Overview

overview

10

Static

static

0681c37cfb...82.ps1

windows7_x64

8

0681c37cfb...82.ps1

windows10-2004_x64

10

Analysis

  • max time kernel
    169s
  • max time network
    172s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 13:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0681c37cfbb640a08028c3ba49e92dc82268f8ad2aa865b86efafc834ade3682.ps1

  • Size

    903KB

  • MD5

    55e24e49a28d1c65ef535778982d0854

  • SHA1

    368b76cfca253c01675533f1a9ba4756eab239b1

  • SHA256

    0681c37cfbb640a08028c3ba49e92dc82268f8ad2aa865b86efafc834ade3682

  • SHA512

    6aecf6a9a90083d8599da9fc1c68d9783942b6819739ceb8f03a4df58f20a92addba17561969b0e85d2243a33eceb2b28ca9571c782abc746e7f298734577067

Score
10/10
netwalkerransomware

Malware Config

Extracted

Path

C:\odt\03F6C2-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted. All encrypted files for this computer has extension: .03f6c2 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_03f6c2: /Jp95S7I1CYsIJUckQWfA+895DgmXBCe1QLhyBCYrXqgHm4jZe X5tGnTAmKed8NNJa5QIjeFCMHj+yNunnkzlMG69R2/f3B+WGbS 1yHELMapu+d27bTaT/I7J9WsUB72Ac496ZRmT6JZ5Fc+oWDvGY kAN8ZcIGhp5fo4D/LhGcDtk6Z7U6Sk8s66CreHXt84GhZCh8K/ 49zrMGRoOJ1q06YhJjH3YzlDnuUL0m4KpHXCuMAW4p5vVjOMiy M6zCAZUOkEUlmsRLiCQ4otFTXx5ujioK5ciw60lw==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

  • Netwalker Ransomware

    Ransomware family with multiple versions. Also known as MailTo.

    ransomwarenetwalker
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\0681c37cfbb640a08028c3ba49e92dc82268f8ad2aa865b86efafc834ade3682.ps1
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4164
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eu0b4pkr\eu0b4pkr.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:408
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC091.tmp" "c:\Users\Admin\AppData\Local\Temp\eu0b4pkr\CSC6DE74A7A5E594641A8912CEE2545938.TMP"
        3⤵
          PID:4604
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pgq3w4fz\pgq3w4fz.cmdline"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4512
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC8FD.tmp" "c:\Users\Admin\AppData\Local\Temp\pgq3w4fz\CSCF0421D41E6E94A6FA7DB8729EF302BC.TMP"
          3⤵
            PID:4584

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RESC091.tmp
        Filesize

        1KB

        MD5

        08674a1f247518c50752400112312d10

        SHA1

        bda40ac19f65ba68ae5db359cd61ecaf686e9fa7

        SHA256

        060b509d55fe44856b0511da8a2069a5248029ede917e1831a549a85ea4c851b

        SHA512

        7c1a01a8f56849636445b81c5aa082e2a614b90c273c4077bf45ca0653a03c184b088105ed1cb28dbefe1f16fec8f69a74a7e484170f079b762328aed470cefc

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\RESC8FD.tmp
        Filesize

        1KB

        MD5

        1865632e9f132daa64514adfe209372a

        SHA1

        b6e95425bb51413adb01496a5f47b539f72d19d6

        SHA256

        f646034993a90d067b834809f91acd3c668c30ceb319c88e129b2c85547e4f44

        SHA512

        3c6367add97f6992fafaded7097af705be2993d209392f85757c2b71d1fb31cd53a40aa874d89c921e5663281e264b70e39f2eb7f250b3764c594e73a8b5ed98

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\eu0b4pkr\eu0b4pkr.dll
        Filesize

        6KB

        MD5

        980474e8bbf79180f0ddba8bbe62d3e8

        SHA1

        77f0904c2fd51a5541f4b214de044e140b20d8be

        SHA256

        803a9513587fa87f8e3c3b24070b30c5023be0884aa14b0b81d2709acdbac884

        SHA512

        efdaf39a813e418456533027d9b14eb43a036553578db034fb05b68d46de56d1328be50db66d179dfc08e83aec2bf146c49c26bd454fd03301e304c08193cc05

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\pgq3w4fz\pgq3w4fz.dll
        Filesize

        4KB

        MD5

        ccb46b143ed4e216d4bb3a3034b8a598

        SHA1

        2578cb1e50be025ea98f1e97247c364b355990db

        SHA256

        4b25b1304f7bcb3da8cb124fb393a4d1b4bb29b9e08c20cba59a79a5f84c1baa

        SHA512

        3bfeb8b7ca65339c9e41acc3cf62380eab760232dabfcf7712fa6093e9c035e5d50e7d6d9fceb51e613401b07b01c64e80c2326a6b6db8e14ee7fc17fa2feb5f

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\eu0b4pkr\CSC6DE74A7A5E594641A8912CEE2545938.TMP
        Filesize

        652B

        MD5

        de7ff4ca836c39f35a66d5b0c230dde7

        SHA1

        7ac4b95265b3b8b0088f40420e75489a2bf80747

        SHA256

        43add2191a03c6ffb33d26c927cbe181b522f02c583d0a6055aca1c24a31239e

        SHA512

        ab98e6666efa3187141aa177acd8868add637dce53c84aada1c26e976c31fa7f966d12a3ff7a730594bcbd6bb5ec4a6f04abc623ae0e1971758392b28d518389

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\eu0b4pkr\eu0b4pkr.0.cs
        Filesize

        8KB

        MD5

        07086ea98fed0079427b7f0710fe62e0

        SHA1

        8bd780bdb9a03d88f32ebef8549509a697fe0102

        SHA256

        eab011089366b76f3f371a62efbe22340ed3adbd2cd5a46a5558c3faac101fff

        SHA512

        d1b4741ca1d09f5b8e72e43c6d08a8f6d69d14cac46bf3c42004e0105e18e892f2ea44f3b28a984779c3c047f5641431148c39bf0eb09093473d2c105c4d2d97

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\eu0b4pkr\eu0b4pkr.cmdline
        Filesize

        369B

        MD5

        a69da674de7ab6c1d31a85fa73e68543

        SHA1

        f6d5be04de9b23a7bec77cf775e400106314af81

        SHA256

        0d1dda736ecfdc902933616d6deaa6d5006681223fa9186dbb4fcea5c76a33b0

        SHA512

        a5db71243a4ce80122f36024aeb392385c261fc06979037585bf14841dfccac9cffbe6513c2c99a7612c9d0dac78a11b8be0c3b01065cbaa27444ed7743926d5

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\pgq3w4fz\CSCF0421D41E6E94A6FA7DB8729EF302BC.TMP
        Filesize

        652B

        MD5

        a827d6cd17cee379d2372b50b31214d1

        SHA1

        8744079032d6eb1fae63a535886b16db86694569

        SHA256

        40b52a87a95b81e942605eda6d8d031d9ef71310d23dc1de63e875182110499c

        SHA512

        f06952634198907b7f23d34661b40fbe4ca3e4c37ee206a4fb3ba98551b401414b4dfcb1a97e563a642725f2630e1e5bf4375d0eba96fd11efea8b2ab67fc51e

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\pgq3w4fz\pgq3w4fz.0.cs
        Filesize

        2KB

        MD5

        c97bbb0991bdcc70f6cd23e863029f03

        SHA1

        3f21d01b0970a323b090056e285b4261c784cb19

        SHA256

        c59ec8f208e5dd9e310b3ca6a2148c22ff52ada68d15e2cd0ade4a819a20208a

        SHA512

        436100ea9f52ae49a6c5179d12464a1e18bb0cbfddb4545774d582fe2d5c269efdf6bce97ad84deb3419f29f4ba0572a1ccebd5beb70ecd98c7c59ed77f4196d

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\pgq3w4fz\pgq3w4fz.cmdline
        Filesize

        369B

        MD5

        d3a8147df3a0a98afa861a87274c3fae

        SHA1

        6f2fb306ed12bc368ce7d4e89fa12ab12ac5caa7

        SHA256

        daee1bea84257cdced4a51b74ada297e1a7871aa79e928d15039ba22463baf73

        SHA512

        df3139fee7f630e0100ed447d758c7dcfb68787344610eb71c30320e958fb7206b0e9767f3b8fd291d81e3b5e2497456c8cfe96c8193964ff77af7284b9f0f9d

        Download Submit
      • memory/408-132-0x0000000000000000-mapping.dmp
        Download
      • memory/4164-130-0x0000027B32E20000-0x0000027B32E42000-memory.dmp
        Filesize

        136KB

        Download
      • memory/4164-131-0x00007FF9FA870000-0x00007FF9FB331000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/4164-146-0x0000027B4E040000-0x0000027B4E062000-memory.dmp
        Filesize

        136KB

        Download
      • memory/4512-139-0x0000000000000000-mapping.dmp
        Download
      • memory/4584-142-0x0000000000000000-mapping.dmp
        Download
      • memory/4604-135-0x0000000000000000-mapping.dmp
        Download