Overview

overview

10

Static

static

129a0f0f4d...8d.ps1

windows7_x64

8

129a0f0f4d...8d.ps1

windows10-2004_x64

10

Analysis

  • max time kernel
    173s
  • max time network
    192s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    01-02-2022 01:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    129a0f0f4dd667e3ecbcc252b890f306eb041ad0295cb1511343c307c12a658d.ps1

  • Size

    5.1MB

  • MD5

    25c0fde038e01fe84fd3df69c99e60a1

  • SHA1

    147c1adc615daa93e84a5a9210ccc14ae86f6c55

  • SHA256

    129a0f0f4dd667e3ecbcc252b890f306eb041ad0295cb1511343c307c12a658d

  • SHA512

    8d666575c6570f5b128faf30d30f506259eda1907829bcf449c2407ea3aa943de46933bb3822b5fcddb25648ad8cc6f4d2077b29e82cdb4a6f423a5e1acc9fae

Score
10/10
netwalkerransomware

Malware Config

Extracted

Path

C:\8E6C12-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .8e6c12 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_8e6c12: RNPDIRv8ksysNtzHv3F1NRUfRycGsxZlasJXbDpcJlwZRDzjwz qHcyLAcNqlLVo26ZKz1iNz90pl/9r1RfQjW3klWO+4NnYxTAuG pJ1h+0epWBTxBpneFz+nnGszK6FrmsbBcz2qdhshHN6q0KUvXE rKNblogbk04OyjXxrOB9fbpXseDQxZ+zmwA7VPzwgblkadrnKt VqNHcOrEIi3OAgfRSM5NMja9SIFeCNPF+PR1X2BGjGmrVdEmUZ gCeNSI+qUCfJELAkwbACqGd5neD0GrET1wT5YXww==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

  • Netwalker Ransomware

    Ransomware family with multiple versions. Also known as MailTo.

    ransomwarenetwalker
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 47 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies extensions of user files
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2424
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\129a0f0f4dd667e3ecbcc252b890f306eb041ad0295cb1511343c307c12a658d.ps1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m4yn2oqq\m4yn2oqq.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3620
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E55.tmp" "c:\Users\Admin\AppData\Local\Temp\m4yn2oqq\CSC92C959784BA4C80A76B7354A119FA15.TMP"
          4⤵
            PID:3708
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a0sqxbie\a0sqxbie.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3888
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A7A.tmp" "c:\Users\Admin\AppData\Local\Temp\a0sqxbie\CSC28EF04F382D247F5A5BE479DE4BF325F.TMP"
            4⤵
              PID:2564
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:6744

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RES5E55.tmp
        MD5

        2d0069d073bbc5e6a51b3947c16122dc

        SHA1

        670a9b7fcdb1e4462eab98c4a500a87dd3925c8f

        SHA256

        b9b4556d7d1257412f7c28c2f65b0788e2a26b39ddd829c8e852b27b462eebc6

        SHA512

        bb1492801cdcf5f9cab14e62251f1840b7d3011afc4a3567e82dd2e7bf3e9780cc37d3c3c0f869e8255fa47ead745b6f84eef1a7965ccf1290ddbca60cb1ff5d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES6A7A.tmp
        MD5

        737743ac39d5069695805a2f77100481

        SHA1

        394624133f6f733e310461a09ed7da191aa7cef8

        SHA256

        c239c907d9b4d81eb4a297423af691ebeadd754d6a998996ff78d99a18e99b58

        SHA512

        02c3b11417dc8261bb6db2c2707d401aaafbb919dba9801a18161648a95820e7c8c6891807abe5158510d533a58818d250ac352bf891e649f009384bb39ce723

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\a0sqxbie\a0sqxbie.dll
        MD5

        667b46893af5774e4e068f4930ba5c51

        SHA1

        65d568dfaff7610a693af71f25fdfa11bcd426fe

        SHA256

        da17d2cfe9532cc0cb87f6660ccec9a41fceea65dd38cf7883a5ef45e0066931

        SHA512

        d379786357748314fa427a8e2a3153eecca33d7d4276816bba3d30c89dec3aa03dbcaacf690e5e482b4c16a7241d7647c32870a18110325d9b4c429e670bddda

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\m4yn2oqq\m4yn2oqq.dll
        MD5

