Analysis

  • max time kernel
    67s
  • max time network
    67s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-03-2023 16:18

General

  • Target

    2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe

  • Size

    69KB

  • MD5

    80372de850597bd9e7e021a94f13f0a1

  • SHA1

    037db820c8dee94ae25a439b758a2b89f527cbb4

  • SHA256

    2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8

  • SHA512

    f43db3569ac60d6ed55b9a3a24dcb459e14b0bd944e9405a8cb2bfb686eaeff31c82ffcd6c477d6a6affe9014ae8ed7d8af174e8ceebbcf00b64ad293901a77a

  • SSDEEP

    1536:juCWRxL7hbUiQfovecnXUU+hhOZuIWiFp+ZfaBZebC33O+Pd71vb:KCWf7VJQfmeMXvkhOZu1iFBBZebC3F7t

Malware Config

Extracted

Path

C:\Users\Public\Libraries\507414-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .507414 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_507414: JmVIcUZJJr7VFt2CWHoOclbsQyiygJCmHHfDzfzmgVNvR5+9ac 64yyP9/5Q151EHCfq7CIfPSQz6t+/g33zINrnBRNj+EzM+Ag4e DRDJnVigdduvrlGX1ACuDV/hA+QNoZju2ijtkmoDTnX1RwL0/x EJevwUP9FX12e8jyTm1zubpyu3TeG+GCkC3fmhvHjxDkOayYHi 1XgujEJkdmSiUTlN9FOZXhUtGIjNfpBobKtOgtziWzS/wVcoGr +iOoLIfC0udvoYOyDR+WqXSDnQ+aspSd9LT8MNCA==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

  • Netwalker Ransomware

    Ransomware family with multiple versions. Also known as MailTo.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
    "C:\Users\Admin\AppData\Local\Temp\2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe"
    1⤵
    • Modifies extensions of user files
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1476
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:1436
    • C:\Windows\SysWOW64\notepad.exe
      C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\507414-Readme.txt"
      2⤵
      PID:7032
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2A2D.tmp.bat"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /PID 1476
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:7852
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5532

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\MSOINTL.REST.trx_dll.507414

      Filesize

      2.7MB

      MD5

      4a27bbc74bf451fe05e44d788c21a5cb

      SHA1

      2a9479388606e4734dc75aef7272d98553a9796f

      SHA256

      9a46d695e3be1f8165d87e8e6c86b01a9baa86152c9125d6538afb6cc6338a85

      SHA512

      d9fb9a7a54f766e387ea6142aaf4805968bc8c3da6f7612d46413d8b6bbb349c77f3e7c91a00f1dd04be927a9296f0c5576829b8be62ecc706946b98aeaedb11

    • C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\ONINTL.REST.trx_dll.507414

      Filesize

      246KB

      MD5

      c13f94336190875f0489bfabf4f2cbc4

      SHA1

      675f92e305435e4020c38c641b127b7c9e3443c8

      SHA256

      f87c7b630a30b64af69800ca6fbd92b9574c7b1749eca003737a19dfdf735b04

      SHA512

      4f74061c0939215e0f3f1f452ba77c63558858d5acc19545fd1efbefd68ef64c3ec42a8c365e6b9ee14a6dbc6709bad0ea1ff454e3d27138a5fba38f5ea08bb5

    • C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\OUTLLIBR.DLL.trx_dll.507414

      Filesize

      214KB

      MD5

      a74dc1fd5ce32781619a73b511e93f89

      SHA1

      e64c85b19d578db738be28dfc52e503e4dc0439e

      SHA256

      6dd5bd193fe905a8fa0fc23dbf1bc8560c991f9bdc8a17ec45b37142da3dd3ea

      SHA512

      0ec9180af903695ed0c0485cc6836c81803b1c8cb2c5cce4b8b656df765b2faf291dad567c72b73ac1fb5c47589710f82b1b29cecfdc2f8c8f61e2facbf90be4

    • C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\OUTLLIBR.REST.trx_dll.507414

      Filesize

      637KB

      MD5

      babdf3eaf667c25fc350a6369817dd4f

      SHA1

      616b932746768421f3e1054211259b9195a0099f

      SHA256

      301a801e0948397fce50364e38a4f8eb2d582ca7aeb54a9bd2ad4551b03db7db

      SHA512

      12514316778525ff922ffdb05a38c51254cfaf795269bb0d32d702504afd11c5bc957cb8084fe2a017cd9be4e1ba767e0600b6d10a60baf7e192cda10c720996

    • C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\OUTLWVW.DLL.trx_dll.507414

      Filesize

      11KB

      MD5

      d95f3e967035fcf2787fc76109e9faa8

      SHA1

      c07dbf64586410ca4c48cc53e7fcee78a3637cac

      SHA256

      6a79d63b38360b8dd98926832ebc41b3359b1c9e24473e335fe4803028217137

      SHA512

      443b258ccd3456c7a140babe96fc633977a5f233339915f899db8f4d4d7a5beb3d63c1ea90700d50acfae0a2e69f1102a88b3fd95d98dca68a24f20aa105ce95

    • C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\PPINTL.REST.trx_dll.507414

      Filesize

      269KB

      MD5

      2c6034b8590b0aefef7d3d8eba8af008

      SHA1

      23693d0f6c1a0e3dfd2f55f3cc82f4defc7a0fc4

      SHA256

      c9d9a2269761e29621a5251d97dbdffc36a60d3675678fdc3f0c301e7f6e37fc

      SHA512

      5c4f241d10509c687574def9de64005e6d953e3c84e52b142cc888e41a31c464e01748ca0759e193942c463ecf56fd7e5af844b8b2033d7135f085e3baa0c3d2

    • C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\PUB6INTL.REST.trx_dll.507414

      Filesize

      544KB

      MD5

      5207aabcb61941bb1502369f5ab63180

      SHA1

      cb355cd5c89a55b8d05148eef4b68fb238df510c

      SHA256

      11202840298f752eb2b15386f9702029525b326fb7a53915fa9ba7ca4c854381

      SHA512

      d34f11e856db8b259cc645e1da74f2a5be586f23ec1cba3e876acda0919a9a3119e70d8c4c2daab0334a8d64314b636a9d7f5854e3727922f20a4a8b94061805

    • C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\PUBWZINT.REST.trx_dll.507414

      Filesize

      352KB

      MD5

      cd3225d6a9fb80097e7864ecfc921b60

      SHA1

      cc018d83ddc141d8e7ce069ae35a1a9063ff4f71

      SHA256

      2ace5b86d9d564c0e64f103ab4aac837ccbafc36e6455c5e631a10d80ca61399

      SHA512

      ab43451bb00e4f937893ffbd8fac35f6ef1c9cd74041a3ceb9ffbafbec496032956de325279966a8879187d2016f875699fb047cb67a93d417387044934a0b90

    • C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\SGRES.DLL.trx_dll.507414

      Filesize

      13KB

      MD5

      b2ea78cf0c4ed67a5c29711db8ab5fec

      SHA1

      b8b1aee2a42c220df05245eef32347631b65daf7

      SHA256

      a5833a2a779dcc1f254c1d12ad19390991a68b6ce2b74a68f3edf63b7217a3de

      SHA512

      b1c29cdc2f0684df8d9374ec47bfeb7df970fd6f9a7dd05ad495fb2ec30d5e6b26bdac3ef43347d4218f3d9993854a274e9b88a145b9249390457b83ea725e66

    • C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\STINTL.DLL.trx_dll.507414

      Filesize

      17KB

      MD5

      c9b5f9a2ce4f7e54982cfe1e03fdc0af

      SHA1

      7868ad518bc4d898b661e1021dca5d6927275ce8

      SHA256

      f5fb1f7aab8a88e6ce2bd8577156aa291177b7b72a5102498b514c8e47771477

      SHA512

      76b750ef843153a8f7d44026b6760c6d6483b60365ad54d875ee62e0bd3386249db8c730aa8de667937526d1ff5257d6e7b66dc4649c817fd89969a7a300d994

    • C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\VISBRRES.DLL.trx_dll.507414

      Filesize

      26KB

      MD5

      af26f6424b9f3c0036b27357e99a1015

      SHA1

      30a4cd695f27ccede0ffc8b8846f043b45d22955

      SHA256

      34c00ae2374f64cdfdffbd46ecb66affff037e120723aad99f18482d36eca0fc

      SHA512

      38af12c97d85bb3ca12fceaead44ead92466f23a8f761e363089432c5d9c132c9f2550cb361e43c2584db256dca1c68cfe608e3dc4fa76b4ae58ac17c9720c6c

    • C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\WWINTL.DLL.trx_dll.507414

      Filesize

      145KB

      MD5

      d0e77cc25367b920207386402295339c

      SHA1

      bf2df6d14d7501e5cfc184b5bdbb176251584f6b

      SHA256

      372c86c4d40035155143365566ecfe8f98754c53124a009182e48b663ff64cfd

      SHA512

      c9d4edc378f61b0b2a42aba1076f2b22ca37a3853f983e27a96492f25b7e47a7ca0ff7360a59c923f4f1d21a0745e5c2ecb9e148c854c6489fe4261e7f04ced3

    • C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\XLINTL32.DLL.trx_dll.507414

      Filesize

      142KB

      MD5

      6e24c1e72fad8a0b1c32abd542d5bcfc

      SHA1

      4af83f859ad7bd299e3c1a44a623899b9488324f

      SHA256

      1fd0ed81fdd6079cf50d919d4d906d267ebf1b12951d80a1bb0dab16208c84c4

      SHA512

      214c6142c8d7e1b200a3c113cd90dc216bdb57f6331fbecc6ab5ea38073c4ec1415fd439cc659c1262970319215409d55380ccbe55590a2a6ba6727ae73af707

    • C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\XLINTL32.REST.trx_dll.507414

      Filesize

      1.2MB

      MD5

      59e96ca52a42b1052f3ad0cc6b08cb88

      SHA1

      2d876f755e39f9bbaaae328bb625e64f883ce409

      SHA256

      9f08c624602d91b91f07d9f63e34620579461a97dd528d04c8aa2e3828d0de0f

      SHA512

      ac4fe7baee192024db8dbb3e18c19872e54dc03ea7f9c59823d6456af5b0ac733e4fc11c7e1ee1b697b16f6a1d47cc1c2221ce1ebe5c9697f5b89aee1b53d859

    • C:\Users\Admin\AppData\Local\Temp\2A2D.tmp.bat

      Filesize

      141B

      MD5

      1be7770680b07a2fa0e2b307740a0f67

      SHA1

      8209ad43e896026542261bf81549e0ae9e04cb31

      SHA256

      2eb359ed9932c73549b6e67873cb7b61815db53a29671a0d5fccd0316e810358

      SHA512

      199a6472fef61ca5f3755081061c4dc4e2853ab6b723d9a519368bfa0ecc08c9cfab089195b14e649d9d8d7d54d156fdd20ecad79be6e7beeb971082277854e9

    • C:\Users\Admin\Desktop\507414-Readme.txt

      Filesize

      1KB

      MD5

      04308244bd6c5aefe7d0131366d5c7ee

      SHA1

      e429ebd06a7aa2c92ca32dbcd406575d86735618

      SHA256

      8d4e4ea5991d6d569e62b337290d614df541ebd8e9a83442c70f0b30df3f278a

      SHA512

      6744a0d06d843593d7869fa6b5afad1d2171f53eba48b87ae47b339d77519eeed00b7988b35ad273430da2c82b1cde833cb32fe7c0b27624980f90b394b06497

    • C:\Users\Public\Libraries\507414-Readme.txt

      Filesize

      1KB

      MD5

      04308244bd6c5aefe7d0131366d5c7ee

      SHA1

      e429ebd06a7aa2c92ca32dbcd406575d86735618

      SHA256

      8d4e4ea5991d6d569e62b337290d614df541ebd8e9a83442c70f0b30df3f278a

      SHA512

      6744a0d06d843593d7869fa6b5afad1d2171f53eba48b87ae47b339d77519eeed00b7988b35ad273430da2c82b1cde833cb32fe7c0b27624980f90b394b06497