Analysis
-
max time kernel
130s -
max time network
133s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
20-10-2021 09:21
Static task
static1
Behavioral task
behavioral1
Sample
de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exe
Resource
win10-en-20210920
General
-
Target
de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exe
-
Size
94KB
-
MD5
993b73d6490bc5a7e23e02210b317247
-
SHA1
6fd314af34409e945504e166eb8cd88127c1070e
-
SHA256
de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d
-
SHA512
417f55a066896695ce1b8d998767f706005d3d6f1792f2b86261a235034a6c3bb1deae6920857fbc710d22b833479b2cbeafd92735381f1cc357adcc8a74c55d
Malware Config
Extracted
C:\odt\A2D63-Readme.txt
netwalker
knoocknoo@cock.li
eeeooppaaaxxx@tuta.io
Extracted
C:\Users\Admin\AppData\Roaming\A2D63-Readme.txt
netwalker
knoocknoo@cock.li
eeeooppaaaxxx@tuta.io
Signatures
-
Detected Netwalker Ransomware 2 IoCs
Detected unpacked Netwalker executable.
Processes:
resource yara_rule behavioral1/memory/2264-118-0x0000000000450000-0x000000000046B000-memory.dmp netwalker_ransomware behavioral1/memory/3800-117-0x0000000000540000-0x000000000055B000-memory.dmp netwalker_ransomware -
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
explorer.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\ReadConnect.tiff explorer.exe File opened for modification C:\Users\Admin\Pictures\FindSuspend.tiff explorer.exe -
Deletes itself 1 IoCs
Processes:
explorer.exepid process 3800 explorer.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a2d63472 = "C:\\Program Files (x86)\\a2d63472\\a2d63472.exe" explorer.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exedescription pid process target process PID 2072 set thread context of 3800 2072 de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exe explorer.exe -
Drops file in Program Files directory 64 IoCs
Processes:
explorer.exedescription ioc process File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\LargeTile.scale-200.png explorer.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\security\US_export_policy.jar explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ppd.xrm-ms explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\eu-es\ui-strings.js explorer.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\COPYRIGHT explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\gn_60x42.png explorer.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-il\A2D63-Readme.txt explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\OneConnectAppList.targetsize-48.png explorer.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-masterfs-nio2.jar explorer.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-tw\A2D63-Readme.txt explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\css\main.css explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sk-sk\ui-strings.js explorer.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_it.properties explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\Attribution\foreca.png explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ppd.xrm-ms explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-200_contrast-black.png explorer.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\vlc.mo explorer.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.zh_CN_5.5.0.165303.jar explorer.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.contrast-white_scale-125.png explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\WPFT532.CNV explorer.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsSplashScreen.scale-125.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Livetiles\MicrosoftSolitaireAppList.targetsize-96_altform-unplated.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-32_altform-unplated.png explorer.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-16_altform-unplated.png explorer.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_zh_CN.jar explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-80.png explorer.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosMedTile.contrast-black_scale-125.png explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICBI.TTF explorer.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA explorer.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\A2D63-Readme.txt explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ppd.xrm-ms explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\PeopleSplashScreen.scale-200.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\192.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\SegXbox2.ttf explorer.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\vlc.mo explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-80.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-256.png explorer.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-125_8wekyb3d8bbwe\Lumia.ViewerPlugin\Assets\IconEditRichCapture.scale-125.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\star.png explorer.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\ext\access-bridge-64.jar explorer.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ppd.xrm-ms explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.scale-400.