Analysis

  • max time kernel
    171s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 15:55

General

  • Target

    7aac112635cbde748a97b38f6a52aaebbc3f0050f81cf36ccdc6c294c214fd73.ps1

  • Size

    909KB

  • MD5

    23296cd80227f6ca6d00221d42c1c7af

  • SHA1

    72cfda2bb3914e5696c7f233daa515a2028ab2ef

  • SHA256

    7aac112635cbde748a97b38f6a52aaebbc3f0050f81cf36ccdc6c294c214fd73

  • SHA512

    68778a1c82b7ad2aeea4d4436ff37de5034bb234185c52c729561606f71b04548cdb1c08051580faf3838b815f0f832e6a1124d68c0d54fb4eec7d782275fc2f

Score
10/10

Malware Config

Extracted

Path

C:\odt\1CC86D-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted.
All encrypted files for this computer has extension: .1cc86d
--
If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery.
--
Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program.
Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.
For us this is just business and to prove to you our seriousness, we will decrypt you one file for free.
Just open our website, upload the encrypted file and get the decrypted file for free.
Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog.
--
Steps to get access on our website:
1.Download and install tor-browser: https://torproject.org/
2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
3.Put your personal code in the input form:
{code_1cc86d: RvkE5Kz0oocErZnVcSruZO8pgOjhWi7Ab/hd9HBTLWp+fW1Vva
pXFh6kTRNrP7TBLAPJh55ud29k0l2R9n6IBXpzd7Lie4hj9eFr
pz8qDcZfiN9pSZoyXwl90Jpq4T2bpmUsIs13VoiExChxgq+KKK
H1JJDQ7acxcgkZ83opvZ+jJbvMiTlMUsCTOomLWM6lQSgNwQ8F
XUKARQHl0yw2VtMhOXOcLJrybHqdBaIO/dfDEwWB5ZBShhY0PB
E/8Ci9/q4x0irRlU4Yfs/PqKExfbxxNSGepdS1JA==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
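The extracted config above is the per-victim part of a Netwalker note: a six-hex-character ID that reappears as the encrypted-file extension (.1cc86d), in the note filename (1CC86D-Readme.txt) and in the code_ tag. The following is an added example, not sandbox output or malware code: it pulls those fields out of a note and then uses the ID to tie ransom notes on a host to the files that were encrypted alongside them. The note text is a constructed, shortened stand-in that keeps the report's extension and onion hostnames with a placeholder personal code; the file listing is constructed.

```python
import re
from pathlib import PureWindowsPath

# Constructed, shortened stand-in for the note the sandbox extracted above.
# The extension and the two onion hostnames are the ones in the report; the
# personal code is a placeholder, not the victim code from the real note.
SAMPLE_NOTE = """Hi! Your files are encrypted.
All encrypted files for this computer has extension: .1cc86d
--
Steps to get access on our website:
1.Download and install tor-browser: https://torproject.org/
2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
3.Put your personal code in the input form:
{code_1cc86d: QUFBQUFBQUFB
QkJCQkJCQkJC
Q0NDQ0ND==}
"""

# Constructed file listing for a host; the first note path is the one in the
# report, the document paths are invented.
SAMPLE_PATHS = [
    r"C:\odt\1CC86D-Readme.txt",
    r"C:\Users\Admin\Documents\budget.xlsx.1cc86d",
    r"C:\Users\Admin\Pictures\holiday.jpg.1cc86d",
    r"C:\Users\Admin\Documents\notes.txt",
    r"C:\Users\Admin\Documents\1CC86D-Readme.txt",
    r"C:\Users\Admin\Downloads\old.zip.a1b2c3",   # unrelated extension, must not match
]

EXT_RE = re.compile(r"extension:\s*(\.[0-9a-f]{6})\b", re.I)
ONION_RE = re.compile(r"\b([a-z2-7]{16,56})\.onion\b")
CODE_RE = re.compile(r"\{code_([0-9a-f]{6}):\s*([A-Za-z0-9+/=\s]+?)\}", re.I)
NOTE_NAME_RE = re.compile(r"^([0-9a-f]{6})-Readme\.txt$", re.I)


def parse_note(text):
    """Pull the per-victim configuration out of a Netwalker-style note."""
    ext = EXT_RE.search(text)
    code = CODE_RE.search(text)
    return {
        "extension": ext.group(1).lower() if ext else None,
        "onion_hosts": sorted(set(ONION_RE.findall(text))),
        "code_id": code.group(1).lower() if code else None,
        # the note line-wraps the base64 blob; collapse whitespace before storing it
        "victim_code": re.sub(r"\s+", "", code.group(2)) if code else None,
    }


def consistent(cfg):
    """The six-hex-char ID must agree between the extension and the code_ tag."""
    if cfg["extension"] is None or cfg["code_id"] is None:
        return False
    return cfg["extension"] == "." + cfg["code_id"]


def triage_paths(paths):
    """Group ransom notes by ID, then collect files whose extension is that ID."""
    notes = {}
    for p in paths:
        m = NOTE_NAME_RE.match(PureWindowsPath(p).name)
        if m:
            notes.setdefault(m.group(1).lower(), []).append(p)
    encrypted = {vid: [] for vid in notes}
    for p in paths:
        vid = PureWindowsPath(p).suffix.lower().lstrip(".")
        if vid in encrypted:
            encrypted[vid].append(p)
    return notes, encrypted


if __name__ == "__main__":
    cfg = parse_note(SAMPLE_NOTE)
    print(cfg, "consistent:", consistent(cfg))
    notes, enc = triage_paths(SAMPLE_PATHS)
    for vid in notes:
        print(vid, len(notes[vid]), "notes,", len(enc[vid]), "encrypted files")
```

Keying the file search on the ID taken from the note rather than on a hard-coded extension matters because the ID is generated per victim; a rule that only looks for `.1cc86d` would miss every other infection of the same family.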

Signatures

  • Netwalker Ransomware

    Ransomware family with multiple versions. Also known as MailTo.

  • Drops file in Program Files directory (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (10 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    PID:2040
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\7aac112635cbde748a97b38f6a52aaebbc3f0050f81cf36ccdc6c294c214fd73.ps1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3124
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\51dyorgf\51dyorgf.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4088
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD55.tmp" "c:\Users\Admin\AppData\Local\Temp\51dyorgf\CSCA71FDB7FD3054FFEB43CE53FB16D63E9.TMP"
          4⤵
            PID:3712
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sxogbhan\sxogbhan.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4416
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE052.tmp" "c:\Users\Admin\AppData\Local\Temp\sxogbhan\CSCA368EE1A9EC640D788C6AEC93D30A5E4.TMP"
            4⤵
              PID:4324
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4824
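The tree above is the detection-relevant part of this report: powershell.exe is launched with `-ExecutionPolicy bypass -File` on a script in the user's Temp directory, and it twice spawns csc.exe with a response file in a random-named Temp subdirectory, each followed by cvtres.exe. That csc.exe/cvtres.exe pair driven by a `.cmdline` file under Temp is the artifact pattern PowerShell's Add-Type leaves when it compiles inline C#, and the `.0.cs` sources listed under Downloads are what was compiled. Note also that the behaviours the sandbox attributes to Explorer.EXE (PID 2040, file drops in Program Files, privilege adjustment) belong to a process that never ran the script, while powershell.exe is the one flagged for WriteProcessMemory; the report does not name the target of those writes, so reading this as the script writing its payload into Explorer is an inference, not something the page states. The code below is an added example, not sandbox output: it replays the tree as process-creation events and flags the two links of the chain. The PIDs, images and command lines are taken from the report; the parent pid of 0 for Explorer.EXE and vssvc.exe is constructed because the report gives neither a parent.

```python
import re

# Process-creation events reconstructed from the tree in the report above
# (pid, parent pid, image, command line). The report gives no parent for
# Explorer.EXE or vssvc.exe, so those get a constructed parent pid of 0.
EVENTS = [
    {"pid": 2040, "ppid": 0, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 3124, "ppid": 2040, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\7aac112635cbde748a97b38f6a52aaebbc3f0050f81cf36ccdc6c294c214fd73.ps1"},
    {"pid": 4088, "ppid": 3124, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\51dyorgf\51dyorgf.cmdline"'},
    {"pid": 3712, "ppid": 4088, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD55.tmp" "c:\Users\Admin\AppData\Local\Temp\51dyorgf\CSCA71FDB7FD3054FFEB43CE53FB16D63E9.TMP"'},
    {"pid": 4416, "ppid": 3124, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sxogbhan\sxogbhan.cmdline"'},
    {"pid": 4324, "ppid": 4416, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE052.tmp" "c:\Users\Admin\AppData\Local\Temp\sxogbhan\CSCA368EE1A9EC640D788C6AEC93D30A5E4.TMP"'},
    {"pid": 4824, "ppid": 0, "image": r"C:\Windows\system32\vssvc.exe",
     "cmdline": r"C:\Windows\system32\vssvc.exe"},
]

PS_BYPASS_RE = re.compile(r"-executionpolicy\s+bypass", re.I)
TEMP_SCRIPT_RE = re.compile(r"-file\s+\S*\\appdata\\local\\temp\\\S+\.ps1", re.I)
# csc.exe driven by a response file in a random-named Temp subdirectory: the
# artifact pattern PowerShell's Add-Type leaves when it compiles inline C#.
# Group 1 captures that subdirectory so it can be collected afterwards.
CSC_RESP_RE = re.compile(r'@"?[^"\s]*\\appdata\\local\\temp\\([^"\\\s]+)\\[^"\s]+\.cmdline', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid, pid):
    """Image names from the root process down to pid."""
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def detect(events):
    """Flag a policy-bypassed script run from Temp, and csc.exe compiles that
    PowerShell launched from a Temp response file."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img = basename(e["image"])
        if img == "powershell.exe" and PS_BYPASS_RE.search(e["cmdline"]) \
                and TEMP_SCRIPT_RE.search(e["cmdline"]):
            findings.append({"rule": "ps_bypass_temp_script", "pid": e["pid"],
                             "chain": ancestry(by_pid, e["pid"])})
        elif img == "csc.exe":
            parent = by_pid.get(e["ppid"])
            m = CSC_RESP_RE.search(e["cmdline"])
            if parent and basename(parent["image"]) == "powershell.exe" and m:
                findings.append({"rule": "ps_inline_csharp_compile", "pid": e["pid"],
                                 "tempdir": m.group(1), "chain": ancestry(by_pid, e["pid"])})
    return findings


def compile_dirs(findings):
    """Temp subdirectories worth collecting: each holds the .0.cs source csc compiled."""
    return sorted({f["tempdir"] for f in findings if "tempdir" in f})


if __name__ == "__main__":
    hits = detect(EVENTS)
    for h in hits:
        print(h["rule"], h["pid"], " -> ".join(h["chain"]))
    print("collect:", compile_dirs(hits))
```

The csc.exe rule is deliberately tied to a PowerShell parent and a Temp response file: build servers and admin scripts also compile C# through Add-Type, so the compile on its own is not an alert, but the combination with the bypass-from-Temp parent is. The example does not alert on vssvc.exe; its appearance as a root-level service start is consistent with a Volume Shadow Copy request from somewhere in this run, but the report shows no command that triggered it, so there is nothing on the page to match against.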

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\51dyorgf\51dyorgf.dll
        Filesize

        6KB

        MD5

        0d94d585b3b30e70429d2f7e6d740408

        SHA1

        d330a636ed016adb5c0ae337e7df937839e9b7c2

        SHA256

        9bf5ded87e06733702da9a1f7bc8760aebd6b73d142d6f5c0694f487ed22116b

        SHA512

        67f7cbbf6a778ba99bf1d71d68dec43a57d6efeca71e64d1d8b9041f8002d3f1978ae07a8cc1b46b6a229bd94e44eb1c38fc31d0d3f3bb798315151aa319d449

      • C:\Users\Admin\AppData\Local\Temp\RESDD55.tmp
        Filesize

        1KB

        MD5

        f176a3a5d1f21660ad0e9250bc0b2de1

        SHA1

        b1c2f6e644344a8e06431ef650cb0cbab5e39ac5

        SHA256

        7a80312ed303fcdff30228f0d36367e3d523629e3531212a3a796111b58f3254

        SHA512

        8915ba084a3d915c221728c9bd70743b4e680d0360de4be58fe7731b4856b5546d6ca28453371d780c21ea03bfdab0e0d35c1f706b102743e8fc4f2f427c88f7

      • C:\Users\Admin\AppData\Local\Temp\RESE052.tmp
        Filesize

        1KB

        MD5

        673105badecab1e11e82f0445c0fbd69

        SHA1

        e478dbe0bb34755685927e3a60ab4f7ea8f972d9

        SHA256

        c4ccd2116a898f66af5dc62fbe62571a862d3b48ad955d7948edaf071105f80b

        SHA512

        7bf29c1c7048e838d92be106a40c76374a590fd2c1fe71965e237268532f62ccc03e352e783fb8f99a8824ca3486fa24d3b35225df2811846427941f027b655e

      • C:\Users\Admin\AppData\Local\Temp\sxogbhan\sxogbhan.dll
        Filesize

        4KB

        MD5

        d954eadfa39f34c7506b1f7eb09d8b2e

        SHA1

        4d63094447b4b04a5ddd93a7013b70bbaea51020

        SHA256

        3e0831ff8b8f62b6d2e126bb3b2cf9ab20e2f12ca086f58edeb25017fbc0aa47

        SHA512

        1ccfdcfc45e4269b0d35bc656e090a3ca0d5580740f6563c08b06ad4a103a03683367bb30c2473e541a1da3671d04a7aa900658c9c4078fab501045f8909e5ad

      • \??\c:\Users\Admin\AppData\Local\Temp\51dyorgf\51dyorgf.0.cs
        Filesize

        8KB

        MD5

        adb821d681853bdb5f96815a435533c3

        SHA1

        f10358ae09199affc58a4c4b9b31677612252762

        SHA256

        42fd2b1e45721ff7f27ec7ba2f9fd7840f03d38442da3fbf25ea687c4e5fcf68

        SHA512

        14f6a680c227635e826b5e3b6b843b95d4b02f2a99581e9d67cf53fe4d08dae1217f6ecc42c2ac1409887e3b88fc65c0589b06beeec80dfb5441ca117a58777e

      • \??\c:\Users\Admin\AppData\Local\Temp\51dyorgf\51dyorgf.cmdline
        Filesize

        369B

        MD5

        c8e9818ef5f038fb297839e47dcaede5

        SHA1

        9b01f1f3e9477f900cd351cd897b0a9d55f1d1d0

        SHA256

        50b722ae4a5739700b8fba74f46443b28836741da84b14afc8f9cf952c745efd

        SHA512

        fe57fe6e49b4518d848d4579746c0eadb9a7ceeeea654c4d8982455d00635a7371d65fa3ad10b9914ead94d6d620c101df7e6ac3c683f253e71ec3ce98a8baa7

      • \??\c:\Users\Admin\AppData\Local\Temp\51dyorgf\CSCA71FDB7FD3054FFEB43CE53FB16D63E9.TMP
        Filesize

        652B

        MD5

        a3db5fd85f6dd495594cbc69c72c678d

        SHA1

        b4497abb688aacef8e7599a440098af213e10d3a

        SHA256

        a9bb7e49e8cd4c67d37e78788f87a567317b7a770199fbf99d8311a155fdb54c

        SHA512

        3467683cc4557a69a95c50aa2c20ac6e724eb7f606bea0008a6998bf3beda99cb63d41e7c3d9e126e63c3e1b0c2ec43e6d9f059c877e3df44e984eb68eb56737

      • \??\c:\Users\Admin\AppData\Local\Temp\sxogbhan\CSCA368EE1A9EC640D788C6AEC93D30A5E4.TMP
        Filesize

        652B

        MD5

        14d3e8068e815f3b8dd734a6c8b8763d

        SHA1

        cfa33b0e4ef661ab62276451b50c74cb717cfc86

        SHA256

        837f9c4df0f9a4674157c974dfe9acc7d4ceaf62de02c643a81a6562f3da4c78

        SHA512

        e139b5d530053a429044e67f2605225c0cd694fe2460042864506e27fc534ff3e0557e1b45427ae2e2d855fe40691fe466bf7f8900f4aea199b1957edd0642f6

      • \??\c:\Users\Admin\AppData\Local\Temp\sxogbhan\sxogbhan.0.cs
        Filesize

        2KB

        MD5

        aefa890f6d791978020f664840a0e823

        SHA1

        0c6fe24d21f924ae96244b34fb0581bdede8f3b4

        SHA256

        9590adbe5616b3efb6439412a0fd56f95cad0264467735846457f914abcd940d

        SHA512

        6fe262134fc58d8ef3d3fd8fcf5695e0e7957d14e35915fc6d78abf677f13fe73c22d5950e6c6a6acaab3b02002250647b58ed826d1a7bdbe6f3068fa1ccb0ea

      • \??\c:\Users\Admin\AppData\Local\Temp\sxogbhan\sxogbhan.cmdline
        Filesize

        369B

        MD5

        fa02e54fb235abc9ffc0f96a3e3b4947

        SHA1

        6549cbdfef1c4510509907c227ec6bb134cf874a

        SHA256

        87c52e3a2ce1115cbbae8ee27a792aa395852bc1db094356cb8e1d45a5db1f6a

        SHA512

        b7346b903078fc3387efee3e865c02c74404a47107a743707e434700511dd506273adabfe6b7c3ba2b969ee165265dc54f2055425af994784d07dcd4ec0ab28c

      • memory/2040-146-0x0000000000580000-0x00000000005A2000-memory.dmp
        Filesize

        136KB

      • memory/3124-130-0x00000295589B0000-0x00000295589D2000-memory.dmp
        Filesize

        136KB

      • memory/3124-131-0x00007FFAB78F0000-0x00007FFAB83B1000-memory.dmp
        Filesize

        10.8MB

      • memory/3712-135-0x0000000000000000-mapping.dmp
      • memory/4088-132-0x0000000000000000-mapping.dmp
      • memory/4324-142-0x0000000000000000-mapping.dmp
      • memory/4416-139-0x0000000000000000-mapping.dmp