Analysis
-
max time kernel
1803s -
max time network
1600s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
13-09-2022 17:54
General
-
Target
RansomwareSamples/NetWalker_19_10_2020_903KB.ps1
-
Size
902KB
-
MD5
7770c598848339cf3562b7480856d584
-
SHA1
b3d39042aab832b7d2bed732c8b8e600a4cf5197
-
SHA256
ee3b0468a16789da8706d46aa361049ec51586c36899646a596b630d913e7304
-
SHA512
02af6d5910f0627074fbea72901b2f2b491f7dba58f53ae1fad1dc47230e000a7b459c8475a76aaf006629bb5822d89d4672d32fb64d073464ca41140cb134d2
-
SSDEEP
6144:KxYcCQ2x63Ib0NQrqxpPbI1ZVedvUhwDNGjG+zBumDKemdglhykA:KCQ2x6TdvUqDUjG+zBumDKemdgy9
Malware Config
Extracted
C:\Users\Admin\Desktop\BE4FC4-Readme.txt
netwalker
http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
Signatures
-
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
-
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops file in Program Files directory 64 IoCs
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 43 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 40 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\NetWalker_19_10_2020_903KB.ps12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yfocfwtd\yfocfwtd.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8561.tmp" "c:\Users\Admin\AppData\Local\Temp\yfocfwtd\CSC9810FA4E5840405B8374A352AEA734CB.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gd2sgmnv\gd2sgmnv.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B0E.tmp" "c:\Users\Admin\AppData\Local\Temp\gd2sgmnv\CSC260CA674ADD146B69231B4916DD38EC1.TMP"4⤵
-
C:\Windows\system32\notepad.exeC:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\BE4FC4-Readme.txt"2⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133076487607126064.txtFilesize
71KB
MD5b2a08dfbfad762fa8b0cc837be238401
SHA151a4ad8b13f5c593d8da20d4b317666022cadaef
SHA2567db07e239f25c7a589416a0c10c2cd58ddc5cb67e4397c112b1cae0c324cfab9
SHA512af1f3631e2b83a0e2f49e9655a0bf52f321cde5fce986eecf98ee715c62150e6b9cffa7253627ec779b2df1fcf4774e3ab4792886fd19c0aba97ec94974cc83c
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\B0ESNM48\www.bing[1].xmlFilesize
1KB
MD5d3435f0a28674b514bbd7ec84e7c9d95
SHA13dc57c9137b01765e8d26218dac59f33b84ccd7e
SHA256c8dbcf5bc4252528592ee6de2c0f7db5615f7586ecf98aa70b3658e8701da07c
SHA51202234d3394828844c162a9457687a8218e5290aa1edbd11f012f24f1586e0b86cb38af66d89ce27ca4ed5b5cb36e1aa6be17cef4a51b4c5c99c3bfa97a31c71f
-
C:\Users\Admin\AppData\Local\Temp\RES8561.tmpFilesize
1KB
MD53bff9c4e1982dc263994dda79dc26525
SHA19b5308ca8976a15912e86e3dc2d630c789390c15
SHA256d8d0bad402d18fed8bc818dfc9a4a359c29406009d100d7ee1b11a2881bfb0fa
SHA512938e18d1acd19e0241fa88d4f9aa678008e6819660aa330e687b01338f4873822e9b3664e1841e656aee62842a91ef340d28e627f9b84cc800b0fa68f36f2d9c
-
C:\Users\Admin\AppData\Local\Temp\RES8B0E.tmpFilesize
1KB
MD51c259e0e61040b9bd4bac03726deaa35
SHA139f1fd01d0b503ee08ed8d8a466f4421401a15a1
SHA256d2bcb57cc39851a8fd318d4c9592f5cb956fb4d94fa7b5294f83fa3500656f05
SHA5123880641066b8aa364a155746c4da432819a8d160af7197781b154f2ef722f021a170c8e21b6c352339acc5cc3df07ff2c0c3c28dd83a73e5f4c492e9f1b51b0a
-
C:\Users\Admin\AppData\Local\Temp\gd2sgmnv\gd2sgmnv.dllFilesize
4KB
MD50ef848e9530dd92f398413047aeee4f3
SHA145252a501058a7663420208b1fbfb9e57b9dd119
SHA2566902d05f6f53f98b97fe559e30a43ceedb62ba7ca8c9d820486420a15cfe431a
SHA5128597f925bf88d1076558739ddec503d00282076cf5f46395f00aa09b012af383ee06464a63f14ae9a16376646073fb4ac8d45045735c78e8fc27aefa70a624f6
-
C:\Users\Admin\AppData\Local\Temp\yfocfwtd\yfocfwtd.dllFilesize
6KB
MD5b3e44825d4b51fed8c3e148eb194b554
SHA197732418ae0886fc69a5b6b09ac156627c72813f
SHA256b3001c6d193ec1af24c0c99c889744911be4cffe0c5d2ca4b3b0f65fea8dfde1
SHA512d4f4d92828a7ce8fc0739cd26432284e62e3dd2a5c0d33faecf73f4d31414dc862817600b2b259ec4bc34f5679bf73f15493d8cc000dea1b6855f47682c0ef0c
-
C:\Users\Admin\Desktop\BE4FC4-Readme.txtFilesize
2KB
MD5b46b97d5c97c1533c06b1ffbee6b0087
SHA1b595f449cac2b6b4dc9d5e9ecb3e37cd842e3c13
SHA25600e8fdd0645912363983c0631de758db9fa57e5a1d468e14ac63e7913417028b
SHA512401499c409168ea2e8b380dcad84db48680a87183fef3714c143084b1275f8435c90e3df83a2e628459d3540f3be8b13c5c9b0188ebba6c2df61cc093c1bd5ad
-
\??\c:\Users\Admin\AppData\Local\Temp\gd2sgmnv\CSC260CA674ADD146B69231B4916DD38EC1.TMPFilesize
652B
MD53c4e596af22261bc9b799e43d23a775c
SHA15f8fcbd7ef0d1f59300036836d5ed6e56d61f81c
SHA256b871286443ddb67a3f4ebdf66ffdcd1267aba3036cac81d6bd3e1a431b4a8813
SHA512e1e2a04b1759b879eb8af37d3e03053b97f581f14f3ce516b981fe5381bedef7d78b642ca9d885fec7b16043c9211500dbd36389e7f717a5f6171b92ebd9bc22
-
\??\c:\Users\Admin\AppData\Local\Temp\gd2sgmnv\gd2sgmnv.0.csFilesize
2KB
MD51cae52936facd4972987d3baef367d8d
SHA1ad2b4b58d20f290b9da416cef1ef305cf1df6781
SHA25628b45e56fb27763b4785974e380c96eef1436fc151a802f492db25052392d400
SHA5124ae36c0ac78177eea5a6e0fbab0f51f7d24c7a76eae75b67eab41fcace921cef256b02fb088e1afb3c445e59598fbea73270e6bca1eda32514221190daa501df
-
\??\c:\Users\Admin\AppData\Local\Temp\gd2sgmnv\gd2sgmnv.cmdlineFilesize
369B
MD5029404c5e599fcbf0eedd69ea3c6ab43
SHA1cf2222109177af14dfbb9f5739fe8f2025357502
SHA256a89c086f8b53e309bdf12611ea071838c8162283b7b231be055c4da85591ccb5
SHA512c499229f0a49f205468ea1dc7e5ed6fe60b3fbb420b86b235b323251104fc95cfcb702bba3d7a5cc0b0841edfc6b4e9506bbf3e10e99bb0a45fca7884d0eb88f
-
\??\c:\Users\Admin\AppData\Local\Temp\yfocfwtd\CSC9810FA4E5840405B8374A352AEA734CB.TMPFilesize
652B
MD50594c13e862f161d3af22552ca28f4e2
SHA1bdf19102aec9a4189283f51727a403e18767f3ca
SHA2567c4e0f8c79c7a51375ef3951eb4f89d9d366f8ed75db0a9c4ac79a6d7026a03f
SHA51268ee73f3f84fc4a5c303747f658c6d3e0afe53940ae28a59f6e0c3e759d2e3047354e46f3ee886139ec043c73a5448b28b7f35912a3fb542084c1b669722ea02
-
\??\c:\Users\Admin\AppData\Local\Temp\yfocfwtd\yfocfwtd.0.csFilesize
9KB
MD564db54f88f46e2ecc57b05a25966da8e
SHA1488dbbbab872714609ded38db924d38971a3685f
SHA256e2b586aa1613682b4f1b92f981fea15d0612a3e632bbd73cd7287518c9ed7cb5
SHA5128791b75874fd7a90bf63742abe6d299bc4370ad910591207d7630901d80765f6f6a4475809f23becf112360403423d0c691744f1024af3dd89c104f2b0b9e729
-
\??\c:\Users\Admin\AppData\Local\Temp\yfocfwtd\yfocfwtd.cmdlineFilesize
369B
MD52dba910482ee581616b11a4408ecee6c
SHA13c9677516dc9916a0abab1a35bc81301ec96b8b7
SHA256b8a13403f7c891798170310760bdd09ab76170309fc2a423a5cafc649e62e97b
SHA512e875de0ea3cee3de928aef073de6e3b2e5f227718af44ec397fc37cb400723461232f806099b444324f6fead2b9d5ce7eeca1110aa9b3962b50fee62a7351438
-
memory/728-137-0x0000000000000000-mapping.dmp
-
memory/2492-148-0x0000000000D40000-0x0000000000D62000-memory.dmpFilesize
136KB
-
memory/2492-150-0x0000000000D40000-0x0000000000D62000-memory.dmpFilesize
136KB
-
memory/2676-134-0x0000000000000000-mapping.dmp
-
memory/4132-132-0x000001DFC06D0000-0x000001DFC06F2000-memory.dmpFilesize
136KB
-
memory/4132-149-0x00007FFA44B90000-0x00007FFA45651000-memory.dmpFilesize
10.8MB
-
memory/4132-151-0x00007FFA44B90000-0x00007FFA45651000-memory.dmpFilesize
10.8MB
-
memory/4132-133-0x00007FFA44B90000-0x00007FFA45651000-memory.dmpFilesize
10.8MB
-
memory/4836-141-0x0000000000000000-mapping.dmp
-
memory/4908-144-0x0000000000000000-mapping.dmp
-
memory/6184-333-0x0000000000000000-mapping.dmp
-
memory/6540-172-0x000001678C680000-0x000001678C6A0000-memory.dmpFilesize
128KB
-
memory/6540-195-0x000001678C6C0000-0x000001678C6E0000-memory.dmpFilesize
128KB
-
memory/6540-163-0x000001678C9D0000-0x000001678CAD0000-memory.dmpFilesize
1024KB
-
memory/6540-160-0x000001678C840000-0x000001678C860000-memory.dmpFilesize
128KB
-
memory/6540-159-0x000001678BE20000-0x000001678BE28000-memory.dmpFilesize
32KB
-
memory/6816-255-0x000001D83ACA0000-0x000001D83ACC0000-memory.dmpFilesize
128KB
-
memory/6816-260-0x000001D83A9C0000-0x000001D83A9E0000-memory.dmpFilesize
128KB
-
memory/6816-271-0x000001D83A940000-0x000001D83A960000-memory.dmpFilesize
128KB