Analysis

  • max time kernel
    1803s
  • max time network
    1600s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-09-2022 17:54

General

  • Target

    RansomwareSamples/NetWalker_19_10_2020_903KB.ps1

  • Size

    902KB

  • MD5

    7770c598848339cf3562b7480856d584

  • SHA1

    b3d39042aab832b7d2bed732c8b8e600a4cf5197

  • SHA256

    ee3b0468a16789da8706d46aa361049ec51586c36899646a596b630d913e7304

  • SHA512

    02af6d5910f0627074fbea72901b2f2b491f7dba58f53ae1fad1dc47230e000a7b459c8475a76aaf006629bb5822d89d4672d32fb64d073464ca41140cb134d2

  • SSDEEP

    6144:KxYcCQ2x63Ib0NQrqxpPbI1ZVedvUhwDNGjG+zBumDKemdglhykA:KCQ2x6TdvUqDUjG+zBumDKemdgy9

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\BE4FC4-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted. All encrypted files for this computer has extension: .be4fc4

If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery.

Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, you must know that your sensitive data has been stolen by our analyst experts and if you choose to no cooperate with us, you are exposing yourself to huge penalties with lawsuits and government if we both don't find an agreement. We have seen it before; cases with multi million costs in fines and lawsuits, not to mention the company reputation and losing clients trust and the medias calling non-stop for answers. Come chat with us and you could be surprised on how fast we both can find an agreement without getting this incident public.

Steps to get access on our website:
1. Download and install tor-browser: https://torproject.org/
2. Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
   If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
3. Put your personal code in the input form:
{code_be4fc4: fxQouqNSKYy8q3a/7O2ZbUjOBTs7ufQlspjGyuwE3w4Rtbzm8d
+mBYqUOMNX9y1K+SQCjDmrArNtmZQ/EZx6RacI6XB7UVQDkTQh
0hjET77DlzEd05L32aXJBaqUnVTBjnbSELZSoLOB2NR7XlTR1x
DFULC75PYl4D5O72ArVjJo07rMzEc9ycD+n4rSC4Q8W3bYAwa+
eiPrV11152Yb40gLHjQ0zKU8S+mTXB7MH/7lN+8uGX2RsUQANP
30pJnNnRHjqKqqZz/gSZHTSjalVYiKVvuasKwEdQ==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

  • Netwalker Ransomware

    Ransomware family with multiple versions. Also known as MailTo.

  • Modifies extensions of user files (6 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • Drops file in Program Files directory (64 IoCs)
  • Enumerates system info in registry (2 TTPs, 4 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 4 IoCs)
  • Modifies registry class (43 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (40 IoCs)
  • Suspicious use of FindShellTrayWindow (5 IoCs)
  • Suspicious use of SendNotifyMessage (4 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies extensions of user files
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\NetWalker_19_10_2020_903KB.ps1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4132
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yfocfwtd\yfocfwtd.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2676
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8561.tmp" "c:\Users\Admin\AppData\Local\Temp\yfocfwtd\CSC9810FA4E5840405B8374A352AEA734CB.TMP"
          4⤵
          PID:728
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gd2sgmnv\gd2sgmnv.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4836
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B0E.tmp" "c:\Users\Admin\AppData\Local\Temp\gd2sgmnv\CSC260CA674ADD146B69231B4916DD38EC1.TMP"
          4⤵
          PID:4908
    • C:\Windows\system32\notepad.exe
      C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\BE4FC4-Readme.txt"
      2⤵
      PID:6184
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1552
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:6540
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:6816

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    Modify Registry (T1112): 1
  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 1

Downloads

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133076487607126064.txt
          Filesize

          71KB

          MD5

          b2a08dfbfad762fa8b0cc837be238401

          SHA1

          51a4ad8b13f5c593d8da20d4b317666022cadaef

          SHA256

          7db07e239f25c7a589416a0c10c2cd58ddc5cb67e4397c112b1cae0c324cfab9

          SHA512

          af1f3631e2b83a0e2f49e9655a0bf52f321cde5fce986eecf98ee715c62150e6b9cffa7253627ec779b2df1fcf4774e3ab4792886fd19c0aba97ec94974cc83c

        • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\B0ESNM48\www.bing[1].xml
          Filesize

          1KB

          MD5

          d3435f0a28674b514bbd7ec84e7c9d95

          SHA1

          3dc57c9137b01765e8d26218dac59f33b84ccd7e

          SHA256

          c8dbcf5bc4252528592ee6de2c0f7db5615f7586ecf98aa70b3658e8701da07c

          SHA512

          02234d3394828844c162a9457687a8218e5290aa1edbd11f012f24f1586e0b86cb38af66d89ce27ca4ed5b5cb36e1aa6be17cef4a51b4c5c99c3bfa97a31c71f

        • C:\Users\Admin\AppData\Local\Temp\RES8561.tmp
          Filesize

          1KB

          MD5

          3bff9c4e1982dc263994dda79dc26525

          SHA1

          9b5308ca8976a15912e86e3dc2d630c789390c15

          SHA256

          d8d0bad402d18fed8bc818dfc9a4a359c29406009d100d7ee1b11a2881bfb0fa

          SHA512

          938e18d1acd19e0241fa88d4f9aa678008e6819660aa330e687b01338f4873822e9b3664e1841e656aee62842a91ef340d28e627f9b84cc800b0fa68f36f2d9c

        • C:\Users\Admin\AppData\Local\Temp\RES8B0E.tmp
          Filesize

          1KB

          MD5

          1c259e0e61040b9bd4bac03726deaa35

          SHA1

          39f1fd01d0b503ee08ed8d8a466f4421401a15a1

          SHA256

          d2bcb57cc39851a8fd318d4c9592f5cb956fb4d94fa7b5294f83fa3500656f05

          SHA512

          3880641066b8aa364a155746c4da432819a8d160af7197781b154f2ef722f021a170c8e21b6c352339acc5cc3df07ff2c0c3c28dd83a73e5f4c492e9f1b51b0a

        • C:\Users\Admin\AppData\Local\Temp\gd2sgmnv\gd2sgmnv.dll
          Filesize

          4KB

          MD5

          0ef848e9530dd92f398413047aeee4f3

          SHA1

          45252a501058a7663420208b1fbfb9e57b9dd119

          SHA256

          6902d05f6f53f98b97fe559e30a43ceedb62ba7ca8c9d820486420a15cfe431a

          SHA512

          8597f925bf88d1076558739ddec503d00282076cf5f46395f00aa09b012af383ee06464a63f14ae9a16376646073fb4ac8d45045735c78e8fc27aefa70a624f6

        • C:\Users\Admin\AppData\Local\Temp\yfocfwtd\yfocfwtd.dll
          Filesize

          6KB

          MD5

          b3e44825d4b51fed8c3e148eb194b554

          SHA1

          97732418ae0886fc69a5b6b09ac156627c72813f

          SHA256

          b3001c6d193ec1af24c0c99c889744911be4cffe0c5d2ca4b3b0f65fea8dfde1

          SHA512

          d4f4d92828a7ce8fc0739cd26432284e62e3dd2a5c0d33faecf73f4d31414dc862817600b2b259ec4bc34f5679bf73f15493d8cc000dea1b6855f47682c0ef0c

        • C:\Users\Admin\Desktop\BE4FC4-Readme.txt
          Filesize

          2KB

          MD5

          b46b97d5c97c1533c06b1ffbee6b0087

          SHA1

          b595f449cac2b6b4dc9d5e9ecb3e37cd842e3c13

          SHA256

          00e8fdd0645912363983c0631de758db9fa57e5a1d468e14ac63e7913417028b

          SHA512

          401499c409168ea2e8b380dcad84db48680a87183fef3714c143084b1275f8435c90e3df83a2e628459d3540f3be8b13c5c9b0188ebba6c2df61cc093c1bd5ad

        • \??\c:\Users\Admin\AppData\Local\Temp\gd2sgmnv\CSC260CA674ADD146B69231B4916DD38EC1.TMP
          Filesize

          652B

          MD5

          3c4e596af22261bc9b799e43d23a775c

          SHA1

          5f8fcbd7ef0d1f59300036836d5ed6e56d61f81c

          SHA256

          b871286443ddb67a3f4ebdf66ffdcd1267aba3036cac81d6bd3e1a431b4a8813

          SHA512

          e1e2a04b1759b879eb8af37d3e03053b97f581f14f3ce516b981fe5381bedef7d78b642ca9d885fec7b16043c9211500dbd36389e7f717a5f6171b92ebd9bc22

        • \??\c:\Users\Admin\AppData\Local\Temp\gd2sgmnv\gd2sgmnv.0.cs
          Filesize

          2KB

          MD5

          1cae52936facd4972987d3baef367d8d

          SHA1

          ad2b4b58d20f290b9da416cef1ef305cf1df6781

          SHA256

          28b45e56fb27763b4785974e380c96eef1436fc151a802f492db25052392d400

          SHA512

          4ae36c0ac78177eea5a6e0fbab0f51f7d24c7a76eae75b67eab41fcace921cef256b02fb088e1afb3c445e59598fbea73270e6bca1eda32514221190daa501df

        • \??\c:\Users\Admin\AppData\Local\Temp\gd2sgmnv\gd2sgmnv.cmdline
          Filesize

          369B

          MD5

          029404c5e599fcbf0eedd69ea3c6ab43

          SHA1

          cf2222109177af14dfbb9f5739fe8f2025357502

          SHA256

          a89c086f8b53e309bdf12611ea071838c8162283b7b231be055c4da85591ccb5

          SHA512

          c499229f0a49f205468ea1dc7e5ed6fe60b3fbb420b86b235b323251104fc95cfcb702bba3d7a5cc0b0841edfc6b4e9506bbf3e10e99bb0a45fca7884d0eb88f

        • \??\c:\Users\Admin\AppData\Local\Temp\yfocfwtd\CSC9810FA4E5840405B8374A352AEA734CB.TMP
          Filesize

          652B

          MD5

          0594c13e862f161d3af22552ca28f4e2

          SHA1

          bdf19102aec9a4189283f51727a403e18767f3ca

          SHA256

          7c4e0f8c79c7a51375ef3951eb4f89d9d366f8ed75db0a9c4ac79a6d7026a03f

          SHA512

          68ee73f3f84fc4a5c303747f658c6d3e0afe53940ae28a59f6e0c3e759d2e3047354e46f3ee886139ec043c73a5448b28b7f35912a3fb542084c1b669722ea02

        • \??\c:\Users\Admin\AppData\Local\Temp\yfocfwtd\yfocfwtd.0.cs
          Filesize

          9KB

          MD5

          64db54f88f46e2ecc57b05a25966da8e

          SHA1

          488dbbbab872714609ded38db924d38971a3685f

          SHA256

          e2b586aa1613682b4f1b92f981fea15d0612a3e632bbd73cd7287518c9ed7cb5

          SHA512

          8791b75874fd7a90bf63742abe6d299bc4370ad910591207d7630901d80765f6f6a4475809f23becf112360403423d0c691744f1024af3dd89c104f2b0b9e729

        • \??\c:\Users\Admin\AppData\Local\Temp\yfocfwtd\yfocfwtd.cmdline
          Filesize

          369B

          MD5

          2dba910482ee581616b11a4408ecee6c

          SHA1

          3c9677516dc9916a0abab1a35bc81301ec96b8b7

          SHA256

          b8a13403f7c891798170310760bdd09ab76170309fc2a423a5cafc649e62e97b

          SHA512

          e875de0ea3cee3de928aef073de6e3b2e5f227718af44ec397fc37cb400723461232f806099b444324f6fead2b9d5ce7eeca1110aa9b3962b50fee62a7351438

        • memory/728-137-0x0000000000000000-mapping.dmp
        • memory/2492-148-0x0000000000D40000-0x0000000000D62000-memory.dmp
          Filesize

          136KB

        • memory/2492-150-0x0000000000D40000-0x0000000000D62000-memory.dmp
          Filesize

          136KB

        • memory/2676-134-0x0000000000000000-mapping.dmp
        • memory/4132-132-0x000001DFC06D0000-0x000001DFC06F2000-memory.dmp
          Filesize

          136KB

        • memory/4132-149-0x00007FFA44B90000-0x00007FFA45651000-memory.dmp
          Filesize

          10.8MB

        • memory/4132-151-0x00007FFA44B90000-0x00007FFA45651000-memory.dmp
          Filesize

          10.8MB

        • memory/4132-133-0x00007FFA44B90000-0x00007FFA45651000-memory.dmp
          Filesize

          10.8MB

        • memory/4836-141-0x0000000000000000-mapping.dmp
        • memory/4908-144-0x0000000000000000-mapping.dmp
        • memory/6184-333-0x0000000000000000-mapping.dmp
        • memory/6540-172-0x000001678C680000-0x000001678C6A0000-memory.dmp
          Filesize

          128KB

        • memory/6540-195-0x000001678C6C0000-0x000001678C6E0000-memory.dmp
          Filesize

          128KB

        • memory/6540-163-0x000001678C9D0000-0x000001678CAD0000-memory.dmp
          Filesize

          1024KB

        • memory/6540-160-0x000001678C840000-0x000001678C860000-memory.dmp
          Filesize

          128KB

        • memory/6540-159-0x000001678BE20000-0x000001678BE28000-memory.dmp
          Filesize

          32KB

        • memory/6816-255-0x000001D83ACA0000-0x000001D83ACC0000-memory.dmp
          Filesize

          128KB

        • memory/6816-260-0x000001D83A9C0000-0x000001D83A9E0000-memory.dmp
          Filesize

          128KB

        • memory/6816-271-0x000001D83A940000-0x000001D83A960000-memory.dmp
          Filesize

          128KB