Overview

overview

10

Static

static

10

winbio.exe

windows7-x64

10

winbio.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    25-02-2024 13:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    winbio.exe

  • Size

    69KB

  • MD5

    2edbacd070d1949bb5d97d3a6e4e23f6

  • SHA1

    761168968a1d951848a36ad428ee4d05153f1e01

  • SHA256

    8894b6508e7b3d8759a53d0ac7a6ceb39fd63ba65b1e89be62b2acdce7781fdc

  • SHA512

    a4b282b8c91124a6dc465573842a03b5fcf346af6e561eef66ea405fcb784251044e2f8a2c0a61cbb0e29f7efc02a71d131930b70e2c021978d00c0b3c38f344

  • SSDEEP

    1536:juCWRxL7hbUiQfovecnXUU+hhOZuIWiFp+ZfaBZebC33O+MEYTb:KCWf7VJQfmeMXvkhOZu1iFBBZebC3+

Score
10/10
netwalkerransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\10BED9-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .10bed9 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_10bed9: Zs1UfVW0NsW3xQCRoX2H3pNWTO7MfRrWVqkZokbZsAptNXa9OU ySEwaZKNIz5mwVvGwDt3u1RogKBqWp2vfh0FXFeXQHdBNgq/a6 0rsuRS976zTih0u9AxFvH7diuaqNrSzgTfJ82+pzbLfiXTnsMC JLVUyLpjpft86bQu2XGE8q80moHw6/ZaccFTcfyDJ2Cua8e16u qxsuItBhLrIig3VRxXzWYjlUfAl5eL0dqWtc9ffuq6/0VqvYuL W1W/BsCoLUn1R5FrkyXb73YJG9R2342+8VqT+LHQ==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

  • Netwalker Ransomware

    Ransomware family with multiple versions. Also known as MailTo.

    ransomwarenetwalker
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Renames multiple (7433) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\winbio.exe
    "C:\Users\Admin\AppData\Local\Temp\winbio.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1040
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:2708
    • C:\Windows\SysWOW64\notepad.exe
      C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\10BED9-Readme.txt"
      2⤵
        PID:4256
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c "C:\Users\Admin\AppData\Local\Temp\8160.tmp.bat"
        2⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:5344
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /PID 1040
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:6432
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:620

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.001.10bed9
      Filesize

      64KB

      MD5

      2cff4c9a5a3d460b0bd15e353110039c

      SHA1

      2d70d6e65f275c3ce1f260327023ac82e9aeadd3

      SHA256

      7e87894a72a0cad9828e8466f79e34f6e1d0dff7c73c3a642ff5057291d59d4b

      SHA512

      1534b33853793cf7533e5bf7e735179d583fccf2c95f144219729bd6009c6aac19c24063f54a0a59653d476a9c66c3685d209070c443b1a6a96dd5e99eafedc4

      Download Submit

    • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.002.10bed9
      Filesize

      64KB

      MD5

      34c3676e02ba912498a4b3e2c71f9147

      SHA1

      8b236da800e2b697cbd669288464f082ef0848d6

      SHA256

      900f048cab4f4560b10acc7b4deb88cdad6d6ee9cff46c1d7dccabdb494725ca

      SHA512

      c52690bdf0dd4e3b4553dbb0590b66c169d75abb1cf46186298beff98bb67ee54384dd7a5551bd70265745c5a8a082c83464203656dc082764c95dd47a80bb91

      Download Submit

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\10BED9-Readme.txt
      Filesize

      1KB

      MD5

      b340c74318310d5abeae967ae91ce3d7

      SHA1

      a03161c2a637d5a15b9fa34c238adc06159484a5

      SHA256

      12d1c2882eca220cb0c055823332b60bacdc5ba81f2bccfa00474779dde475a8

      SHA512

      8b0f8e9daedbc79a281781f426c903d1d00382c37032856ccb0cf5335e6cf9050526e2440a7a4e5f65261dfe6e599e3266c9161de03daf3bfe5a11cc0b0ff70e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\8160.tmp.bat
      Filesize

      83B

      MD5

      a8b018c9113ba7a114a7f32e819a3d0a

      SHA1

      616fda605c21e74d9cf0f3a320868fe486925419

      SHA256

      b641e9a1f35b84728b3dd0583228c39913de7b85cc53469170b813b591b7218f

      SHA512

      e5036ec64a1612cbca230199273a639b1aef0b1911128b2c80a081a3f8abddcbbfa977f1f31d778728277201b8a2ac1027042e3ab48ecf1c82c74fb0675daf7d

      Download Submit