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7989_20x20x32.png explorer.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Google.scale-125.png explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\de-de\ui-strings.js explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ul-oob.xrm-ms explorer.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-100.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\mu_16x11.png explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\ui-strings.js explorer.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-loaders.jar explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\file_info.png explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\es-es\ui-strings.js explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\166.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\MedTile.scale-200.png explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\desktop\en-GB\doc_offline_getconnected.xml explorer.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-64_altform-fullcolor.png explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_up_18.svg explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\tr-tr\ui-strings.js explorer.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.SF explorer.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_reportabuse-default_18.svg explorer.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\8041_48x48x32.png explorer.exe -
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 1428 vssadmin.exe 9992 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
explorer.exeexplorer.exepid process 3800 explorer.exe 3800 explorer.exe 3800 explorer.exe 3800 explorer.exe 3800 explorer.exe 3800 explorer.exe 3800 explorer.exe 3800 explorer.exe 3800 explorer.exe 3800 explorer.exe 3800 explorer.exe 3800 explorer.exe 3800 explorer.exe 3800 explorer.exe 3800 explorer.exe 3800 explorer.exe 3800 explorer.exe 3800 explorer.exe 3800 explorer.exe 3800 explorer.exe 3800 explorer.exe 3800 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exeexplorer.exepid process 2072 de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exe 3800 explorer.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
explorer.exevssvc.exeexplorer.exedescription pid process Token: SeDebugPrivilege 2264 explorer.exe Token: SeBackupPrivilege 972 vssvc.exe Token: SeRestorePrivilege 972 vssvc.exe Token: SeAuditPrivilege 972 vssvc.exe Token: SeDebugPrivilege 3800 explorer.exe Token: SeImpersonatePrivilege 3800 explorer.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exeexplorer.exeexplorer.exedescription pid process target process PID 2072 wrote to memory of 3800 2072 de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exe explorer.exe PID 2072 wrote to memory of 3800 2072 de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exe explorer.exe PID 2072 wrote to memory of 3800 2072 de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exe explorer.exe PID 3800 wrote to memory of 2264 3800 explorer.exe explorer.exe PID 3800 wrote to memory of 2264 3800 explorer.exe explorer.exe PID 3800 wrote to memory of 2264 3800 explorer.exe explorer.exe PID 2264 wrote to memory of 1428 2264 explorer.exe vssadmin.exe PID 2264 wrote to memory of 1428 2264 explorer.exe vssadmin.exe PID 3800 wrote to memory of 4220 3800 explorer.exe notepad.exe PID 3800 wrote to memory of 4220 3800 explorer.exe notepad.exe PID 3800 wrote to memory of 4220 3800 explorer.exe notepad.exe PID 3800 wrote to memory of 9992 3800 explorer.exe vssadmin.exe PID 3800 wrote to memory of 9992 3800 explorer.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exe"C:\Users\Admin\AppData\Local\Temp\de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\system32\explorer.exe"2⤵
- Modifies extensions of user files
- Deletes itself
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\system32\explorer.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\A2D63-Readme.txt"3⤵
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\A2D63-Readme.txt1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\A2D63-Readme.txtMD5
21023b4f94067b6b71afc6f07554ed12
SHA15717d119f17a52a7a3d5fb6ed515bb9f3f50bf72
SHA2567ca20b2cbb8fe9b73a624871212c285263f0a571e7f639d632029bd727ab4a28
SHA5120e41dfb43abca29505e7c0b2a729ca6c0d909dc2fd2bba3198248985e794f41920f403e78a361e556c9ad9b6516523966801efaa130bf47258319ed10df55f89
-
C:\Users\Admin\Desktop\A2D63-Readme.txtMD5
21023b4f94067b6b71afc6f07554ed12
SHA15717d119f17a52a7a3d5fb6ed515bb9f3f50bf72
SHA2567ca20b2cbb8fe9b73a624871212c285263f0a571e7f639d632029bd727ab4a28
SHA5120e41dfb43abca29505e7c0b2a729ca6c0d909dc2fd2bba3198248985e794f41920f403e78a361e556c9ad9b6516523966801efaa130bf47258319ed10df55f89
-
memory/1428-119-0x0000000000000000-mapping.dmp
-
memory/2264-116-0x0000000000000000-mapping.dmp
-
memory/2264-118-0x0000000000450000-0x000000000046B000-memory.dmpFilesize
108KB
-
memory/3800-115-0x0000000000000000-mapping.dmp
-
memory/3800-117-0x0000000000540000-0x000000000055B000-memory.dmpFilesize
108KB
-
memory/4220-121-0x0000000000000000-mapping.dmp
-
memory/9992-122-0x0000000000000000-mapping.dmp