Analysis

  • max time kernel
    151s
  • max time network
    43s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 13:36

General

  • Target

    861340ff0057af288032d94212eb0252ca6b37c53653e28a607620e597221711.ps1

  • Size

    909KB

  • MD5

    0abc6981dc66033e0fae0351025d6399

  • SHA1

    ebe3b9509911f6af5438df3162a0cd756253bbaf

  • SHA256

    861340ff0057af288032d94212eb0252ca6b37c53653e28a607620e597221711

  • SHA512

    3cd6aa783390d6f619394169884fe739230e7de4a25195715d1770614374fd6038f23d0bffc5f0508730eee2ab1c37bac67022b0d7cb6f43bd7e98989a9a0c39

Score
10/10

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\650913-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted. All encrypted files for this computer has extension: .650913

If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery.

Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog.

Steps to get access on our website:
1.Download and install tor-browser: https://torproject.org/
2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
3.Put your personal code in the input form:
{code_650913: TWFVPjr2KaLMtDHJULHIK/zoVa0hmgggri7BQVNeGQDFOIY+GA aTQMVhdHvrpzQ6aLMN4Wcz5nJMWgS23nXROwtWJebn+qobDDvF yEXZ/tL2XvIWv80UVLELeVGLjAegMs/pBiV+k5ct5wrJa6IT85 hIKNH9gzk04zNnqDW7i0TAduxzH5d+IH+ik1e4UVKj/WKv/ZIE 3gF0yluLjy0eoJXWZz9xaczBUMJqgyiXx8sfVortOA2zoaj3YG NNm74aHTEA/Uj64pqzpkS1aWlZ9llW9uFlpdf23g==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

  • Netwalker Ransomware

    Ransomware family with multiple versions. Also known as MailTo.

  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies extensions of user files
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1200
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\861340ff0057af288032d94212eb0252ca6b37c53653e28a607620e597221711.ps1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gxjmbvze.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:996
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES592A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5919.tmp"
          4⤵
          PID:1660
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1_ledwqx.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1480
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES59F4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC59F3.tmp"
          4⤵
          PID:1608
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1740

Downloads

      • C:\Users\Admin\AppData\Local\Temp\1_ledwqx.dll
        Filesize

        4KB

        MD5

        e8f97fafff902e41c8141cedf4a2e31a

        SHA1

        b0918bd8bfe0fbdf9d7137ce0deef4c84f935306

        SHA256

        96b0d1fba718e46914f36d476da25e2c36de6cdc314873f1b5560a37a4326afe

        SHA512

        c75900431751f866afa8e7bd1e57e0d72726e6a11824dc638a658c533fb1192e9acd56cb66aeb4e3e31ccf66e68ef14eb56fac0519339d9bb7d82f67a7893fb8

      • C:\Users\Admin\AppData\Local\Temp\1_ledwqx.pdb
        Filesize

        7KB

        MD5

        b90e50c5e38c26d3d3c91bd38e9bca80

        SHA1

        9fac89a70e7a017b7fbce21e675f6bd010d77e69

        SHA256

        d0a69aa9620676071b6312004797797d013fef13b29cdebba131577337a87be5

        SHA512

        5055b59c1d5f21819005f6c06c72ab2bafc0fa858f02a2ca72560d8d2c2ece9729fe94556cff3717207b80a403fc1821f6fe1c90d7466ec6422da5b33b260bd8

      • C:\Users\Admin\AppData\Local\Temp\RES592A.tmp
        Filesize

        1KB

        MD5

        79ff0b22a1410bb35b9af69a9312357d

        SHA1

        67a463ca6bb5a56bb72195ac09428fd090227602

        SHA256

        4c7687b654f107207a743ba5bb3769ff3e2bf57414f20b5fdde8a3efe4ea29f4

        SHA512

        65acebd61e3186d86f54ec1e34ed54166d3129b93dfce45ba9cf4467746d7561d8a4fb12bd717d0ef3c2ecd401e445fa48cd41b801909eaac51cb26ceb0e5d51

      • C:\Users\Admin\AppData\Local\Temp\RES59F4.tmp
        Filesize

        1KB

        MD5

        f0184bb34a55eea540059cee5b059ccd

        SHA1

        3b60efd58aba5632127a85440c7dfb9ffd2582a9

        SHA256

        c8ca784da77809ef98c66ce5569738177709ad8c6b1bd421a6e485f1312e873d

        SHA512

        8536bb776a11a31e8af350ee11d8b4b2aaba0da1a6d1197ab6466bcf3df41fd210a0452f22b14534a02cf2c36d54ed7c19eb43ce86955bcc7741d651d08a801f

      • C:\Users\Admin\AppData\Local\Temp\gxjmbvze.dll
        Filesize

        6KB

        MD5

        8714d27a8af3a79d7f3f0ac38a775830

        SHA1

        9360e66ca8275bfadef037de7dae7ead056c8c24

        SHA256

        c2e466705644214ccd6ebd2274de19ca660fc161c6983c2b78ebe76cb3086ac5

        SHA512

        7882b73d55ceafdcb3174e0ff311fbe03f9136d3213f5a954de6ca9628bcf98c0aa5c975caa724990e84148aa6cefaa10d5170f2fbf517855c6129a2162a2e44

      • C:\Users\Admin\AppData\Local\Temp\gxjmbvze.pdb
        Filesize

        7KB

        MD5

        e4c3a64095cccc258c1c3cc12be24b4d

        SHA1

        de8a728967f8b824df4e4320f8af4fe7bdd8cd05

        SHA256

        823e96d4772d97d9f02c1ca993d6ac59012c04e0ed30a55c512d272dd5c82999

        SHA512

        de1036c8dbe4eda03d091a85093773c704b4cadd8390b001a6c588b07f4a0adc87d9969d40582f2a1ae9bf3a732b00b65f5d2ebf5ea77b8c6c721611429a0a0b

      • \??\c:\Users\Admin\AppData\Local\Temp\1_ledwqx.0.cs
        Filesize

        2KB

        MD5

        d491bc3537450532785880e98f087e97

        SHA1

        bf5a817e3776cff4554c03206159c54717ca09f2

        SHA256

        7e7bd87416a61d72128f5c5bdeb3b3054631393d22acfd84bc0a351e4cc6b491

        SHA512

        ebbd7f91049304640f30697cadea49eb8f69a26dc1581dc2e58fbf16421769ed5df67b4fe4bfc1dd6c58367adea0449c52aa26c0286e7ab153c6571b7fd59856

      • \??\c:\Users\Admin\AppData\Local\Temp\1_ledwqx.cmdline
        Filesize

        309B

        MD5

        89e2abe7a1e9dfdbbc720a30cf8eaefc

        SHA1

        364f34a2fe60844bab32e52dfab0bbac41dced88

        SHA256

        e0ffb61b0825721e0b0fdea9f39d862640d2a87bd9142c551e41dc7d2a08a146

        SHA512

        162c80f12681a9a95f10e0402b1fe3c4ccae6097ec1ddc8342716271e92789fe9883e21ec21347a1a7aba7f23ed6475fdcd562d877ddcaedbdb698465a5805cf

      • \??\c:\Users\Admin\AppData\Local\Temp\CSC5919.tmp
        Filesize

        652B

        MD5

        076cccd2289f7646bf5293d17fa4aa91

        SHA1

        5ba23658587f3094c7a55e349b9fb61b0a968b90

        SHA256

        de2006c59e1102e6252fae21b257e5b81d47b5265b80e5271713f086ffaaaa34

        SHA512

        31f987e9a8f6639b28ef3620d200285c15e3bce3a6ad2540ad3c4fe627fd5865c1d2724b1c153693f0db5ccb9f67572524534d9a76278649e67420ca263ef145

      • \??\c:\Users\Admin\AppData\Local\Temp\CSC59F3.tmp
        Filesize

        652B

        MD5

        965b6f81608c8f4a1d48c44f00bfdc91

        SHA1

        1a30ff9bbb227212c34b26e7dd56b6e59953a736

        SHA256

        a42c91e0c3b1fc877826e2e03a303e6f3eb486fcc46e080537e2ef62effe65e4

        SHA512

        35a52bacf9225cb5c9a58ae1fd8ad203fc98903165db8cbd2ecebad43881f448de3ed6ca0e30996ef1f97b1db6a25507d54121921bd19be7dcfd6e0ccb291f4b

      • \??\c:\Users\Admin\AppData\Local\Temp\gxjmbvze.0.cs
        Filesize

        9KB

        MD5

        77db487c078b0fa51e7fcace9b258cf1

        SHA1

        f73dc69329586dd07c5f4e273c03ee9164dc4936

        SHA256

        20a335545d41bad6dd654205fe7e8e38c807634307edc4463661f172d8b575de

        SHA512

        471f92bfb9a32090fa925e4cea14b218a290560e27ec5726ae65b8999293eaf3bb0f7b1b45595076a93d1406d00a5b61a1aa0c2b79294f355ef6df0f25f36cac

      • \??\c:\Users\Admin\AppData\Local\Temp\gxjmbvze.cmdline
        Filesize

        309B

        MD5

        01ea33181be24a98b3c7a23df933c764

        SHA1

        241d2bbd0694d69816bf90db7761b4543d4028fc

        SHA256

        1f27bc79e1d6e6d6332c9db346e326d8085803d8ee2b7fc62aa7a5bab10db6e7

        SHA512

        f503987c3b91de3b8bdb22ac222a18bf8152dd62dc1f74c0ea6861da6886c1dd052348fca5ead7195d1d30ff5025965f5bf7ccf748df4251f3d4d286af3257ba

      • memory/996-59-0x0000000000000000-mapping.dmp
      • memory/1200-75-0x0000000002200000-0x0000000002222000-memory.dmp
        Filesize

        136KB

      • memory/1200-77-0x0000000002200000-0x0000000002222000-memory.dmp
        Filesize

        136KB

      • memory/1480-67-0x0000000000000000-mapping.dmp
      • memory/1608-70-0x0000000000000000-mapping.dmp
      • memory/1660-62-0x0000000000000000-mapping.dmp
      • memory/2036-54-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmp
        Filesize

        8KB

      • memory/2036-57-0x00000000026D4000-0x00000000026D7000-memory.dmp
        Filesize

        12KB

      • memory/2036-55-0x000007FEF4AE0000-0x000007FEF5503000-memory.dmp
        Filesize

        10.1MB

      • memory/2036-56-0x000007FEF3F80000-0x000007FEF4ADD000-memory.dmp
        Filesize

        11.4MB

      • memory/2036-58-0x00000000026DB000-0x00000000026FA000-memory.dmp
        Filesize

        124KB