4a8e4c9289132e7d3ac9172179464c4c8038079ad9ff7205da81c6af9d1e2354

General

Target

NetwalkerNEW.exe
Size

69KB
MD5

e9ca5e3e3e381d7f13f20f9ef7b2cd48
SHA1

89e45b950d550f140bfbee81e709d53632e55af2
SHA256

4a8e4c9289132e7d3ac9172179464c4c8038079ad9ff7205da81c6af9d1e2354
SHA512

ff301d34795ac651d020b8cd7e6626735c0b1ab48800cf957894ab775f5594cb2abe79746e1dc0e4288e7f156bab0dcf582fe9d8724b3ddee6154ea8c43ae59e

Score

10^/10

ransomware spyware

Malware Config

Extracted

Path

C:\8DED4D-Readme.txt

Ransom Note

Hello, O2MICRO. Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .8ded4d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- *** We have downloaded your documents, databases, documents of your customers, correspondence. We are ready to put everything in public access. Contact us in chat. *** -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_8ded4d: qPaXFMj4TxaDEKgGaBrVHg6gAF0QYn/qU4n8j8hzvMm/MrAnXi cxUlQQX3AfecD21w7T7U1ivcpB0C4at4wIYBNemDwclyEuEXt0 VI+fwcVsq1hqXxmaD4R2Uh5PpUWC1yBoYfRMKVhQBF7TnFUTM4 Nql97xn1cfujdndofKy0K/OjLamweey7uL9oo5oAjIjCNhMRP5 SZzhagxG3tnwAZdq+y63Eg4vn7xPaf4TuWUIYVQQjyLkThk6su T7b1RvEr/zXMGgPqPVoDOoVFYGkAfnp5Te/MNiNg==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Users\Admin\AppData\Roaming\8DED4D-Readme.txt

Ransom Note

Hello, O2MICRO. Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .8ded4d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- *** We have downloaded your documents, databases, documents of your customers, correspondence. We are ready to put everything in public access. Contact us in chat. *** -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_8ded4d: qPaXFMj4TxaDEKgGaBrVHg6gAF0QYn/qU4n8j8hzvMm/MrAnXi cxUlQQX3AfecD21w7T7U1ivcpB0C4at4wIYBNemDwclyEuEXt0 VI+fwcVsq1hqXxmaD4R2Uh5PpUWC1yBoYfRMKVhQBF7TnFUTM4 Nql97xn1cfujdndofKy0K/OjLamweey7uL9oo5oAjIjCNhMRP5 SZzhagxG3tnwAZdq+y63Eg4vn7xPaf4TuWUIYVQQjyLkThk6su T7b1RvEr/zXMGgPqPVoDOoVFYGkAfnp5Te/MNiNg==}Hello, O2MICRO. Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .8ded4d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- *** We have downloaded your documents, databases, documents of your customers, correspondence. We are ready to put everything in public access. Contact us in chat. *** -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_8ded4d: qPaXFMj4TxaDEKgGaBrVHg6gAF0QYn/qU4n8j8hzvMm/MrAnXi cxUlQQX3AfecD21w7T7U1ivcpB0C4at4wIYBNemDwclyEuEXt0 VI+fwcVsq1hqXxmaD4R2Uh5PpUWC1yBoYfRMKVhQBF7TnFUTM4 Nql97xn1cfujdndofKy0K/OjLamweey7uL9oo5oAjIjCNhMRP5 SZzhagxG3tnwAZdq+y63Eg4vn7xPaf4TuWUIYVQQjyLkThk6su T7b1RvEr/zXMGgPqPVoDOoVFYGkAfnp5Te/MNiNg==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Program Files\Microsoft Office\root\vreg\8DED4D-Readme.txt

