General

  • Target

    7aac112635cbde748a97b38f6a52aaebbc3f0050f81cf36ccdc6c294c214fd73

  • Size

    909KB

  • Sample

    220520-tcr3naaad7

  • MD5

    23296cd80227f6ca6d00221d42c1c7af

  • SHA1

    72cfda2bb3914e5696c7f233daa515a2028ab2ef

  • SHA256

    7aac112635cbde748a97b38f6a52aaebbc3f0050f81cf36ccdc6c294c214fd73

  • SHA512

    68778a1c82b7ad2aeea4d4436ff37de5034bb234185c52c729561606f71b04548cdb1c08051580faf3838b815f0f832e6a1124d68c0d54fb4eec7d782275fc2f

Score
10/10

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\User Account Pictures\C49A25-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted. All encrypted files for this computer has extension: .c49a25
--
If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery.
--
Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog.
--
Steps to get access on our website:
1.Download and install tor-browser: https://torproject.org/
2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
3.Put your personal code in the input form:
{code_c49a25: Ly1ex+JARvEsaQfLWuY/vTfNgciuZdM1RnE5M3RcKSVnP6sF3t
zFNXiV/vlrpJnYVwxmSFwcheHfxY6pYSp31f2TusIVDX0e9eFr
p6iz5vKl+a59d6a9KYryhp3fZBXF/3jN6RyO6qmlw4967kx5lt
aIHtxY8r2IS9HU0QwKJjoXojyUOZMma4aOPYo1AndSSMVbZfe2
5MuVoYCjjnj+JdojivpDVuI0Un4QhwvTopl6/LxKYYuMbyx4aE
KdznrSugkAiL56XYkQVUINw1jPSbX8wca4+ExvoA==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Extracted

Path

C:\odt\1CC86D-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted. All encrypted files for this computer has extension: .1cc86d
--
If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery.
--
Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog.
--
Steps to get access on our website:
1.Download and install tor-browser: https://torproject.org/
2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
3.Put your personal code in the input form:
{code_1cc86d: RvkE5Kz0oocErZnVcSruZO8pgOjhWi7Ab/hd9HBTLWp+fW1Vva
pXFh6kTRNrP7TBLAPJh55ud29k0l2R9n6IBXpzd7Lie4hj9eFr
pz8qDcZfiN9pSZoyXwl90Jpq4T2bpmUsIs13VoiExChxgq+KKK
H1JJDQ7acxcgkZ83opvZ+jJbvMiTlMUsCTOomLWM6lQSgNwQ8F
XUKARQHl0yw2VtMhOXOcLJrybHqdBaIO/dfDEwWB5ZBShhY0PB
E/8Ci9/q4x0irRlU4Yfs/PqKExfbxxNSGepdS1JA==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
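The two extracted notes above come from the same sample yet carry different IDs (c49a25 and 1cc86d), so the file extension, the `{code_…}` key and the `<ID>-Readme.txt` name are per-infection values, not stable indicators for the family; the onion portals and the note layout are what stay constant. The script below is an added example, not code from the sandbox report or from the malware. It parses a note of this layout into hunt-ready fields (extension, victim ID, onion URLs, decoded personal code), refuses a note whose extension and code ID disagree, and matches a file listing against both the infection-specific values and the generic note-name pattern. The embedded note is the first one above with its paragraph breaks and 50-column code wrap reconstructed; the file listing is constructed for the demo, and the helper names (`parse_note`, `hunt_paths`, `is_netwalker_readme`) are my own.

```python
# Added example: parse a Netwalker ransom note into hunt-ready IOCs (not code from the report or the malware).
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

# Note dropped at C:\ProgramData\Microsoft\User Account Pictures\C49A25-Readme.txt, transcribed from the
# report above; paragraph breaks and the 50-column wrap of the code blob are reconstructed.
NOTE_C49A25 = """Hi!
Your files are encrypted.
All encrypted files for this computer has extension: .c49a25
--
If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down,
and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept
that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery.
--
Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate
with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they
will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free.
Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and
if you do not cooperate with us, it will become publicly available on our blog.
--
Steps to get access on our website:
1.Download and install tor-browser: https://torproject.org/
2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
3.Put your personal code in the input form:
{code_c49a25: Ly1ex+JARvEsaQfLWuY/vTfNgciuZdM1RnE5M3RcKSVnP6sF3t
zFNXiV/vlrpJnYVwxmSFwcheHfxY6pYSp31f2TusIVDX0e9eFr
p6iz5vKl+a59d6a9KYryhp3fZBXF/3jN6RyO6qmlw4967kx5lt
aIHtxY8r2IS9HU0QwKJjoXojyUOZMma4aOPYo1AndSSMVbZfe2
5MuVoYCjjnj+JdojivpDVuI0Un4QhwvTopl6/LxKYYuMbyx4aE
KdznrSugkAiL56XYkQVUINw1jPSbX8wca4+ExvoA==}
"""

EXT_RE = re.compile(r"extension:\s*(\.[0-9a-f]{6})\b", re.I)
ONION_RE = re.compile(r"\b([a-z2-7]{56}\.onion)\b")                # v3 onion: 56 base32 chars
CODE_RE = re.compile(r"\{code_([0-9a-f]{6}):\s*([A-Za-z0-9+/=\s]+?)\}", re.I)
README_RE = re.compile(r"^[0-9a-f]{6}-Readme\.txt$", re.I)           # <ID>-Readme.txt, any ID


@dataclass(frozen=True)
class NetwalkerNote:
    extension: str                 # per-infection suffix, e.g. ".c49a25"
    victim_id: str                 # the same six hex digits, e.g. "c49a25"
    onion_urls: tuple[str, ...]    # portal and fallback, in the order the note lists them
    code: bytes                    # decoded "personal code" blob (opaque; keep as evidence, never paste it)


def parse_note(text: str) -> NetwalkerNote:
    """Parse a Netwalker-style note; raise ValueError if fields are missing or inconsistent."""
    m_ext, m_code = EXT_RE.search(text), CODE_RE.search(text)
    if not (m_ext and m_code):
        raise ValueError("extension line or {code_...} block not found")
    ext, victim_id = m_ext.group(1).lower(), m_code.group(1).lower()
    if ext != "." + victim_id:
        raise ValueError(f"extension {ext} does not match code id {victim_id}")
    b64 = re.sub(r"\s+", "", m_code.group(2))                        # undo the column wrap
    code = base64.b64decode(b64, validate=True)                      # reject stray characters
    onions = tuple(dict.fromkeys(ONION_RE.findall(text)))            # de-duplicate, keep order
    return NetwalkerNote(ext, victim_id, onions, code)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def is_netwalker_readme(path: str) -> bool:
    """Generic check on the drop-note naming scheme; works whatever ID the infection used."""
    return bool(README_RE.match(basename(path)))


def hunt_paths(note: NetwalkerNote, paths: list[str]) -> list[str]:
    """Paths tied to this specific infection: files with its extension and its own drop note."""
    own_note = f"{note.victim_id}-readme.txt"
    return [p for p in paths if p.lower().endswith(note.extension) or basename(p).lower() == own_note]


# Constructed file listing for the demo; the two *-Readme.txt paths are the real drop locations from
# the report, the other entries are made up.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.c49a25",
    r"C:\ProgramData\Microsoft\User Account Pictures\C49A25-Readme.txt",
    r"C:\odt\1CC86D-Readme.txt",          # second note from the same sample: different ID, so no hit below
    r"C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    note = parse_note(NOTE_C49A25)
    print(note.extension, note.victim_id, f"{len(note.code)}-byte code")
    print("\n".join(note.onion_urls))
    print("this infection:", hunt_paths(note, SAMPLE_PATHS))
    print("any Netwalker note:", [p for p in SAMPLE_PATHS if is_netwalker_readme(p)])
```

`hunt_paths` finds only the budget spreadsheet and the C49A25 note; the 1CC86D note from the same sample is missed, which is the point: pivot on the generic `is_netwalker_readme` pattern and on the onion URLs when sweeping other hosts, and treat the six-hex-digit extension as a per-host detail for scoping that one infection.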

Targets

    • Target

      7aac112635cbde748a97b38f6a52aaebbc3f0050f81cf36ccdc6c294c214fd73

    • Size

      909KB

    • MD5

      23296cd80227f6ca6d00221d42c1c7af

    • SHA1

      72cfda2bb3914e5696c7f233daa515a2028ab2ef

    • SHA256

      7aac112635cbde748a97b38f6a52aaebbc3f0050f81cf36ccdc6c294c214fd73

    • SHA512

      68778a1c82b7ad2aeea4d4436ff37de5034bb234185c52c729561606f71b04548cdb1c08051580faf3838b815f0f832e6a1124d68c0d54fb4eec7d782275fc2f

    Score
    10/10
    • Netwalker Ransomware

      Ransomware family with multiple versions. Also known as MailTo.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.
