f4656a9af30e98ed2103194f798fa00fd1686618e3e62fba6b15c9959135b7be

Analysis

max time kernel
250s
max time network
333s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Netwalker.ps1
Size

5.1MB
MD5

b1f0093b89561c6123070165bd2261e2
SHA1

aac57162dc1311f07a869f7163bd30e0d62dcc0e
SHA256

f4656a9af30e98ed2103194f798fa00fd1686618e3e62fba6b15c9959135b7be
SHA512

637b40a33fc8e5d478128242f621ceefcb158b1d411898fbf4bb2e7352fd214befd58c308297108d631d5b4e4b44f953ac51676b02ef20e8de9dc122ef0ba797
SSDEEP

24576:3lWHR7hoxn6yTYo1oc8UcMIh/MuwL+zn4ltC3O+wXCwNLaLRcfIAM1Bq9p0IQWwS:l

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1128 powershell.exe
1128 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1992 explorer.exe

pid	process
1128	powershell.exe
1128	powershell.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

powershell.exeexplorer.exevssvc.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeShutdownPrivilege	1992	explorer.exe
Token: SeShutdownPrivilege	1992	explorer.exe
Token: SeShutdownPrivilege	1992	explorer.exe
Token: SeShutdownPrivilege	1992	explorer.exe
Token: SeShutdownPrivilege	1992	explorer.exe
Token: SeShutdownPrivilege	1992	explorer.exe
Token: SeShutdownPrivilege	1992	explorer.exe
Token: SeShutdownPrivilege	1992	explorer.exe
Token: SeShutdownPrivilege	1992	explorer.exe
Token: SeShutdownPrivilege	1992	explorer.exe
Token: SeBackupPrivilege	2020	vssvc.exe
Token: SeRestorePrivilege	2020	vssvc.exe
Token: SeAuditPrivilege	2020	vssvc.exe
Token: SeShutdownPrivilege	1992	explorer.exe
Token: SeShutdownPrivilege	1992	explorer.exe
Token: 33	1740	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1740	AUDIODG.EXE
Token: 33	1740	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1740	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

explorer.exe

pid	process
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe

Suspicious use of SendNotifyMessage 18 IoCs

Processes:

explorer.exe

pid	process
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe
1992	explorer.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

powershell.execsc.execsc.exe

description	pid	process	target process
PID 1128 wrote to memory of 2016	1128	powershell.exe	csc.exe
PID 1128 wrote to memory of 2016	1128	powershell.exe	csc.exe
PID 1128 wrote to memory of 2016	1128	powershell.exe	csc.exe
PID 2016 wrote to memory of 924	2016	csc.exe	cvtres.exe
PID 2016 wrote to memory of 924	2016	csc.exe	cvtres.exe
PID 2016 wrote to memory of 924	2016	csc.exe	cvtres.exe
PID 1128 wrote to memory of 1832	1128	powershell.exe	csc.exe
PID 1128 wrote to memory of 1832	1128	powershell.exe	csc.exe
PID 1128 wrote to memory of 1832	1128	powershell.exe	csc.exe
PID 1832 wrote to memory of 1948	1832	csc.exe	cvtres.exe
PID 1832 wrote to memory of 1948	1832	csc.exe	cvtres.exe
PID 1832 wrote to memory of 1948	1832	csc.exe	cvtres.exe
PID 1128 wrote to memory of 1244	1128	powershell.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Netwalker.ps1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\naxjrdow.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB685.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB684.tmp"
4⤵
PID:924

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qlnz3t23.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB79E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB79D.tmp"
4⤵
PID:1948

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1992

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x580
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1740

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB685.tmp
Filesize
1KB

MD5
8252672792993172809b6ce2e2e603ef

SHA1
73c1967e0265b4a1dd5d943ea4e2f2b23a752ea8

SHA256
f04c7fb00ee53030680b6e22c9b2f27960b45383918ae2e87b2681c9f47f5501

SHA512
0e1e48f791fe0e0ce7a1d746ced5d5302ad861bd6cfde629683f6444163d32f89de56815e871a53363bfd2d8fd7c2b0257a29206000b0862d3b25cd6fd77e38b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB79E.tmp
Filesize
1KB

MD5
010af4f96edaf36944290dc9735db9ba

SHA1
990b34af48c2a468df3a2d355517b6219e5345af

SHA256
9f368c2f2b3968a4d7e47ae4e30519beef522c14aa2f4c0d108a7c39d9c6e672

SHA512
1ba045d6c943708d42278ea33e2ef6d8c0b79f2cda31397de038fd704be246007563cf8db82b89ad97d48d61afefc6e2b4c92c58f9aca4728578b89567947ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\naxjrdow.dll
Filesize
6KB

MD5
ce236b16669acf0df3cd0c20ea6958af

SHA1
ea9b4c5c6099bd5e3b56a493282c1f933fb4c7ea

SHA256
27b9df3b8cc71532e817bd7eb93a0a7ac0f4f0d18fd12885ec045cbb3465bca2

SHA512
6c9c8c099e4c9e2f68feb1fa7b516fad06efffecbe96d31f0a51380d6137a01c3b094bb26b28db9b060818c492782c464070ff2c44ed7a24015ed63002d12fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\naxjrdow.pdb
Filesize
7KB

MD5
c1e5a8c3c88791c820eaac69d5b5de65

SHA1
67ca86442a08ccb852ebf1bd6d92d8226c2eabc1

SHA256
8657c695ba2c72aef3ffcf492cf8821073d7836ef8984bde239b3874b7ce4c90

SHA512
a9cc0ece94b9effa85b2bdf4050824fb1c4b965553ba4140776876480fe33e61fbb02daa4fde08802b654aa46003a8ff79f0a251e4669a76e7b5fcc3f114b2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\qlnz3t23.dll
Filesize
4KB

