Overview

overview

10

Static

static

Netwalker.ps1

windows7-x64

8

Netwalker.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 18:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Netwalker.ps1

  • Size

    5.1MB

  • MD5

    b1f0093b89561c6123070165bd2261e2

  • SHA1

    aac57162dc1311f07a869f7163bd30e0d62dcc0e

  • SHA256

    f4656a9af30e98ed2103194f798fa00fd1686618e3e62fba6b15c9959135b7be

  • SHA512

    637b40a33fc8e5d478128242f621ceefcb158b1d411898fbf4bb2e7352fd214befd58c308297108d631d5b4e4b44f953ac51676b02ef20e8de9dc122ef0ba797

  • SSDEEP

    24576:3lWHR7hoxn6yTYo1oc8UcMIh/MuwL+zn4ltC3O+wXCwNLaLRcfIAM1Bq9p0IQWwS:l

Score
10/10
netwalkerransomware

Malware Config

Extracted

Path

C:\8A40BE-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .8a40be -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_8a40be: hPSUOPeh+60oxcNagMRrdfW4B938lqCKvZgnKxCqjb99bg41OI 1p7iSNNibeIzuzyY/xr7Nevb3LaitQrsiMsuTY7cXwzgdTL0Sb SBr8FtQtltGFaOdxfANhgBq/VVK4vIhhnfkXLAJyXEwISeU5wt 1Onpvp7i3zqO3HNI6/n/KHHF/zKD623hv51YyzMz3QHO0081XI 5Pyl7T0Gtw0E++Rux9Msg2rt1I30cVFEvAb8tr2fZ26+pSc1N9 QyyTsfjMq4UmlhMe5MsaQ/qGUliV0zwHj0bHTUmw==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

  • Netwalker Ransomware

    Ransomware family with multiple versions. Also known as MailTo.

    ransomwarenetwalker
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 59 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Netwalker.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4876
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wprjvflj\wprjvflj.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:372
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB22E.tmp" "c:\Users\Admin\AppData\Local\Temp\wprjvflj\CSCC154789D510843E3B2507B638F689A31.TMP"
        3⤵
          PID:440
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l25l55ui\l25l55ui.cmdline"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:408
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB318.tmp" "c:\Users\Admin\AppData\Local\Temp\l25l55ui\CSC9E7500CAC28D48D8B3A59EFC4889C245.TMP"
          3⤵
            PID:3056
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Modifies extensions of user files
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2432
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\8A40BE-Readme.txt
          2⤵
            PID:228
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4828

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\RESB22E.tmp
          Filesize

          1KB

          MD5

          623a399365e9abbf5e585025e9431f71

          SHA1

          d6be49ec471a8365be07902a7dfea1ed9bbe0a7f

          SHA256

          f0ff62dac8217d5ae6e38de5fcafe74aeceecd4b5e1ab1489915e2c4455e23cf

          SHA512

          93443fb1057c1490c6ea1ad59ed87dcc0275a8dc71b2185ad18036f152cb76286d6eb2e188fb76da91273be022f89acf5bb297b10d25524250cda497e8995303

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RESB318.tmp
          Filesize

          1KB

          MD5

          b65b101967fb497dd7636499ef396d6d

          SHA1

          067828610b6f1415b71dd426fee121309e98f632

          SHA256

          ac8f987221bce6348ef9ccab3b143cbd40f60038af8d27f7135bad23b8088535

          SHA512

          04a86a90ec07a68242eb9de89ec6ae31d3334ff9e048c3c59f47fab44f8c1e0f7bd23d4163da4070a471dcfc9b3a2f7cb835d510a9904e1e9457d01c4028f0ef

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\l25l55ui\l25l55ui.dll
          Filesize

          4KB

          MD5

          fb1a5a74b558e122e3f3357df368d051

          SHA1

          d46664e56412dcb10351b5709a936b8b1a6f0564

          SHA256

          3a58739de3ff4af78551ad56c43c906d143ad63adf7034875f9cfb842406b6e8

          SHA512

          c283731d7a740e6c671b8ec2c5f7323acec373dd9b854662a4b56d4dc4efb9b0f5bcf75f0dac92a6a77e172f558897622b86dd2585c414f552039e1abc5e19cf

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\wprjvflj\wprjvflj.dll
          Filesize

          6KB

          MD5

          ac62dc0019fda3338ac68a369850aac7

          SHA1

          c8862b0df1668fb6c8e2255069fef7d716e625d2

          SHA256

          9149c3ac6b8adf8cde907e31b160e3000fb903371e0ffe54b87c7cae63b3fe2b

          SHA512

          c1d6187d2fe17e83ef4b9b9824dd9e6baab3a0b5d2950ff48dd79a6952efbb2e373b79e5f50d0fa21d81b9c5b07f8da810c29f0590d8c6c1ac65380bd27c1d9f

          Download Submit

        • C:\Users\Admin\Desktop\8A40BE-Readme.txt
          Filesize

          1KB

          MD5

          1077e7d8ae32d29363f372df755227f1

          SHA1

          e62f41b61dfb7fcd851ff4aa28cf9e5081fab6c6

          SHA256

          0dbdc2d808c3786cf955ce498f30e09b7b29fd731d462e7a8a72486b2a4abbc4

          SHA512

          e8df03c57fb7a700bd254b04fa99bc360dbc47898828ed37da126bffb5de65c6c3bb9b0ec6e70e98e949d5874e0f6efa5189e53d217eaf97772af3aac17b7748

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\l25l55ui\CSC9E7500CAC28D48D8B3A59EFC4889C245.TMP
          Filesize

          652B

          MD5

          72603380ad3305f0aebc40a807dd8f15

          SHA1

          e5a702897a5e0f8fe0103d8d70dbc2fd6329cd21

          SHA256

          72378e6cb46a434ccf50eec6d991e00f262414652bc67020adaa09b694d39026

          SHA512

          7a3391835868e13d808a760c31e13ed9a05600c008919759e3d49a26815281f656ba6f7a421e7618c9d061309bd925eb79a07da6f7a819ead2e75c8e8f975ad9

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\l25l55ui\l25l55ui.0.cs
          Filesize

          2KB

          MD5

          b1f397a0d765a49ba2554b815326cfd7

          SHA1

          511ef931b96f19ee08dec8763b606701147244a1

          SHA256

          d39f9608c7e9805f327550e7cd98ed2b716dc2a4549ca4123215fe5331a9b36d

          SHA512

          f34a8edb867d39f0dc53de1708a65570d1fd2d0a57e5908f3a222f0edb77d65f719a491b93e697a0233cf9a443c2387cb34549264befc100bc6a2d436cd0b254

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\l25l55ui\l25l55ui.cmdline
          Filesize

          369B

          MD5

          b2cd769f2a240ca2a6a1a634c46d69ef

          SHA1

          82e5b69a7a7b02c67a6080c0e6414d70cd7171d5

          SHA256

          bc02fc231c314f2637a703a7bb749d6948383c6362bdbad11ad40451551c871c

          SHA512

          dfcf3d8549efda7525ae144821a76dea7131bfbd5fe5b734173fad9899ebe308fa9fd2366944bc6b97d5763da7b58868ce57166012ddd7164de4013edb78c0fd

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\wprjvflj\CSCC154789D510843E3B2507B638F689A31.TMP
          Filesize

          652B

          MD5

          a035aa59646c46f89645e974bcbb7f04

          SHA1

          c771e385f2f024e277a12a6b0ca960b3352b369d

          SHA256

          98d47aa094d05985b61c985644489697e061c60270b01611422e583893104a05

          SHA512

          5ce28c0b094ae9ced117b0835ada0660bf7e0536faf4e0e6cfcccb4387700a4f2a5151e87ddfde182bd6c32cb7596388a820ed1aecd0d8c82d12bdc96ea768c2

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\wprjvflj\wprjvflj.0.cs
          Filesize

          10KB

          MD5

          220274c8b5ea2af3a7c625d0c4985fc2

          SHA1

          2f5228308d3808946552e53ef5b9829b8764b741

          SHA256

          b00f4040bfc94627cc06e351d43d4b6fdaa1161b20b702956b564e18c3a37ee1

          SHA512

          da40fd6d5a9daeb3c42cfa3d92df0fcb71b1b9ab00577afe165c539e95f26cba80958b74140067b93deb66807de60f0d533e232ec49d0a28b798f6d339037c69

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\wprjvflj\wprjvflj.cmdline
          Filesize

          369B

          MD5

          d4af91cee635e843a19b6cf3ac13d8f0

          SHA1

          fb9dec4bb9029f86b12e852587723497709e8c4e

          SHA256

          121ce0799d2c3f411d526712553d1665c8fd12d6b3a8f91961415b0e0580f488

          SHA512

          c2b5dbf2dcdb55c7910368208f047c2afea5b993f8bdb09a74983969910c180ebf27b0537d9b1ee367f637bc48c5a650eaf708433bf6113bf06ac3ba21197e5b

          Download Submit

        • memory/2432-149-0x0000000000790000-0x00000000007AB000-memory.dmp

          Filesize

          108KB

          Download

        • memory/2432-150-0x0000000000790000-0x00000000007AB000-memory.dmp

          Filesize

          108KB

          Download

        • memory/4876-148-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4876-151-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4876-132-0x0000016394DC0000-0x0000016394DE2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4876-133-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

          Filesize

          10.8MB

          Download