF	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CONTACT.CFG	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\SectionHeading.jpg	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR3F.GIF	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239057.WMF	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Country.gif	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_zh_CN.jar	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_zh_4.4.0.v20140623020002.jar	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00241_.WMF	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterToolTemplates.xml	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01491_.WMF	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sampler.xml	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL110.XML	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01793_.WMF	NetwalkerNEW.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1988 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2388 taskkill.exe

pid	process
1988	vssadmin.exe

pid	process
2388	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

NetwalkerNEW.exe

pid	process
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe
384	NetwalkerNEW.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

NetwalkerNEW.exevssvc.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	384	NetwalkerNEW.exe
Token: SeImpersonatePrivilege	384	NetwalkerNEW.exe
Token: SeBackupPrivilege	7892	vssvc.exe
Token: SeRestorePrivilege	7892	vssvc.exe
Token: SeAuditPrivilege	7892	vssvc.exe
Token: SeDebugPrivilege	2388	taskkill.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

NetwalkerNEW.execmd.exe

description	pid	process	target process
PID 384 wrote to memory of 1988	384	NetwalkerNEW.exe	vssadmin.exe
PID 384 wrote to memory of 1988	384	NetwalkerNEW.exe	vssadmin.exe
PID 384 wrote to memory of 1988	384	NetwalkerNEW.exe	vssadmin.exe
PID 384 wrote to memory of 1988	384	NetwalkerNEW.exe	vssadmin.exe
PID 384 wrote to memory of 4548	384	NetwalkerNEW.exe	notepad.exe
PID 384 wrote to memory of 4548	384	NetwalkerNEW.exe	notepad.exe
PID 384 wrote to memory of 4548	384	NetwalkerNEW.exe	notepad.exe
PID 384 wrote to memory of 4548	384	NetwalkerNEW.exe	notepad.exe
PID 384 wrote to memory of 6232	384	NetwalkerNEW.exe	cmd.exe
PID 384 wrote to memory of 6232	384	NetwalkerNEW.exe	cmd.exe
PID 384 wrote to memory of 6232	384	NetwalkerNEW.exe	cmd.exe
PID 384 wrote to memory of 6232	384	NetwalkerNEW.exe	cmd.exe
PID 6232 wrote to memory of 2388	6232	cmd.exe	taskkill.exe
PID 6232 wrote to memory of 2388	6232	cmd.exe	taskkill.exe
PID 6232 wrote to memory of 2388	6232	cmd.exe	taskkill.exe
PID 6232 wrote to memory of 2388	6232	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\NetwalkerNEW.exe
"C:\Users\Admin\AppData\Local\Temp\NetwalkerNEW.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:384

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:1988

C:\Windows\SysWOW64\notepad.exe
C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\163D19-Readme.txt"
2⤵
PID:4548

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\27AC.tmp.bat"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:6232

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 384
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7892

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\27AC.tmp.bat
MD5
096e44b3ed2b481fc2f722cd4cafa850

SHA1
fdf5ea9e0cc81a040e736f2264d0965de4c86f4f

SHA256
c620d26256891a35fbb5f02fa17f502fc84a9cd072373d3b467f6bf9f83d184c

SHA512
253356bc7d4041572065eb725ff9591ca62663e7db387fc140d6e3e5df49acea27a96da976d9caf8c518b203236065416239143fb285177202ef18affd5c09bc

Download Submit
C:\Users\Admin\Desktop\163D19-Readme.txt
MD5
8e3baf6122fc79fa800be6bc46a985af

SHA1
24c2daeee0ae318a335787a56f55a0ac97dc9229

SHA256
6c0d8d030ae2e7c050ae6caee2501933968d07f12cda27c2721644125d50bea9

SHA512
0425dd435aa506dab2a440536822c28f328f98ab476ee68cace1069f739d32cf4d7db5c2c1b10feabc6c582525b31802e383c540691519dae88f21eaf3108481

Download Submit
memory/384-2-0x0000000076241000-0x0000000076243000-memory.dmp

Filesize
8KB

Download
memory/1988-3-0x0000000000000000-mapping.dmp

Download
memory/2388-8-0x0000000000000000-mapping.dmp

Download
memory/4548-4-0x0000000000000000-mapping.dmp

Download
memory/6232-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads