Analysis
-
max time kernel
307s -
max time network
322s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
16-02-2022 23:47
General
-
Target
21-NetWalker_19_10_2020_903KB.ps1
-
Size
902KB
-
MD5
7770c598848339cf3562b7480856d584
-
SHA1
b3d39042aab832b7d2bed732c8b8e600a4cf5197
-
SHA256
ee3b0468a16789da8706d46aa361049ec51586c36899646a596b630d913e7304
-
SHA512
02af6d5910f0627074fbea72901b2f2b491f7dba58f53ae1fad1dc47230e000a7b459c8475a76aaf006629bb5822d89d4672d32fb64d073464ca41140cb134d2
Malware Config
Extracted
C:\Users\Admin\Downloads\A57739-Readme.txt
netwalker
http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
-
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops file in Program Files directory 64 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\21-NetWalker_19_10_2020_903KB.ps12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jld5h0mw\jld5h0mw.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES12F8.tmp" "c:\Users\Admin\AppData\Local\Temp\jld5h0mw\CSC7D6B9FAA1EB94380A4DBDDDC9ECDA6.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c0lji5kd\c0lji5kd.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES460E.tmp" "c:\Users\Admin\AppData\Local\Temp\c0lji5kd\CSC645FD78FC77B40249CC67604619325.TMP"4⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES12F8.tmpMD5
e46db69db9f0a1d06ab4242de5a1bc04
SHA13d9c3d9b554e6713bb5f65feee8cc6aa25383d67
SHA256fad917e602707d2992b2c94dddbb22bae6c0056402a573b2d4237c63ccd9c278
SHA512675d950b471b370b6e32f1549d433704d0e866553e7fdec65abc34dd953e8cb88692dc3ca95f2edc8d62ec0c35a280b900b09bd60557d65873edc897251ac535
-
C:\Users\Admin\AppData\Local\Temp\RES460E.tmpMD5
db1c1b07ffabf825f7a050df79550266
SHA1af0703603b40ab60fd479cd1deb06b1bdad3e5b7
SHA256536d9520f9d9ff7e0cf584cc62c3064180380371012acbaebf491c5858654a51
SHA512c3383d59145791c7ee5e5d737a5dbba1ed9cffac8cbe6de3170a6e5db2cbdf487a0af26bf9ff7fa007ee04d9d377660b7f3d5fc4be4335eea962e30c18b08a37
-
C:\Users\Admin\AppData\Local\Temp\c0lji5kd\c0lji5kd.dllMD5
aa2c4c13ee8f83e7750ca5e616fa682c
SHA156ee94f45b3f4c43f250093c7e615c307cce85e8
SHA256797235b43c16bf5c8a97a4c3d1e3460b47302d621a14bec3b626fb19ec5c8b47
SHA512bebb5e41e394a7aea4b4f4453a4b52141b9d364a13679c0fe665d4a98a780c0941ab29abc4b23f721b059448d4f9fcb1e11bafce1b3c24a871885cd7af6cc96b
-
C:\Users\Admin\AppData\Local\Temp\jld5h0mw\jld5h0mw.dllMD5
d33cac1ddf1fd2d2f5c7193c9779a890
SHA1c85d5e6dadd15d8b5ddd7f38d612aa1c9d6b4348
SHA256f6683a96f889c8a9475efda9f46c7baa917aabf93d7b6fa8485acb536adf9175
SHA51285c7fb3a43c145cfa269d456c3c4a8b0300c16e0224658a293cfd12606eb9305043e14b7e196cdafa55e84d883bc2d55b2976a2f9af92c76c2564ea70ba190d8
-
\??\c:\Users\Admin\AppData\Local\Temp\c0lji5kd\CSC645FD78FC77B40249CC67604619325.TMPMD5
3402e5e8dcdb575be90c16e5d773c9f3
SHA1211917bd85e4369257b245f46146c5324d6a2f26
SHA256cf25ff7942ae0c0058705054f0abf1840f2ace5975e576d3ea55114d9baf1e11
SHA5129a09b172e6b5dc6d1fbb3e0782b5d81f08da2e13cec7bf82e2cef68c529d6fb1145176be261099effc78b1b2bd29d90ae16a840c8885eebf6535bb43f1f35e2f
-
\??\c:\Users\Admin\AppData\Local\Temp\c0lji5kd\c0lji5kd.0.csMD5
1cae52936facd4972987d3baef367d8d
SHA1ad2b4b58d20f290b9da416cef1ef305cf1df6781
SHA25628b45e56fb27763b4785974e380c96eef1436fc151a802f492db25052392d400
SHA5124ae36c0ac78177eea5a6e0fbab0f51f7d24c7a76eae75b67eab41fcace921cef256b02fb088e1afb3c445e59598fbea73270e6bca1eda32514221190daa501df
-
\??\c:\Users\Admin\AppData\Local\Temp\c0lji5kd\c0lji5kd.cmdlineMD5
6830e13c4eb3025dadbb2d9cd6d6d4d9
SHA1f7ed31c8a846b0e43166056b059fe71033b3cf1b
SHA256cc01080f949be3b5e6e894af0d61eec2d061e397335e9af9bcfa1a64f97087e5
SHA512e233846c6f9c1121f9abd46af1b0ae0bbe628c0369294e7f57981eedd75e031a300cd5d8ba25bcf6946fef7e5c16a2313447914782a0169af6050a15f64a150f
-
\??\c:\Users\Admin\AppData\Local\Temp\jld5h0mw\CSC7D6B9FAA1EB94380A4DBDDDC9ECDA6.TMPMD5
28b7bf8b0911c4ec4fab72a4420ad1cf
SHA127467971dcbb05a7ac7b7b3b36ab00ef1cac6c0c
SHA2561bc5231e5ba1c5bb4d52718968ad8474112d4d46bed7cfad8571b8e321d36845
SHA51230c8a2ff4ec617bfd90d6097112bc35a6c652e575d989256d80639eb1cba801e1f2957fe5c8ddf6e83c6617dd3bed03d77d4883d54ce07167def9f4f9741a39d
-
\??\c:\Users\Admin\AppData\Local\Temp\jld5h0mw\jld5h0mw.0.csMD5
64db54f88f46e2ecc57b05a25966da8e
SHA1488dbbbab872714609ded38db924d38971a3685f
SHA256e2b586aa1613682b4f1b92f981fea15d0612a3e632bbd73cd7287518c9ed7cb5
SHA5128791b75874fd7a90bf63742abe6d299bc4370ad910591207d7630901d80765f6f6a4475809f23becf112360403423d0c691744f1024af3dd89c104f2b0b9e729
-
\??\c:\Users\Admin\AppData\Local\Temp\jld5h0mw\jld5h0mw.cmdlineMD5
fc6e74476df9ee06c3431648c09d64c8
SHA1e371e11e66e415fcc059520ba6420dc653e604c5
SHA256a570639bc04283da8f22e6988900c737a903fefc50decaedae00c64fcc4d3443
SHA512a8cf96c3fda93e30aa42f6c7af376990bf16415aec0e82d5d573cedd761289b8913de53dd540f6df45921015622dfd8c25e720a344d0682f5c8e9c09ba42dc9c
-
memory/1800-128-0x0000022051346000-0x0000022051348000-memory.dmpFilesize
8KB
-
memory/1800-125-0x0000022051600000-0x0000022051676000-memory.dmpFilesize
472KB
-
memory/1800-122-0x0000022051450000-0x0000022051472000-memory.dmpFilesize
136KB
-
memory/1800-140-0x0000022051330000-0x0000022051338000-memory.dmpFilesize
32KB
-
memory/1800-134-0x0000022051348000-0x0000022051349000-memory.dmpFilesize
4KB
-
memory/1800-119-0x00007FFEEBA93000-0x00007FFEEBA94000-memory.dmpFilesize
4KB
-
memory/1800-121-0x0000022051343000-0x0000022051345000-memory.dmpFilesize
8KB
-
memory/1800-120-0x0000022051340000-0x0000022051342000-memory.dmpFilesize
8KB
-
memory/1800-150-0x00000220515B0000-0x00000220515B8000-memory.dmpFilesize
32KB
-
memory/2880-152-0x0000000001010000-0x0000000001032000-memory.dmpFilesize
136KB