Overview

overview

10

Static

static

7aac112635...73.ps1

windows7_x64

10

7aac112635...73.ps1

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    43s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 15:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7aac112635cbde748a97b38f6a52aaebbc3f0050f81cf36ccdc6c294c214fd73.ps1

  • Size

    909KB

  • MD5

    23296cd80227f6ca6d00221d42c1c7af

  • SHA1

    72cfda2bb3914e5696c7f233daa515a2028ab2ef

  • SHA256

    7aac112635cbde748a97b38f6a52aaebbc3f0050f81cf36ccdc6c294c214fd73

  • SHA512

    68778a1c82b7ad2aeea4d4436ff37de5034bb234185c52c729561606f71b04548cdb1c08051580faf3838b815f0f832e6a1124d68c0d54fb4eec7d782275fc2f

Score
10/10
netwalkerransomware

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\User Account Pictures\C49A25-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted. All encrypted files for this computer has extension: .c49a25 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_c49a25: Ly1ex+JARvEsaQfLWuY/vTfNgciuZdM1RnE5M3RcKSVnP6sF3t zFNXiV/vlrpJnYVwxmSFwcheHfxY6pYSp31f2TusIVDX0e9eFr p6iz5vKl+a59d6a9KYryhp3fZBXF/3jN6RyO6qmlw4967kx5lt aIHtxY8r2IS9HU0QwKJjoXojyUOZMma4aOPYo1AndSSMVbZfe2 5MuVoYCjjnj+JdojivpDVuI0Un4QhwvTopl6/LxKYYuMbyx4aE KdznrSugkAiL56XYkQVUINw1jPSbX8wca4+ExvoA==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

  • Netwalker Ransomware

    Ransomware family with multiple versions. Also known as MailTo.

    ransomwarenetwalker
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies extensions of user files
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1284
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\7aac112635cbde748a97b38f6a52aaebbc3f0050f81cf36ccdc6c294c214fd73.ps1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:844
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7dfnnzc3.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1208
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB84.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8029.tmp"
          4⤵
            PID:2036
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kq9cl3jo.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2032
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC728.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC727.tmp"
            4⤵
              PID:2004
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1664

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\7dfnnzc3.dll
        Filesize

        6KB

        MD5

        d74e125742b6ca0b19ffd3b58b960841

        SHA1

        78584c072362d8de60e817310f287268d58264e4

        SHA256

        b2e772d0f1e0794dca8bc7d21e10ef762c3f816a849808347b2a6edf10b7cf04

        SHA512

        929a644a9ef35903d24ed3ca6b1492389565b400440c5e56f46bad161338bc4b0801de7b37e32bd44cae945c0b36d5d9bf8289bb1140fd0eae64a4ff501f2d7d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\7dfnnzc3.pdb
        Filesize

        7KB

        MD5

        387f969194eb2aa6a3aaa760900debf7

        SHA1

        a7b973ae6c8041c3ec4b9e7f42572b53f71c7317

        SHA256

        596fc75e3a6f6417b41ccc2ebe1ad07ca7d88b50c07822d710048dd7df3702e0

        SHA512

        26970b6fd204e2bc2b91b01b4e7438c236d0dfb00edf904b8085a3481465fa9440015f6e9d7079180ed54d5c01828dadce4ebf595bdacb01bcede52bdae7521a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\RESBB84.tmp
        Filesize

        1KB

        MD5

        caa09151fd7d25034e5765a8431b909b

        SHA1

        af51de94ebffebbd1a85687b0f7c8e2a61ea398b

        SHA256

        c1e0bc669bba8e79feca985351db02f4d9d4cc2d17b4817a92fcd0df59d98475

        SHA512

        cce9681cb588d27bf02ead94a9793ee909e8cb58fb23f510c6361529b8403441e5221521a651ce2ed2247db203901e850bc85db279d033d26fa185903733b792

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\RESC728.tmp
        Filesize

        1KB

        MD5

        ff8cc1ebf5fb894262d3f20033600f49

        SHA1

        6e4170cfd8f62a7b84586ca08a417e1c0fb8b908

        SHA256

        dc3500c17e1841fbb9f43ff538a19b02240fc08c8cb066d671f19ba8f0e5f13e

        SHA512

        5bf952854b887cbe321a658ecd7458483382741da8e87b101aba1662c94f0dea6daeb2fa8b54578b42f877b6ea91836f3ce67072e565d27f9bffcc8c58a9c2c3

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\kq9cl3jo.dll
        Filesize

        4KB

        MD5

        51b3c7b96353430b621927b28d4cd276

        SHA1

        5d3433b450c16def2745f558e6b8806c7a64cdcd

        SHA256

        e818de3c78df2587e1dbb3c1293f01a6082f275b5b1138e98b965f3bc743fc1c

        SHA512

        08d5d9558bc0ea94b8cf97f516e437c3d571f8fc880bfa29d4402304d53d2fff236325a761247aeb1f6027bdbcefa9d1abf2fa38c887acc7fd43f3e629970a7b

