Overview

overview

10

Static

static

9

416556c9f0...8e.exe

windows7_x64

8

416556c9f0...8e.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    197s
  • max time network
    243s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    01-02-2022 01:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    416556c9f085ae56e13f32d7c8c99f03efc6974b2897070f46ef5f9736443e8e.exe

  • Size

    277KB

  • MD5

    d60d91c24570770af42816602ac19c97

  • SHA1

    0d17845f19dc2fc1e38934864424c23d8bcc7644

  • SHA256

    416556c9f085ae56e13f32d7c8c99f03efc6974b2897070f46ef5f9736443e8e

  • SHA512

    b2fdac5145f9cfdfe06d10518198aadcb9a3d5bd26f9dcb9c8af5f3be8b1e4aa82895876ed24d39225510006d134cd31e3a588513e7ab9010cb8f9482958c7bc

Score
10/10
netwalkerransomwarespywarestealer

Malware Config

Extracted

Path

C:\E7AFD-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted. All encrypted files for this computer has extension: .e7afd -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Contact us: [email protected] [email protected] Don't forget to include your code in the email: {code_a35f346f_e7afd: nUmzzsPG/kkcxyn4EBsKurlUw9kRQTw5cRzSgNuKtVlVd7x7I6 o55hCST8rc6459cqQnlxh/ZYJQOb9/QY1QEGwE1DV3mV98bzRf o0/Oem3GHpMdUNqOW7/91vaXJ27PFPijCsK+wyoCAmVODqdxl8 Vd258IRc+ivp6c3uW0m+h7JOeP8zdskB8s+KM6qFrS7yai1o6c 5S5UnzPMplrMu0BSErzs59ACnqr6WjVfeObdQrtB6K9NWbEZEf 1o8kk49rGLptAYMxbHCVtVmcghG2RAKjo=}

Signatures

  • Netwalker Ransomware

    Ransomware family with multiple versions. Also known as MailTo.

    ransomwarenetwalker
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\416556c9f085ae56e13f32d7c8c99f03efc6974b2897070f46ef5f9736443e8e.exe
    "C:\Users\Admin\AppData\Local\Temp\416556c9f085ae56e13f32d7c8c99f03efc6974b2897070f46ef5f9736443e8e.exe"
    1⤵
    • Modifies extensions of user files
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3096

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3096-130-0x0000000002180000-0x00000000021A6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/3096-131-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download