MD5
cffc5afe857bcdb2374dbac87a3c3e2f

SHA1
daf931aaa3de0010323e636d528494f72ec0bfcf

SHA256
9f5ff1f8eecae9a303f96fbc9fee3349152c29f2990b4248fd374ae45b2b50e2

SHA512
7309fc09240c278537e4dd12c8bddbaeb50e5956471adbce2a5488ba5fef2cc8091f7ed176a571bdf9a1e5321e7f110140892561d395d6384d7b47ac8ad17be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qlnz3t23.pdb
Filesize
7KB

MD5
d61d864aeaff6451212074aa97d8be5e

SHA1
27f7c39ef065d700a2f4481c4faeabf591debfd4

SHA256
be0e341a6a500419a925d0684d63cc0f5f9b2c58814bd3523645048237253bb2

SHA512
f4565a0dadfb9f0d5dbc1ac5c1a487ee89d9959046bdba90da86d8ab4f111f2ef192f59ddf98dafbb108868efb9486c9354d27c017a7fab21138aab0ff9dc4e3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB684.tmp
Filesize
652B

MD5
3e68369186356f297d645c59266182de

SHA1
8e6ec7b3a2c20c9eff479c15559c2d0608642c46

SHA256
5349fe8085eede0a557336b4773e4ce4e42491edeefd92c3c5479b266acef85b

SHA512
6223596ddc3e7a7d86d04d44de19f95171f65f4d466c03a51186e2c7e595cfc312847031ddad2d67f3dfdbe0e8c7fd687916b56e46cfdc8c34029f6d9d580dcc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB79D.tmp
Filesize
652B

MD5
7ea271db1bede295dabb1e639f786b6e

SHA1
238c4b1cffe91a6b86e798c927c9289e18e5742d

SHA256
5c83159faaaf6b3a0492abbed3f1221a7fed5c3a7c769cdba47595282a107488

SHA512
0bf841596b39134792d5197abf600a762c9cf7d91ddc4208cdf78f84bebb7bcc8058f5a6d85659f409346d7772945946234b866e0c064b35b1166efdd3ad39b0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\naxjrdow.0.cs
Filesize
10KB

MD5
220274c8b5ea2af3a7c625d0c4985fc2

SHA1
2f5228308d3808946552e53ef5b9829b8764b741

SHA256
b00f4040bfc94627cc06e351d43d4b6fdaa1161b20b702956b564e18c3a37ee1

SHA512
da40fd6d5a9daeb3c42cfa3d92df0fcb71b1b9ab00577afe165c539e95f26cba80958b74140067b93deb66807de60f0d533e232ec49d0a28b798f6d339037c69

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\naxjrdow.cmdline
Filesize
309B

MD5
41e14e711b7f86050fd07476d1386c85

SHA1
abd3baa881af35f61b7d38d39ba253cb280fc525

SHA256
841aa4d7254099d1926bd63e61b314f8748be65c5030324e684c4227e5249e45

SHA512
c21ac83cf40308afe65ef38e38974a2c54511faedb054995b3c58442f87b72a7ce8d9ed3e0bf4e7bbe4c6c19ff06cf16a5532a3e8106e9207133129718ced330

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qlnz3t23.0.cs
Filesize
2KB

MD5
b1f397a0d765a49ba2554b815326cfd7

SHA1
511ef931b96f19ee08dec8763b606701147244a1

SHA256
d39f9608c7e9805f327550e7cd98ed2b716dc2a4549ca4123215fe5331a9b36d

SHA512
f34a8edb867d39f0dc53de1708a65570d1fd2d0a57e5908f3a222f0edb77d65f719a491b93e697a0233cf9a443c2387cb34549264befc100bc6a2d436cd0b254

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qlnz3t23.cmdline
Filesize
309B

MD5
86affa89d24fd54c47502fdb30809878

SHA1
a0cb859be4dff3e2204e7b2b64190ba137431902

SHA256
f8df701907e77d2ea170b32dee85e1a19f4eb9397f1166a604f7d55c3e29a291

SHA512
463bd9274935ac9c4a875a9ef5c1e67a9a5b14ec1ef909936fc3fa1fe70e05728f531774a8b97260a1bebd50cd8440c9b6c0894f7c45a1d928c30808a1bd1fde

Download Submit
memory/924-63-0x0000000000000000-mapping.dmp

Download
memory/1128-59-0x0000000002604000-0x0000000002607000-memory.dmp

Filesize
12KB

Download
memory/1128-58-0x000000000260B000-0x000000000262A000-memory.dmp

Filesize
124KB

Download
memory/1128-54-0x000007FEFC4B1000-0x000007FEFC4B3000-memory.dmp

Filesize
8KB

Download
memory/1128-56-0x000007FEF39D0000-0x000007FEF452D000-memory.dmp

Filesize
11.4MB

Download
memory/1128-57-0x0000000002604000-0x0000000002607000-memory.dmp

Filesize
12KB

Download
memory/1128-55-0x000007FEF4530000-0x000007FEF4F53000-memory.dmp

Filesize
10.1MB

Download
memory/1244-76-0x0000000002B70000-0x0000000002B82000-memory.dmp

Filesize
72KB

Download
memory/1244-78-0x0000000002B70000-0x0000000002B82000-memory.dmp

Filesize
72KB

Download
memory/1832-68-0x0000000000000000-mapping.dmp

Download
memory/1948-71-0x0000000000000000-mapping.dmp

Download
memory/2016-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads