Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-02-2024 16:38

General

  • Target

    ddb5fdd76fe638663422dd48b218a048.exe

  • Size

    1011KB

  • MD5

    ddb5fdd76fe638663422dd48b218a048

  • SHA1

    7d22a562f6c0eea916389ca5ff202ce1b96d00ad

  • SHA256

    47255c3ad12f555aff1e23aafa87e37693e736e8e6c989e4766426587dd252dc

  • SHA512

    eac75bc0914fbef36bb41355dcbaf30a46c724a32cf9605188fcef40a29ff43d9fd6ca51ec33db412c59e747ed9bd12833c797021560d252810085642286a4af

  • SSDEEP

    12288:GSCbvRebCWcQ95agaB/0qaZfakaaagMaOamaFa6:LevgZboGzdgtdmv

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\MF\1BC932-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted. All encrypted files for this computer has extension: .1bc932

If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery.

Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog.

Steps to get access on our website:
1.Download and install tor-browser: https://torproject.org/
2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
3.Put your personal code in the input form:
{code_1bc932: CFmnp5HqNAWl8UYgZjnoblqQmH7lG9rxDK8CT4ptG2SVsXrMXW rHWb/CFZ/A6mgWqHK6z+RbDuzgxQXVFjLM1X9hCqaLI8tQNp6R qpWnZm0OchLGjDD6h4O9ygj9afu3UEla3EKAIFiVsUkBOLBsQQ 64x+drwhCEtMXkXmkBXvQK4A23lwPy6LnLpKcLvsjv/a8Kt+iW w9Zm3BqJhmNq0oJJhLUkzduEa0qkPgDVgsqPrBXYpErhH5sHKz Rs0C1G4jcuoiNdEkl50PhJUsc8/9U8kIsg/a8h+A==}

URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

  • Netwalker Ransomware

    Ransomware family with multiple versions. Also known as MailTo.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (6690) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ddb5fdd76fe638663422dd48b218a048.exe
    "C:\Users\Admin\AppData\Local\Temp\ddb5fdd76fe638663422dd48b218a048.exe"
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4588
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      • Interacts with shadow copies
      PID:4356
    • C:\Windows\SysWOW64\notepad.exe
      C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\1BC932-Readme.txt"
      PID:9076
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\30A0.tmp.bat"
      • Suspicious use of WriteProcessMemory
      PID:4360
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /PID 4588
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:9908
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:116

Network

MITRE ATT&CK Enterprise v15

Downloads