Ransom Note

Hello, O2MICRO. Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .8ded4d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- *** We have downloaded your documents, databases, documents of your customers, correspondence. We are ready to put everything in public access. Contact us in chat. *** -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_8ded4d: qPaXFMj4TxaDEKgGaBrVHg6gAF0QYn/qU4n8j8hzvMm/MrAnXi cxUlQQX3AfecD21w7T7U1ivcpB0C4at4wIYBNemDwclyEuEXt0 VI+fwcVsq1hqXxmaD4R2Uh5PpUWC1yBoYfRMKVhQBF7TnFUTM4 Nql97xn1cfujdndofKy0K/OjLamweey7uL9oo5oAjIjCNhMRP5 SZzhagxG3tnwAZdq+y63Eg4vn7xPaf4TuWUIYVQQjyLkThk6su T7b1RvEr/zXMGgPqPVoDOoVFYGkAfnp5Te/MNiNg==}Hello, O2MICRO. Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .8ded4d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- *** We have downloaded your documents, databases, documents of your customers, correspondence. We are ready to put everything in public access. Contact us in chat. *** -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_8ded4d: qPaXFMj4TxaDEKgGaBrVHg6gAF0QYn/qU4n8j8hzvMm/MrAnXi cxUlQQX3AfecD21w7T7U1ivcpB0C4at4wIYBNemDwclyEuEXt0 VI+fwcVsq1hqXxmaD4R2Uh5PpUWC1yBoYfRMKVhQBF7TnFUTM4 Nql97xn1cfujdndofKy0K/OjLamweey7uL9oo5oAjIjCNhMRP5 SZzhagxG3tnwAZdq+y63Eg4vn7xPaf4TuWUIYVQQjyLkThk6su T7b1RvEr/zXMGgPqPVoDOoVFYGkAfnp5Te/MNiNg==}Hello, O2MICRO. Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .8ded4d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- *** We have downloaded your documents, databases, documents of your customers, correspondence. We are ready to put everything in public access. Contact us in chat. *** -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_8ded4d: qPaXFMj4TxaDEKgGaBrVHg6gAF0QYn/qU4n8j8hzvMm/MrAnXi cxUlQQX3AfecD21w7T7U1ivcpB0C4at4wIYBNemDwclyEuEXt0 VI+fwcVsq1hqXxmaD4R2Uh5PpUWC1yBoYfRMKVhQBF7TnFUTM4 Nql97xn1cfujdndofKy0K/OjLamweey7uL9oo5oAjIjCNhMRP5 SZzhagxG3tnwAZdq+y63Eg4vn7xPaf4TuWUIYVQQjyLkThk6su T7b1RvEr/zXMGgPqPVoDOoVFYGkAfnp5Te/MNiNg==}Hello, O2MICRO. Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .8ded4d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- *** We have downloaded your documents, databases, documents of your customers, correspondence. We are ready to put everything in public access. Contact us in chat. *** -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_8ded4d: qPaXFMj4TxaDEKgGaBrVHg6gAF0QYn/qU4n8j8hzvMm/MrAnXi cxUlQQX3AfecD21w7T7U1ivcpB0C4at4wIYBNemDwclyEuEXt0 VI+fwcVsq1hqXxmaD4R2Uh5PpUWC1yBoYfRMKVhQBF7TnFUTM4 Nql97xn1cfujdndofKy0K/OjLamweey7uL9oo5oAjIjCNhMRP5 SZzhagxG3tnwAZdq+y63Eg4vn7xPaf4TuWUIYVQQjyLkThk6su T7b1RvEr/zXMGgPqPVoDOoVFYGkAfnp5Te/MNiNg==}Hello, O2MICRO. Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .8ded4d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- *** We have downloaded your documents, databases, documents of your customers, correspondence. We are ready to put everything in public access. Contact us in chat. *** -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_8ded4d: qPaXFMj4TxaDEKgGaBrVHg6gAF0QYn/qU4n8j8hzvMm/MrAnXi cxUlQQX3AfecD21w7T7U1ivcpB0C4at4wIYBNemDwclyEuEXt0 VI+fwcVsq1hqXxmaD4R2Uh5PpUWC1yBoYfRMKVhQBF7TnFUTM4 Nql97xn1cfujdndofKy0K/OjLamweey7uL9oo5oAjIjCNhMRP5 SZzhagxG3tnwAZdq+y63Eg4vn7xPaf4TuWUIYVQQjyLkThk6su T7b1RvEr/zXMGgPqPVoDOoVFYGkAfnp5Te/MNiNg==}Hello, O2MICRO. Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .8ded4d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- *** We have downloaded your documents, databases, documents of your customers, correspondence. We are ready to put everything in public access. Contact us in chat. *** -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_8ded4d: qPaXFMj4TxaDEKgGaBrVHg6gAF0QYn/qU4n8j8hzvMm/MrAnXi cxUlQQX3AfecD21w7T7U1ivcpB0C4at4wIYBNemDwclyEuEXt0 VI+fwcVsq1hqXxmaD4R2Uh5PpUWC1yBoYfRMKVhQBF7TnFUTM4 Nql97xn1cfujdndofKy0K/OjLamweey7uL9oo5oAjIjCNhMRP5 SZzhagxG3tnwAZdq+y63Eg4vn7xPaf4TuWUIYVQQjyLkThk6su T7b1RvEr/zXMGgPqPVoDOoVFYGkAfnp5Te/MNiNg==}Hello, O2MICRO. Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .8ded4d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- *** We have downloaded your documents, databases, documents of your customers, correspondence. We are ready to put everything in public access. Contact us in chat. *** -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_8ded4d: qPaXFMj4TxaDEKgGaBrVHg6gAF0QYn/qU4n8j8hzvMm/MrAnXi cxUlQQX3AfecD21w7T7U1ivcpB0C4at4wIYBNemDwclyEuEXt0 VI+fwcVsq1hqXxmaD4R2Uh5PpUWC1yBoYfRMKVhQBF7TnFUTM4 Nql97xn1cfujdndofKy0K/OjLamweey7uL9oo5oAjIjCNhMRP5 SZzhagxG3tnwAZdq+y63Eg4vn7xPaf4TuWUIYVQQjyLkThk6su T7b1RvEr/zXMGgPqPVoDOoVFYGkAfnp5Te/MNiNg==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\8DED4D-Readme.txt

