Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-03-2023 16:18

General

  • Target

    2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe

  • Size

    69KB

  • MD5

    80372de850597bd9e7e021a94f13f0a1

  • SHA1

    037db820c8dee94ae25a439b758a2b89f527cbb4

  • SHA256

    2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8

  • SHA512

    f43db3569ac60d6ed55b9a3a24dcb459e14b0bd944e9405a8cb2bfb686eaeff31c82ffcd6c477d6a6affe9014ae8ed7d8af174e8ceebbcf00b64ad293901a77a

  • SSDEEP

    1536:juCWRxL7hbUiQfovecnXUU+hhOZuIWiFp+ZfaBZebC33O+Pd71vb:KCWf7VJQfmeMXvkhOZu1iFBBZebC3F7t

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\MF\6434F2-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .6434f2 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_6434f2: 5tM3CAN7+Yvf+6PiCm/Mex9YmJP5r9iB7bV9uH9IeA/ToORH5z 3Sqi1ifqjZXJhP2oEUeKLBTvIzlF3uOM7kWWf1R9nNeokQAg4e DSFCDI++Z+olDGS6ya0StTaV5zXXDSYZsRJJyMfJBsrB4IsHI1 1tjYLIDYim3gZg3VaD4zUD93QgyOADiPUMAVl9zIBFC6OdQ1jI fnCk1oOjs9L86ambtMnCECppxBiGLjouoDyVdmG2FF5n/r6Ecc lCt0vO1pCUdB5TH8S9mV07FBbgR5IEOkLQA6aW4A==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

  • Netwalker Ransomware

    Ransomware family with multiple versions. Also known as MailTo.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 15 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe
    "C:\Users\Admin\AppData\Local\Temp\2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8.exe"
    1⤵
    • Modifies extensions of user files
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4868
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:5044
    • C:\Windows\SysWOW64\notepad.exe
      C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\6434F2-Readme.txt"
      2⤵
      PID:1372
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\632E.tmp.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:13420
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /PID 4868
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:7152
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4804

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml

      Filesize

      3.3MB

      MD5

      f5e0d666ac91cee75c0885ce022714cb

      SHA1

      005625b4ba8082b9814dae7fa8a39b10f0d21454

      SHA256

      00b3dff290def1ff1aa513fd6b4d684f4ef93251bc4a63808586f476d2aba463

      SHA512

      a48e40c5c9adced0581c45deb9e52efac2a704681612270f41ea4abcd840c37d8fdef69cfa3ff5b4e5b2ac82e92b4903a503d2e99c46d4e6e13107b59a94293e

    • C:\ProgramData\Microsoft\ClickToRun\ProductReleases\8F275DA2-5DF1-44E3-B319-427E26356EC8\en-us.16\MasterDescriptor.en-us.xml.6434f2

      Filesize

      28KB

      MD5

      9ef09d690cf42c9523e013e801977a98

      SHA1

      6f6e2389b96e1ea6b2b7501119337473abd25cf1

      SHA256

      451456a9bc1efac835f17ac09e868fd477d4f6b5de46f6c2f3f6ea7541f585fb

      SHA512

      f9be6d4868dfd3cb5d35fb205dc5475ca9ee03f90f4b4b1d40b3ad6080f51cae7ffc5a765bb9159904d444137d97729231964c8390a9bc606a96c6111063caaa

    • C:\ProgramData\Microsoft\ClickToRun\ProductReleases\8F275DA2-5DF1-44E3-B319-427E26356EC8\en-us.16\stream.x64.en-us.man.dat.6434f2

      Filesize

      623KB

      MD5

      44aeac696bff2e1c09f5c34d5459331a

      SHA1

      631c3dcf3f6be2d1d5151ab75bbd68a05783e8f4

      SHA256

      02d87477b89d013878477982d6ee39609ff7e9f9ea96f10e26ce75c9c4202ddc

      SHA512

      4848e135f8e285c9156300537a1322e652e44c26ca394ca6736a77236cae68a6a295ee9ebb79e71009b96136c38fb58e00433d808eb2e80258564109cc22667d

    • C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.6434f2

      Filesize

      93KB

      MD5

      de38630350e6a79671d090f02621336c

      SHA1

      83c763b48fe408400110cbccedda5171cb8e1bf5

      SHA256

      97e71b53479992953a1f865127ba21181be7273f6dc5f40e4ef6eb51b8758809

      SHA512

      ab685ff6404313b394b88272addbb65814b57cbd9451d20438799305e76366c906654381aa14832306e8188cc997fbc3b31aa76b6a7a0fe1788dd9f979109239

    • C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\wordEtw.man.6434f2

      Filesize

      1.1MB

      MD5

      4589cbaedc052d3962c532d8f7347439

      SHA1

      88af2be699f56cb260164eb21d0d530b7c81328d

      SHA256

      8f32a72f8f4c6cf533c73cdce4a549c8fa5e19c575c2535b3cb69d64bc1fc099

      SHA512

      88006fd758d3dc7b61175c4e8b723f57c3a3548f4e37f14af8d86fda5e94c8510078e638f959ca8dcb377332d3105f30e1a664082f416628c1ab0b5538c5dc87

    • C:\ProgramData\Microsoft\MF\6434F2-Readme.txt

      Filesize

      1KB

      MD5

      385561d95ef07aa02bbe9362a491d390

      SHA1

      2f3003e0c07f33cee1657f4a4465c64acc4496ac

      SHA256

      114fb026887196148134b6fc83d42865510cb47c5735a9402b28a20bde48b67e

      SHA512

      203175903af4de7c0c47af16353f3c9c11b0af9b0096b516e9daebc3eb4d9398a9bf5291ec3be9fdede1fc1f41633bd514f452e8e794ab01f5be6ed3430cba3a

    • C:\ProgramData\Microsoft\Windows\OneSettings\config.json.6434f2

      Filesize

      5KB

      MD5

      1c90668bb41b965d307ca4164c5d4412

      SHA1

      8348b3100ecbfc526ad4fa2543056677d8376cd8

      SHA256

      61313bd26441737991e79117a62bb8c605c2125e59a3e93db519d4e04ea3f8c7

      SHA512

      83e16bcc31ba03412a7435e55bb00d2118516986039f7585a81a2c8ddc678ff14ba2d8fe1e84c1eb0cca3413c84fe84c37265de4f4a1a361eb30f873208b4384

    • C:\Users\Admin\AppData\Local\Temp\632E.tmp.bat

      Filesize

      141B

      MD5

      c02faa9c40262380ac5e62b5d2672086

      SHA1

      c11ea7166be18baa4fd395cfc6ab308f1439354d

      SHA256

      1f7dc90dd1c51e480547b2c6abd82f4133457b5fa9903f7bc5b839e2504632a9

      SHA512

      243d9526d91d0fd634635006947139f90321145835f19ac1789b5b1bb4a514a204d1eb13e04646e6bed3fd303592c34e9c83416b8e95a8b4f07918a0a217aacf

    • C:\Users\Admin\Desktop\6434F2-Readme.txt

      Filesize

      1KB

      MD5

      385561d95ef07aa02bbe9362a491d390

      SHA1

      2f3003e0c07f33cee1657f4a4465c64acc4496ac

      SHA256

      114fb026887196148134b6fc83d42865510cb47c5735a9402b28a20bde48b67e

      SHA512

      203175903af4de7c0c47af16353f3c9c11b0af9b0096b516e9daebc3eb4d9398a9bf5291ec3be9fdede1fc1f41633bd514f452e8e794ab01f5be6ed3430cba3a