        4564d4623e42adb1d61b9a35406314ff

        SHA1

        e0f4321d7d89421c7a84b97bf6f8c5b7f7426132

        SHA256

        64d71fb7996f42058e4abc5702f7aa2f1aebf733a8f9338be1fac1a0221f7a19

        SHA512

        2698183f5bdfe835c09ede0c5952a6e329e14e18d18bb4e20e39e11ea1f23d242d03416cc4795346444987cb668059648931a0c8ade4adfaa6988a95568bcb9a

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\a0sqxbie\CSC28EF04F382D247F5A5BE479DE4BF325F.TMP
        MD5

        ff078dbbf7b081c977f00fb0e7b626d4

        SHA1

        83546185e9414db3490c60165978a48cfd068433

        SHA256

        30ff4b2ba8e1adb219f4d93756baab9de5d2ea29c82a44b2213261aef075440a

        SHA512

        22de9c9ecd8b0c44740b35e693b0865c951c382ed8496219ea172acbf7115b0c822fc0a06bc6b8a0d717adb6715287b75fe3214541bfd336b552e91d4a924fcd

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\a0sqxbie\a0sqxbie.0.cs
        MD5

        344f23b4667f7d312483d88784135df6

        SHA1

        718411c0a15618ab922439236f05795cc3698193

        SHA256

        c5b8181e96ef7e95b279a0693b8fc0e9ff4d7a1da54de03cdc81b1974554c840

        SHA512

        d82e753ee42564ed0db88c48368ad0eddcc71782233d58778aeeca9e65ecfb95043352f45f17650060ea6abc365ed307a5ff722dbbe466df8e221f007bd5af86

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\a0sqxbie\a0sqxbie.cmdline
        MD5

        cef3fec247d771242745eee5bc5f46cc

        SHA1

        2abf06248dd966f787e26c51fcc535e16ba8fb57

        SHA256

        db31b928b9fb1d2eb7a6bc4c64de91e9d9cc4d6c8f8cd191e42ff28889ce2246

        SHA512

        a3c886ea4c40c3707f5e97262577d9af4859aec39091b0f215710f9f9c8a1fc0e04e53960e6ef4a3cb91a949929c959ff3685a63061d1d97f147e8a69577ad8d

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\m4yn2oqq\CSC92C959784BA4C80A76B7354A119FA15.TMP
        MD5

        257bf84327fd3c8951c20dbe855051e4

        SHA1

        e54cbc16b318913448929a929568a51dc48d4c98

        SHA256

        c22b9d0aef4476e1c8d7bb8b60a8a81d9e19c7c1ff3a953d3a38407cec37f55c

        SHA512

        dc9c580b443df19dc85bfdf92d816cd9474d09623ecfcf091661587deaad049b8e7a05a50c2743d2ce548ce01e9d419e55e9229668a20096ae432a6191c2c9bb

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\m4yn2oqq\m4yn2oqq.0.cs
        MD5

        66878dde234663689cfa070b8be89ce2

        SHA1

        65452416e6883172001c395292392ce54d1b5610

        SHA256

        f13998b5042ff0f5b6acef75802b38437bc20576fd67d365a0cb1cc49ae9c7fe

        SHA512

        79e2a7bf56cba07da5a4e8d3b33197e867e23fec74b254cd684614db1322da20db79af30b9a1bd37c694d23043378345f2361cb5455a2490ebc2f34177abb0b3

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\m4yn2oqq\m4yn2oqq.cmdline
        MD5

        eb6a33339bb4edbc8e45929f52152f35

        SHA1

        5c73a2ff86f18833ced6cc5c6d0175ea0a7827a8

        SHA256

        3b0a608177ea17eda048a570d95c262c18ccce69a0c4487f93c5790ffbb61a89

        SHA512

        c49c814dae32a0972d35f4157b377ea76f6267434966523150e95ae069bebea00dd7b59ebfaafe912942801d48942d6111e1c6ca2714fe393be25e83efc83d36

        Download Submit

      • memory/2424-152-0x0000000000B70000-0x0000000000B8B000-memory.dmp

        Filesize

        108KB

        Download

      • memory/3008-139-0x0000024CA5B86000-0x0000024CA5B88000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3008-134-0x0000024CA5B80000-0x0000024CA5B82000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3008-136-0x0000024CC1840000-0x0000024CC1862000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3008-135-0x0000024CA5B83000-0x0000024CA5B85000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3008-151-0x0000024CA5B88000-0x0000024CA5B89000-memory.dmp

        Filesize

        4KB

        Download