Ransom Note

Hello, O2MICRO. Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .8ded4d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- *** We have downloaded your documents, databases, documents of your customers, correspondence. We are ready to put everything in public access. Contact us in chat. *** -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_8ded4d: qPaXFMj4TxaDEKgGaBrVHg6gAF0QYn/qU4n8j8hzvMm/MrAnXi cxUlQQX3AfecD21w7T7U1ivcpB0C4at4wIYBNemDwclyEuEXt0 VI+fwcVsq1hqXxmaD4R2Uh5PpUWC1yBoYfRMKVhQBF7TnFUTM4 Nql97xn1cfujdndofKy0K/OjLamweey7uL9oo5oAjIjCNhMRP5 SZzhagxG3tnwAZdq+y63Eg4vn7xPaf4TuWUIYVQQjyLkThk6su T7b1RvEr/zXMGgPqPVoDOoVFYGkAfnp5Te/MNiNg==}Hello, O2MICRO. Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .8ded4d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- *** We have downloaded your documents, databases, documents of your customers, correspondence. We are ready to put everything in public access. Contact us in chat. *** -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_8ded4d: qPaXFMj4TxaDEKgGaBrVHg6gAF0QYn/qU4n8j8hzvMm/MrAnXi cxUlQQX3AfecD21w7T7U1ivcpB0C4at4wIYBNemDwclyEuEXt0 VI+fwcVsq1hqXxmaD4R2Uh5PpUWC1yBoYfRMKVhQBF7TnFUTM4 Nql97xn1cfujdndofKy0K/OjLamweey7uL9oo5oAjIjCNhMRP5 SZzhagxG3tnwAZdq+y63Eg4vn7xPaf4TuWUIYVQQjyLkThk6su T7b1RvEr/zXMGgPqPVoDOoVFYGkAfnp5Te/MNiNg==}Hello, O2MICRO. Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .8ded4d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- *** We have downloaded your documents, databases, documents of your customers, correspondence. We are ready to put everything in public access. Contact us in chat. *** -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_8ded4d: qPaXFMj4TxaDEKgGaBrVHg6gAF0QYn/qU4n8j8hzvMm/MrAnXi cxUlQQX3AfecD21w7T7U1ivcpB0C4at4wIYBNemDwclyEuEXt0 VI+fwcVsq1hqXxmaD4R2Uh5PpUWC1yBoYfRMKVhQBF7TnFUTM4 Nql97xn1cfujdndofKy0K/OjLamweey7uL9oo5oAjIjCNhMRP5 SZzhagxG3tnwAZdq+y63Eg4vn7xPaf4TuWUIYVQQjyLkThk6su T7b1RvEr/zXMGgPqPVoDOoVFYGkAfnp5Te/MNiNg==}Hello, O2MICRO. Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .8ded4d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- *** We have downloaded your documents, databases, documents of your customers, correspondence. We are ready to put everything in public access. Contact us in chat. *** -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_8ded4d: qPaXFMj4TxaDEKgGaBrVHg6gAF0QYn/qU4n8j8hzvMm/MrAnXi cxUlQQX3AfecD21w7T7U1ivcpB0C4at4wIYBNemDwclyEuEXt0 VI+fwcVsq1hqXxmaD4R2Uh5PpUWC1yBoYfRMKVhQBF7TnFUTM4 Nql97xn1cfujdndofKy0K/OjLamweey7uL9oo5oAjIjCNhMRP5 SZzhagxG3tnwAZdq+y63Eg4vn7xPaf4TuWUIYVQQjyLkThk6su T7b1RvEr/zXMGgPqPVoDOoVFYGkAfnp5Te/MNiNg==}Hello, O2MICRO. Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .8ded4d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- *** We have downloaded your documents, databases, documents of your customers, correspondence. We are ready to put everything in public access. Contact us in chat. *** -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_8ded4d: qPaXFMj4TxaDEKgGaBrVHg6gAF0QYn/qU4n8j8hzvMm/MrAnXi cxUlQQX3AfecD21w7T7U1ivcpB0C4at4wIYBNemDwclyEuEXt0 VI+fwcVsq1hqXxmaD4R2Uh5PpUWC1yBoYfRMKVhQBF7TnFUTM4 Nql97xn1cfujdndofKy0K/OjLamweey7uL9oo5oAjIjCNhMRP5 SZzhagxG3tnwAZdq+y63Eg4vn7xPaf4TuWUIYVQQjyLkThk6su T7b1RvEr/zXMGgPqPVoDOoVFYGkAfnp5Te/MNiNg==}Hello, O2MICRO. Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .8ded4d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- *** We have downloaded your documents, databases, documents of your customers, correspondence. We are ready to put everything in public access. Contact us in chat. *** -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_8ded4d: qPaXFMj4TxaDEKgGaBrVHg6gAF0QYn/qU4n8j8hzvMm/MrAnXi cxUlQQX3AfecD21w7T7U1ivcpB0C4at4wIYBNemDwclyEuEXt0 VI+fwcVsq1hqXxmaD4R2Uh5PpUWC1yBoYfRMKVhQBF7TnFUTM4 Nql97xn1cfujdndofKy0K/OjLamweey7uL9oo5oAjIjCNhMRP5 SZzhagxG3tnwAZdq+y63Eg4vn7xPaf4TuWUIYVQQjyLkThk6su T7b1RvEr/zXMGgPqPVoDOoVFYGkAfnp5Te/MNiNg==}Hello, O2MICRO. Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .8ded4d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- *** We have downloaded your documents, databases, documents of your customers, correspondence. We are ready to put everything in public access. Contact us in chat. *** -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_8ded4d: qPaXFMj4TxaDEKgGaBrVHg6gAF0QYn/qU4n8j8hzvMm/MrAnXi cxUlQQX3AfecD21w7T7U1ivcpB0C4at4wIYBNemDwclyEuEXt0 VI+fwcVsq1hqXxmaD4R2Uh5PpUWC1yBoYfRMKVhQBF7TnFUTM4 Nql97xn1cfujdndofKy0K/OjLamweey7uL9oo5oAjIjCNhMRP5 SZzhagxG3tnwAZdq+y63Eg4vn7xPaf4TuWUIYVQQjyLkThk6su T7b1RvEr/zXMGgPqPVoDOoVFYGkAfnp5Te/MNiNg==}Hello, O2MICRO. Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .8ded4d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- *** We have downloaded your documents, databases, documents of your customers, correspondence. We are ready to put everything in public access. Contact us in chat. *** -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_8ded4d: qPaXFMj4TxaDEKgGaBrVHg6gAF0QYn/qU4n8j8hzvMm/MrAnXi cxUlQQX3AfecD21w7T7U1ivcpB0C4at4wIYBNemDwclyEuEXt0 VI+fwcVsq1hqXxmaD4R2Uh5PpUWC1yBoYfRMKVhQBF7TnFUTM4 Nql97xn1cfujdndofKy0K/OjLamweey7uL9oo5oAjIjCNhMRP5 SZzhagxG3tnwAZdq+y63Eg4vn7xPaf4TuWUIYVQQjyLkThk6su T7b1RvEr/zXMGgPqPVoDOoVFYGkAfnp5Te/MNiNg==}Hello, O2MICRO. Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .8ded4d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- *** We have downloaded your documents, databases, documents of your customers, correspondence. We are ready to put everything in public access. Contact us in chat. *** -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\8DED4D-Readme.txt