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\kq9cl3jo.pdb
        Filesize

        7KB

        MD5

        a60f550cd44840c11f036c579767a9f9

        SHA1

        cce13ac22fed81bae50705d018af3b7499bcd6f1

        SHA256

        c65ced762cae38e10f5834a4139c30e751dbb04c2d505d97d7d34e793b0d3d47

        SHA512

        6d24b8f519a8c8d2337aee7a6747dee203b252f93140c79f15f46087eb4d06724b99e858184b0693664713f13523ed70473315a5d2ee03268afeaa352bcc80b0

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\7dfnnzc3.0.cs
        Filesize

        8KB

        MD5

        adb821d681853bdb5f96815a435533c3

        SHA1

        f10358ae09199affc58a4c4b9b31677612252762

        SHA256

        42fd2b1e45721ff7f27ec7ba2f9fd7840f03d38442da3fbf25ea687c4e5fcf68

        SHA512

        14f6a680c227635e826b5e3b6b843b95d4b02f2a99581e9d67cf53fe4d08dae1217f6ecc42c2ac1409887e3b88fc65c0589b06beeec80dfb5441ca117a58777e

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\7dfnnzc3.cmdline
        Filesize

        309B

        MD5

        133a9e79ccddc747ff7572fdf1154623

        SHA1

        01240af87022b75c3c22ee6ff2dceadcc7772a3e

        SHA256

        edc7692f5ae7cb8b11beaaa4d5a6671b79312c85e03aaf93c0577b2d379aadcc

        SHA512

        a36513f9d82b5b72cc1e4a26fd94b001bf295a4006dcd9bdb1be6edafb9e131431063aa5a247efd0a14b21529b70097ecfec9fb5256ee7de6f19e2c6c7572fed

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\CSC8029.tmp
        Filesize

        652B

        MD5

        978bf5ed243e4625ee4fd90d9ebe70e3

        SHA1

        50934214c325c2764e40efdb9a0cea899dde25c3

        SHA256

        1598132d987bd574523caf9fa4040036bd8ff82db41cca40d29a8128be784d50

        SHA512

        310485daeaa97df9ccd92fcf269e937a57c60cc6674a64f57bea5cab96c92d32fe237269b3d2a707ef8b240094ed7cccc5680fa3bc4c1da6345f6aff4bdfe3ee

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\CSCC727.tmp
        Filesize

        652B

        MD5

        385275ab93f7879081635c4a7c940b2a

        SHA1

        9637d485a627cae4d5bac54c712a32432367b039

        SHA256

        9646b0a72b2d7442ee8ea9a8dbd505865b0736e3944d9bf1f132f129af956ee8

        SHA512

        98f1087262b2992b5ce62f4bf20b93db26097db8876831f812c3801555a3b16cd351391f1e2028d7eed92b23b07776dde5dee3b8279a1b0298cda52c265ff631

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\kq9cl3jo.0.cs
        Filesize

        2KB

        MD5

        aefa890f6d791978020f664840a0e823

        SHA1

        0c6fe24d21f924ae96244b34fb0581bdede8f3b4

        SHA256

        9590adbe5616b3efb6439412a0fd56f95cad0264467735846457f914abcd940d

        SHA512

        6fe262134fc58d8ef3d3fd8fcf5695e0e7957d14e35915fc6d78abf677f13fe73c22d5950e6c6a6acaab3b02002250647b58ed826d1a7bdbe6f3068fa1ccb0ea

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\kq9cl3jo.cmdline
        Filesize

        309B

        MD5

        32d9f9fd6684aacfd2c20cb44670707e

        SHA1

        03c7ff2399a9edd09c3b5724d7f8982037310286

        SHA256

        d26900142ac17f7bd2187d136ee5c08fb0288cde2441a5cea71fe83fc1896e56

        SHA512

        a3a92464a3c8d33c8e1c8941f638e05332d5e131ca46874e9ecb780773e28196f5e238d309391bca8c9a7f538e311379e01bf17fb51f8ca40ebbe2baabd27d71

        Download Submit
      • memory/844-57-0x00000000025AB000-0x00000000025CA000-memory.dmp
        Filesize

        124KB

        Download
      • memory/844-54-0x000007FEFBCC1000-0x000007FEFBCC3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/844-56-0x00000000025A4000-0x00000000025A7000-memory.dmp
        Filesize

        12KB

        Download
      • memory/844-55-0x000007FEF34F0000-0x000007FEF404D000-memory.dmp
        Filesize

        11.4MB

        Download
      • memory/1208-58-0x0000000000000000-mapping.dmp
        Download
      • memory/1284-74-0x0000000002A60000-0x0000000002A82000-memory.dmp
        Filesize

        136KB

        Download
      • memory/1284-76-0x0000000002A60000-0x0000000002A82000-memory.dmp
        Filesize

        136KB

        Download
      • memory/2004-69-0x0000000000000000-mapping.dmp
        Download
      • memory/2032-66-0x0000000000000000-mapping.dmp
        Download
      • memory/2036-61-0x0000000000000000-mapping.dmp
        Download