Analysis
max time kernel: 1800s
max time network: 1800s
platform: windows7_x64
resource: win7-en-20211014
submitted: 27-10-2021 09:06

Static task: static1

Behavioral task: behavioral1
  Sample: de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exe
  Resource: win7-en-20211014

Behavioral task: behavioral2
  Sample: de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exe
  Resource: win11

Behavioral task: behavioral3
  Sample: de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exe
  Resource: win10-en-20211014
General
Target: de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exe

Malware Config
Extracted from: C:\Users\Admin\Desktop\7C5FC-Readme.txt
Family: netwalker
Contact e-mails in the note: knoocknoo@cock.li, eeeooppaaaxxx@tuta.io
Signatures

Detected Netwalker Ransomware (2 IoCs)
Detected unpacked Netwalker executable.
resource | yara_rule
behavioral1/memory/864-59-0x0000000000080000-0x000000000009B000-memory.dmp | netwalker_ransomware
behavioral1/memory/324-64-0x0000000000080000-0x000000000009B000-memory.dmp | netwalker_ransomware
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Deletes itself (1 IoC)
pid | process
864 | explorer.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7c5fc86d = "C:\\Program Files (x86)\\7c5fc86d\\7c5fc86d.exe" | explorer.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | process | target process
PID 1608 set thread context of 864 | 1608 | de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exe | explorer.exe
PID 864 set thread context of 324 | 864 | explorer.exe | explorer.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | process
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.util_8.1.14.v20131031.jar | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0251007.WMF | explorer.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf | explorer.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core.jar | explorer.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Juneau | explorer.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tallinn | explorer.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler.jar | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\MSTORE.HXS | explorer.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Aqtau | explorer.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansRegular.ttf | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePage.html | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF | explorer.exe
File created | C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\7C5FC-Readme.txt | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\7C5FC-Readme.txt | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01058_.WMF | explorer.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\7C5FC-Readme.txt | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18184_.WMF | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Address.accft | explorer.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-ui.jar | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\DELIMDOS.FAE | explorer.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.c | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIPMASK.BMP | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19827_.WMF | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\MP00646_.WMF | explorer.exe
File created | C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\7C5FC-Readme.txt | explorer.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195254.WMF | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00320_.WMF | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02451_.WMF | explorer.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\7C5FC-Readme.txt | explorer.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Krasnoyarsk | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_spellcheck.gif | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD09664_.WMF | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107132.WMF | explorer.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\7C5FC-Readme.txt | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14833_.GIF | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18250_.WMF | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Apothecary.eftx | explorer.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Flow.thmx | explorer.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_ja.jar | explorer.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\7C5FC-Readme.txt | explorer.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.nl_zh_4.4.0.v20140623020002.jar | explorer.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\LogoBeta.png | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Apothecary.thmx | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Horizon.xml | explorer.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf | explorer.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.SYD | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\TAB_ON.GIF | explorer.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_ja_4.4.0.v20140623020002.jar | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00417_.WMF | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00768_.WMF | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART7.BDR | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\OrielResume.Dotx | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02106_.GIF | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NEWS.XML | explorer.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Qyzylorda | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01329_.WMF | explorer.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\access\7C5FC-Readme.txt | explorer.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml | explorer.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Vilnius | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\PublicFunctions.js | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIGN98.POC | explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01247U.BMP | explorer.exe
Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | process
1476 | vssadmin.exe
6732 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process
864 | explorer.exe (8 entries)
324 | explorer.exe (56 entries)
Suspicious behavior: MapViewOfSection (2 IoCs)
pid | process
1608 | de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exe
864 | explorer.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | process
Token: SeDebugPrivilege | 324 | explorer.exe
Token: SeBackupPrivilege | 1088 | vssvc.exe
Token: SeRestorePrivilege | 1088 | vssvc.exe
Token: SeAuditPrivilege | 1088 | vssvc.exe
Token: SeDebugPrivilege | 864 | explorer.exe
Token: SeImpersonatePrivilege | 864 | explorer.exe
Suspicious use of WriteProcessMemory (20 IoCs)
description | pid | process | target process
PID 1608 wrote to memory of 864 (4 entries) | 1608 | de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exe | explorer.exe
PID 864 wrote to memory of 324 (4 entries) | 864 | explorer.exe | explorer.exe
PID 324 wrote to memory of 1476 (4 entries) | 324 | explorer.exe | vssadmin.exe
PID 864 wrote to memory of 5908 (4 entries) | 864 | explorer.exe | notepad.exe
PID 864 wrote to memory of 6732 (4 entries) | 864 | explorer.exe | vssadmin.exe
Processes

C:\Users\Admin\AppData\Local\Temp\de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exe (PID 1608)
  command line: "C:\Users\Admin\AppData\Local\Temp\de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\explorer.exe (PID 864)
    command line: "C:\Windows\system32\explorer.exe"
    - Deletes itself
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\explorer.exe (PID 324)
      command line: "C:\Windows\system32\explorer.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\vssadmin.exe (PID 1476)
        command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
        - Interacts with shadow copies
    C:\Windows\SysWOW64\notepad.exe (PID 5908)
      command line: C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\7C5FC-Readme.txt"
    C:\Windows\system32\vssadmin.exe (PID 6732)
      command line: C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies

C:\Windows\system32\vssvc.exe (PID 1088)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
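The process tree and signature tables above give everything needed to write host-based detections for this chain: a 32-bit explorer.exe hollowed by a temp-directory executable (and again by its own child), vssadmin deleting shadow copies, a Run value whose random name is reused as both directory and file name, and the ransom note being dropped and opened. The following is an added example for this page, not code from the sandbox or from the sample; it runs the checks over event records constructed by hand from the report (Sysmon-style field names and the parent of PID 1608 are assumptions), and also parses the report's own memory-dump file names to confirm that the two injected explorer.exe processes carry an identical 108KB region. The regular expressions generalize from the single values the report shows (8-hex Run value, 5-hex note prefix); that generalization is an assumption, not a report fact.

```python
"""Detections for the behaviours in this report, run over constructed events.

Added example, not part of the sandbox report or the Netwalker sample. The
event records are built by hand from the report's process tree, registry and
memory IoCs (Sysmon-style field names are an assumption); not real telemetry.
"""
import re
from collections import defaultdict

SAMPLE = "de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d.exe"

# type 1 = process create, 13 = registry value set, 11 = file create.
# PIDs, images and command lines are those in the report; the parent of
# PID 1608 is not in the report and is assumed to be the user's shell.
EVENTS = [
    {"type": 1, "pid": 1608, "image": rf"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": rf'"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}"'},
    {"type": 1, "pid": 864, "image": r"C:\Windows\SysWOW64\explorer.exe",
     "parent": rf"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}",
     "cmd": r'"C:\Windows\system32\explorer.exe"'},
    {"type": 1, "pid": 324, "image": r"C:\Windows\SysWOW64\explorer.exe",
     "parent": r"C:\Windows\SysWOW64\explorer.exe",
     "cmd": r'"C:\Windows\system32\explorer.exe"'},
    {"type": 1, "pid": 1476, "image": r"C:\Windows\system32\vssadmin.exe",
     "parent": r"C:\Windows\SysWOW64\explorer.exe",
     "cmd": r"C:\Windows\system32\vssadmin.exe delete shadows /all /quiet"},
    {"type": 1, "pid": 5908, "image": r"C:\Windows\SysWOW64\notepad.exe",
     "parent": r"C:\Windows\SysWOW64\explorer.exe",
     "cmd": r'C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\7C5FC-Readme.txt"'},
    {"type": 1, "pid": 6732, "image": r"C:\Windows\system32\vssadmin.exe",
     "parent": r"C:\Windows\SysWOW64\explorer.exe",
     "cmd": r"C:\Windows\system32\vssadmin.exe delete shadows /all /quiet"},
    {"type": 13, "pid": 864, "image": r"C:\Windows\SysWOW64\explorer.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7c5fc86d",
     "data": r"C:\Program Files (x86)\7c5fc86d\7c5fc86d.exe"},
    {"type": 11, "pid": 864, "image": r"C:\Windows\SysWOW64\explorer.exe",
     "target": r"C:\Program Files\VideoLAN\VLC\plugins\access\7C5FC-Readme.txt"},
]

# Generalisations of the single values the report shows (assumptions): the Run
# value is 8 hex chars reused as directory and basename; the note is 5 hex
# chars + "-Readme.txt".
RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run\\([0-9a-f]{8})$", re.I)
NOTE_RE = re.compile(r"\\[0-9A-F]{5}-Readme\.txt\b", re.I)
VSSADMIN_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b.*/all", re.I)
# On x64 Windows the shell is the 64-bit C:\Windows\explorer.exe started by
# userinit.exe; a SysWOW64 explorer.exe with any other parent is a hollowing candidate.
LOGON_CHAIN = {"userinit.exe", "winlogon.exe"}


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) tuples for every indicator found in events."""
    hits = []
    for e in events:
        if e["type"] == 1:
            img, parent, cmd = _base(e["image"]), _base(e["parent"]), e["cmd"]
            if img == "explorer.exe" and "\\syswow64\\" in e["image"].lower() \
                    and parent not in LOGON_CHAIN:
                hits.append(("explorer_hollowing", e["pid"], f"parent={e['parent']}"))
            if VSSADMIN_RE.search(cmd):
                hits.append(("shadow_copy_deletion", e["pid"], cmd))
            if NOTE_RE.search(cmd):
                hits.append(("ransom_note_opened", e["pid"], cmd))
        elif e["type"] == 13:
            m = RUN_VALUE_RE.search(e["key"])
            if m and e["data"].lower().endswith(f"\\{m.group(1).lower()}\\{m.group(1).lower()}.exe"):
                hits.append(("run_key_random_name", e["pid"], e["data"]))
        elif e["type"] == 11 and NOTE_RE.search(e["target"]):
            hits.append(("ransom_note_dropped", e["pid"], e["target"]))
    return hits


DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp", re.I)


def parse_dump(name):
    """(pid, start, size_bytes) from 'memory/<pid>-<n>-<start>-<end>-memory.dmp'; None otherwise."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        return None
    start, end = int(m.group(2), 16), int(m.group(3), 16)
    return int(m.group(1)), start, end - start


def shared_regions(names):
    """Map (start, size) -> sorted PIDs for regions dumped from more than one process."""
    by_region = defaultdict(set)
    for n in names:
        parsed = parse_dump(n)
        if parsed:
            pid, start, size = parsed
            by_region[(start, size)].add(pid)
    return {k: sorted(v) for k, v in by_region.items() if len(v) > 1}


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

The hollowing rule keys on the report's own oddity: the image is C:\Windows\SysWOW64\explorer.exe while the command line claims C:\Windows\system32\explorer.exe, and the parent is first the dropped sample, then explorer.exe itself. The Run-key rule deliberately requires the value name to reappear as both directory and basename in the data, which is more specific than "any Run value" and matches what the report records for 7c5fc86d. The dump-name parser reproduces the 108KB figure the report gives for both 864-59 and 324-64 (0x9B000 - 0x80000 = 110592 bytes) and flags that the same region appears in both injected processes.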
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\Desktop\7C5FC-Readme.txt
  MD5    c88514da33d754880025384233b2f590
  SHA1   b939983782376c65fa429707cb9d0ea4fc7432cb
  SHA256 78bde8b81f809f34c546937a8138c1657a3a74ce83a39e4a41eef4c75a8315f3
  SHA512 a9322a115eef87d19fda2d62c674a72d9520ea3ca5c1da50b4de20dedf7def5919469ebaaa9e16594fbe3c1e0692dd99533ec18ef686faadc2826b406e3a98ca

memory/324-60-0x0000000000000000-mapping.dmp
memory/324-64-0x0000000000080000-0x000000000009B000-memory.dmp
  Filesize 108KB
memory/864-56-0x0000000000000000-mapping.dmp
memory/864-58-0x0000000075481000-0x0000000075483000-memory.dmp
  Filesize 8KB
memory/864-59-0x0000000000080000-0x000000000009B000-memory.dmp
  Filesize 108KB
memory/1476-63-0x0000000000000000-mapping.dmp
memory/1608-55-0x0000000075B71000-0x0000000075B73000-memory.dmp
  Filesize 8KB
memory/5908-65-0x0000000000000000-mapping.dmp
memory/6732-68-0x0000000000000000-mapping.dmp