Ransom Note

Hello, O2MICRO. Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .8ded4d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- *** We have downloaded your documents, databases, documents of your customers, correspondence. We are ready to put everything in public access. Contact us in chat. *** -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_8ded4d: qPaXFMj4TxaDEKgGaBrVHg6gAF0QYn/qU4n8j8hzvMm/MrAnXi cxUlQQX3AfecD21w7T7U1ivcpB0C4at4wIYBNemDwclyEuEXt0 VI+fwcVsq1hqXxmaD4R2Uh5PpUWC1yBoYfRMKVhQBF7TnFUTM4 Nql97xn1cfujdndofKy0K/OjLamweey7uL9oo5oAjIjCNhMRP5 SZzhagxG3tnwAZdq+y63Eg4vn7xPaf4TuWUIYVQQjyLkThk6su T7b1RvEr/zXMGgPqPVoDOoVFYGkAfnp5Te/MNiNg==}Hello, O2MICRO. Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .8ded4d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- *** We have downloaded your documents, databases, documents of your customers, correspondence. We are ready to put everything in public access. Contact us in chat. *** -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_8ded4d: qPaXFMj4TxaDEKgGaBrVHg6gAF0QYn/qU4n8j8hzvMm/MrAnXi cxUlQQX3AfecD21w7T7U1ivcpB0C4at4wIYBNemDwclyEuEXt0 VI+fwcVsq1hqXxmaD4R2Uh5PpUWC1yBoYfRMKVhQBF7TnFUTM4 Nql97xn1cfujdndofKy0K/OjLamweey7uL9oo5oAjIjCNhMRP5 SZzhagxG3tnwAZdq+y63Eg4vn7xPaf4TuWUIYVQQjyLkThk6su T7b1RvEr/zXMGgPqPVoDOoVFYGkAfnp5Te/MNiNg==}Hello, O2MICRO. Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .8ded4d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- *** We have downloaded your documents, databases, documents of your customers, correspondence. We are ready to put everything in public access. Contact us in chat. *** -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_8ded4d: qPaXFMj4TxaDEKgGaBrVHg6gAF0QYn/qU4n8j8hzvMm/MrAnXi cxUlQQX3AfecD21w7T7U1ivcpB0C4at4wIYBNemDwclyEuEXt0 VI+fwcVsq1hqXxmaD4R2Uh5PpUWC1yBoYfRMKVhQBF7TnFUTM4 Nql97xn1cfujdndofKy0K/OjLamweey7uL9oo5oAjIjCNhMRP5 SZzhagxG3tnwAZdq+y63Eg4vn7xPaf4TuWUIYVQQjyLkThk6su T7b1RvEr/zXMGgPqPVoDOoVFYGkAfnp5Te/MNiNg==}Hello, O2MICRO. Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .8ded4d -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- *** We have downloaded your documents, databases, documents of your customers, correspondence. We are ready to put everything in public access. Contact us in chat. *** -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_8ded4d: qPaXFMj4TxaDEKgGaBrVHg6gAF0QYn/qU4n8j8hzvMm/MrAnXi cxUlQQX3AfecD21w7T7U1ivcpB0C4at4wIYBNemDwclyEuEXt0 VI+fwcVsq1hqXxmaD4R2Uh5PpUWC1yBoYfRMKVhQBF7TnFUTM4 Nql97xn1cfujdndofKy0K/OjLamweey7uL9oo5oAjIjCNhMRP5 SZzhagxG3tnwAZdq+y63Eg4vn7xPaf4TuWUIYVQQjyLkThk6su T7b1RvEr/zXMGgPqPVoDOoVFYGkAfnp5Te/MNiNg==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

NetwalkerNEW.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\OutBlock.raw => C:\Users\Admin\Pictures\OutBlock.raw.8ded4d	NetwalkerNEW.exe
File renamed	C:\Users\Admin\Pictures\ResizeEnable.raw => C:\Users\Admin\Pictures\ResizeEnable.raw.8ded4d	NetwalkerNEW.exe
File renamed	C:\Users\Admin\Pictures\SetGet.crw => C:\Users\Admin\Pictures\SetGet.crw.8ded4d	NetwalkerNEW.exe
File renamed	C:\Users\Admin\Pictures\EditResolve.tif => C:\Users\Admin\Pictures\EditResolve.tif.8ded4d	NetwalkerNEW.exe
File renamed	C:\Users\Admin\Pictures\OptimizeWatch.crw => C:\Users\Admin\Pictures\OptimizeWatch.crw.8ded4d	NetwalkerNEW.exe
File renamed	C:\Users\Admin\Pictures\InitializeRequest.crw => C:\Users\Admin\Pictures\InitializeRequest.crw.8ded4d	NetwalkerNEW.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

NetwalkerNEW.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\LargeTile.scale-125.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_pt_BR.properties	NetwalkerNEW.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\8DED4D-Readme.txt	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_ja.jar	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\SelectAll.scale-100.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ppd.xrm-ms	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_sv.properties	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\zh-tw_get.svg	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Sand.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\4627_32x32x32.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSplashLogo.scale-125.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailSplashLogo.scale-250.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreLogo.scale-100.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_TR-TR.respack	NetwalkerNEW.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\server\8DED4D-Readme.txt	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ul-oob.xrm-ms	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.VideoTk\ConvertPS_BGRAtoY.cso	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\remove.svg	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\ui-strings.js	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\la_16x11.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\LinkedInboxSmallTile.scale-150.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\_Resources\6.rsrc	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7296_40x40x32.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Light.scale-125.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_altform-unplated_contrast-black.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\PREVIEW.GIF	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_sent.gif	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\cstm_brand_preview2x.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\dcf.x-none.msi.16.x-none.tree.dat	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\LiveTiles\OfflineMapsWide.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\WideTile.scale-100.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\jvm.cfg	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_patterns_header.png	NetwalkerNEW.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\8DED4D-Readme.txt	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ul-oob.xrm-ms	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\10393_36x36x32.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\OneConnectAppList.targetsize-16.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.TLB	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-32_altform-unplated_contrast-white.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\surprised.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Themes\autumn.jpg	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\jumbo_13d.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxBadge.scale-150.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\PlayStore_icon.svg	NetwalkerNEW.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pt-br\8DED4D-Readme.txt	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\5311_20x20x32.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Light.scale-400.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionLargeTile.scale-200.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml	NetwalkerNEW.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\8DED4D-Readme.txt	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsLargeTile.scale-100.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-125.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailWideTile.scale-100.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-ui-theme.css	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_PigEar.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-pl.xrm-ms	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\mk_60x42.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\pe_16x11.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSplashLogo.scale-250.png	NetwalkerNEW.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\msmdsrvi.rll	NetwalkerNEW.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\de-de\8DED4D-Readme.txt	NetwalkerNEW.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3672 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1052 taskkill.exe

pid	process
3672	vssadmin.exe

pid	process
1052	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

NetwalkerNEW.exe

pid	process
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe
4808	NetwalkerNEW.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

NetwalkerNEW.exevssvc.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4808	NetwalkerNEW.exe
Token: SeImpersonatePrivilege	4808	NetwalkerNEW.exe
Token: SeBackupPrivilege	1184	vssvc.exe
Token: SeRestorePrivilege	1184	vssvc.exe
Token: SeAuditPrivilege	1184	vssvc.exe
Token: SeDebugPrivilege	1052	taskkill.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

NetwalkerNEW.execmd.exe

description	pid	process	target process
PID 4808 wrote to memory of 3672	4808	NetwalkerNEW.exe	vssadmin.exe
PID 4808 wrote to memory of 3672	4808	NetwalkerNEW.exe	vssadmin.exe
PID 4808 wrote to memory of 4840	4808	NetwalkerNEW.exe	notepad.exe
PID 4808 wrote to memory of 4840	4808	NetwalkerNEW.exe	notepad.exe
PID 4808 wrote to memory of 4840	4808	NetwalkerNEW.exe	notepad.exe
PID 4808 wrote to memory of 6336	4808	NetwalkerNEW.exe	cmd.exe
PID 4808 wrote to memory of 6336	4808	NetwalkerNEW.exe	cmd.exe
PID 4808 wrote to memory of 6336	4808	NetwalkerNEW.exe	cmd.exe
PID 6336 wrote to memory of 1052	6336	cmd.exe	taskkill.exe
PID 6336 wrote to memory of 1052	6336	cmd.exe	taskkill.exe
PID 6336 wrote to memory of 1052	6336	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\NetwalkerNEW.exe
"C:\Users\Admin\AppData\Local\Temp\NetwalkerNEW.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:3672

C:\Windows\SysWOW64\notepad.exe
C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\8DED4D-Readme.txt"
2⤵
PID:4840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\F0BE.tmp.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:6336

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 4808
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\8DED4D-Readme.txt
1⤵
PID:1744

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F0BE.tmp.bat
MD5
f22f8683846dcc8fc5ad0728f250d2d7

SHA1
830cca3ae4d04f836d2db0bdbb49fa6241b01b3a

SHA256
8f8a3a96353281387c8d71ce681618c2589d23480116ba62086aa3f82cec1728

SHA512
3a43719af8629b2207e8a4954cfbdf71de8262b7fa0cadc1ad45c393344e052e23158590e4b6657f0e0d64258fc615173e86de664c50793ab221ec3b7089194c

Download Submit
C:\Users\Admin\Desktop\8DED4D-Readme.txt
MD5
703d61dd541cf5925d0fc15febf5fba0

SHA1
19bfdea510e94a9befc6f69cd53c35ef65312cbc

SHA256
42a8490366db4cf968d3c26a95c86c141a45974108ffaf9323d7b8004c6480d5

SHA512
7f78437b4a3ae8f9b2dda595c3df606ab8833dc560f9d92a0d03b240068d7760082fb92f184c2911f7b078c59f0120909d3d2f626f75701baee770b2f01d65ae

Download Submit
C:\Users\Admin\Desktop\8DED4D-Readme.txt
MD5
703d61dd541cf5925d0fc15febf5fba0

SHA1
19bfdea510e94a9befc6f69cd53c35ef65312cbc

SHA256
42a8490366db4cf968d3c26a95c86c141a45974108ffaf9323d7b8004c6480d5

SHA512
7f78437b4a3ae8f9b2dda595c3df606ab8833dc560f9d92a0d03b240068d7760082fb92f184c2911f7b078c59f0120909d3d2f626f75701baee770b2f01d65ae

Download Submit
memory/1052-7-0x0000000000000000-mapping.dmp

Download
memory/3672-2-0x0000000000000000-mapping.dmp

Download
memory/4840-4-0x0000000000000000-mapping.dmp

Download
memory/6336-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads