General

  • Target

    8f834966a06f34682b78e1644c47ab488b394b80109ddea39fc9a29ed0d56a0c

  • Size

    76KB

  • Sample

    220201-bvj6nafcc7

  • MD5

    3d6203df53fcaa16d71add5f47bdd060

  • SHA1

    655352e00c7e478c3fed38bc6f407982dec3768d

  • SHA256

    8f834966a06f34682b78e1644c47ab488b394b80109ddea39fc9a29ed0d56a0c

  • SHA512

    b8b2863b4152348b94fb69e2061db84197e96904b4e4411a19ff6a82aff71f9177cbeb55dca2eb52d35bdc65ee7f8944361b301b1f28d744bbecaab494410ec2

Malware Config

Extracted

Path

C:\D42AB3-Readme.txt

Ransom Note
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
--- What happen ? ---
Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion d42ab3.
By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data.
--- What guarantees? ---
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee.
--- How to contact with us ? ---
Email us: [email protected] [email protected]
Be sure to include your personal code in the letter:
{key_d42ab3:EQAAAEQ0MkFCMy1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLmQ0MmFiMxbhG69RS5tyNAlmqqXhHLkQ SHb4H5mdzrsZx32n9PehvO0eFAWyGFPBhwIAg0QPY+tkxscclM gHZ05suFSpf70OjS5iUSMsynmdp5Z9SKQnaTS5NxKD53FHap42 MDCyLbxvqCyXE5VnPh+HOicO+u4=}

Extracted

Path

C:\Users\All Users\Microsoft Help\D42AB3-Readme.txt

Ransom Note
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
--- What happen ? ---
Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion d42ab3.
By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data.
--- What guarantees? ---
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee.
--- How to contact with us ? ---
Email us: [email protected] [email protected]
Be sure to include your personal code in the letter:
{key_d42ab3:EQAAAEQ0MkFCMy1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLmQ0MmFiMxbhG69RS5tyNAlmqqXhHLkQ SHb4H5mdzrsZx32n9PehvO0eFAWyGFPBhwIAg0QPY+tkxscclM gHZ05suFSpf70OjS5iUSMsynmdp5Z9SKQnaTS5NxKD53FHap42 MDCyLbxvqCyXE5VnPh+HOicO+u4=}

Extracted

Path

C:\EC4959-Readme.txt

Ransom Note
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
--- What happen ? ---
Your files are encrypted, and currently unavailable. You can check it: all files on your computer has expansion ec4959.
By the way, everything is possible to recover, but you need to follow our instructions. Otherwise, you cant return your data.
--- What guarantees? ---
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, you should write to us by email. There you can decrypt one file for free. That is our guarantee.
--- How to contact with us ? ---
Email us: [email protected] [email protected]
Be sure to include your personal code in the letter:
{key_ec4959:EQAAAEVDNDk1OS1SZWFkbWUudHh0IQAAAC5tYWlsdG9ba29rb2 tsb2NrQGNvY2subGldLmVjNDk1ORbhG6/PhZg1q0PxRA3uufoL T0eDn9d9fZOhzqHqX7pySI1JHcz+SkeuSY8oswVRZfo2cVZXWJ qltn2Zc4grbkAodS+AUo075sdqNmRJt4r6qzuVBUqvBk8MalQX SQxr/FN0w1aSWhG9sBuaGKgTol4=}

Targets

    • Detected Netwalker Ransomware

      Detected unpacked Netwalker executable.

    • Netwalker Ransomware

      Ransomware family with multiple versions. Also known as MailTo.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Sets service image path in registry

    • Deletes itself

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks