Analysis

  • max time kernel
    93s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-02-2024 13:13

General

  • Target

    winbio.exe

  • Size

    69KB

  • MD5

    2edbacd070d1949bb5d97d3a6e4e23f6

  • SHA1

    761168968a1d951848a36ad428ee4d05153f1e01

  • SHA256

    8894b6508e7b3d8759a53d0ac7a6ceb39fd63ba65b1e89be62b2acdce7781fdc

  • SHA512

    a4b282b8c91124a6dc465573842a03b5fcf346af6e561eef66ea405fcb784251044e2f8a2c0a61cbb0e29f7efc02a71d131930b70e2c021978d00c0b3c38f344

  • SSDEEP

    1536:juCWRxL7hbUiQfovecnXUU+hhOZuIWiFp+ZfaBZebC33O+MEYTb:KCWf7VJQfmeMXvkhOZu1iFBBZebC3+

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\User Account Pictures\1E9AE0-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted by Netwalker.
All encrypted files for this computer has extension: .1e9ae0
--
If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery.
--
Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program.
Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover.
For us this is just business and to prove to you our seriousness, we will decrypt you one file for free.
Just open our website, upload the encrypted file and get the decrypted file for free.
--
Steps to get access on our website:
1.Download and install tor-browser: https://torproject.org/
2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
3.Put your personal code in the input form:
{code_1e9ae0:
mstNmMAGpEAj3qywSAFtp9etjdig4LKerTH1uceyXmeekvSzBZ
BZoUlzW02sFnbrgBGVf/IVKAHlq2frLCeQFJRbXrgjeNsnq/a6
0uzyuJc5jYF/e8966bY75DregCxQCzrE6eboAnR/osjuwM8R+s
agEW9pl4TG+inswNPcJkWiVEyjgP4QtQD8lYRhd01gtV+rgk8e
CXwBGfSIFmQzWDyC9fbWYNOeJk79cT3JBWYIRzl+AG39O+a4NX
liQSY20tUlb6sd7Gl7Zt5GYOFG6chDAv1A1G/z6g==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

  • Netwalker Ransomware

    Ransomware family with multiple versions. Also known as MailTo.

  • Deletes shadow copies (2 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (6763) files with added filename extension

    This suggests ransomware activity: the sample is encrypting files across the system and appending its extension to each one.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory (64 IoCs)
  • Interacts with shadow copies (2 TTPs, 1 IoC)

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\winbio.exe
    "C:\Users\Admin\AppData\Local\Temp\winbio.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:852
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:920
    • C:\Windows\SysWOW64\notepad.exe
      C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\1E9AE0-Readme.txt"
      2⤵
      PID:8756
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\E781.tmp.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /PID 852
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:9528
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1988
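The process tree above is the part of the report a detection engineer can act on directly: the sample spawns `vssadmin.exe delete shadows /all /quiet`, opens its note in notepad, and then runs a batch file from `Temp` whose child `taskkill /F /PID 852` terminates the original process (PID 852) from two levels down the tree, the usual shape of a self-delete batch. The script below is an added example, not part of the sandbox report, that encodes those three behaviours as rules and runs them over process-creation events constructed from the tree. Field names, rule names and the parent PID of 0 for the two roots (the report lists no parent for them) are this example's assumptions. One caveat the rules take into account: the report shows notepad.exe, cmd.exe and taskkill.exe under `SysWOW64` while their command lines name `system32`; with a 32-bit parent (resource tag `arch:x86`) that is WoW64 file-system redirection, not tampering, so the rules key on the image basename and the command line rather than on the directory.

```python
"""Detection rules run over the process tree from the sandbox report.

Added example; not part of the report. EVENTS is constructed from the report's
tree (PID, parent PID, image path, command line). ppid=0 stands for "no parent
listed in the report". Rule names are this example's own.
"""
from dataclasses import dataclass
import ntpath
import re


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree.
EVENTS = [
    ProcEvent(852, 0, r"C:\Users\Admin\AppData\Local\Temp\winbio.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\winbio.exe"'),
    ProcEvent(920, 852, r"C:\Windows\system32\vssadmin.exe",
              r"C:\Windows\system32\vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(8756, 852, r"C:\Windows\SysWOW64\notepad.exe",
              r'C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\1E9AE0-Readme.txt"'),
    ProcEvent(1148, 852, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\E781.tmp.bat"'),
    ProcEvent(9528, 1148, r"C:\Windows\SysWOW64\taskkill.exe", r"taskkill /F /PID 852"),
    ProcEvent(1988, 0, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]

VSS_DELETE_RE = re.compile(r"delete\s+shadows", re.IGNORECASE)
TEMP_BAT_RE = re.compile(r"\\Temp\\[^\"\s]+\.tmp\.bat\b", re.IGNORECASE)
PID_ARG_RE = re.compile(r"/PID\s+(\d+)", re.IGNORECASE)


def _basename(image: str) -> str:
    # ntpath handles Windows paths on any host; lower-case for comparison.
    return ntpath.basename(image).lower()


def ancestors(pid: int, by_pid: dict) -> list:
    """PIDs of the process's ancestors, nearest first, as far as the events go."""
    chain = []
    cur = by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid:
        cur = by_pid[cur.ppid]
        chain.append(cur.pid)
    return chain


def detect(events: list) -> list:
    """Return (rule, pid) findings in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = _basename(e.image)
        # vssadmin deleting all shadow copies: inhibits recovery
        if name == "vssadmin.exe" and VSS_DELETE_RE.search(e.cmdline):
            findings.append(("shadow_copy_deletion", e.pid))
        # cmd.exe running a freshly dropped *.tmp.bat from a Temp directory
        if name == "cmd.exe" and TEMP_BAT_RE.search(e.cmdline):
            findings.append(("cmd_runs_temp_bat", e.pid))
        # taskkill whose /PID target is one of its own ancestors: a process
        # arranging its own termination through a child, as self-delete
        # batch files do
        if name == "taskkill.exe":
            m = PID_ARG_RE.search(e.cmdline)
            if m and int(m.group(1)) in ancestors(e.pid, by_pid):
                findings.append(("taskkill_of_ancestor", e.pid))
    return findings


def findings_by_root(events: list) -> dict:
    """Group findings under the top-most ancestor present in the events."""
    by_pid = {e.pid: e for e in events}
    grouped = {}
    for rule, pid in detect(events):
        chain = ancestors(pid, by_pid)
        root = chain[-1] if chain else pid
        grouped.setdefault(root, []).append(rule)
    return grouped


if __name__ == "__main__":
    for root, rules in findings_by_root(EVENTS).items():
        print(root, rules)
```

All three findings group under PID 852 (`winbio.exe`); `vssvc.exe` (PID 1988) is the Volume Shadow Copy service that vssadmin's request starts and produces no finding on its own. The ancestor walk is what separates the self-delete pattern from an administrator running `taskkill` by hand: a target PID that sits above the caller in its own tree is the signal, not `taskkill /F` as such.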

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml

      Filesize

      832KB

      MD5

      8bdd3cc6564acf24ce2037160d42abd8

      SHA1

      426cb4625b51ffb4792a7dafdf604f5cf40ae686

      SHA256

      ac4254f853b495539d803c7bf7b844eb67f67c363483800ee46a9d3f330c48c9

      SHA512

      2b47ab65c56145432f4881228a98042f1e0aa71996d96130eb13fb18ea5b984aad7b01e9716876dd1784c6c66ebd89a462cda7d513de027e015b0345025da8ac

    • C:\ProgramData\Microsoft\User Account Pictures\1E9AE0-Readme.txt

      Filesize

      1KB

      MD5

      2a34460f89a024f9c32f08c8d62b1b86

      SHA1

      338bb2468797ee5317cf735452320d03ba2013f4

      SHA256

      1b2693a284279b0d153779e9e745d501be472f6fec178682b24e0eca0cd3a10c

      SHA512

      9fdf976986825681e9c0dbc5b95392d31abc48fcdbf206131c337cb7032883ffcb1de4344fd91564788c0f6696d12e059ec2f7b972daae4a405c76144c20b8ee

    • C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\3ebdb897-991b-934f-ee13-2ca21ed81938.xml.1e9ae0

      Filesize

      3KB

      MD5

      2b5b411932b2c03570e590c5743820a1

      SHA1

      bd6c8c8828bcc327cb2b59eebec0fc36d8073919

      SHA256

      aa740b02e5a4bad7a43f298a9c1f26a08ee9a7f5a0c6d52f5ee217efac5c5293

      SHA512

      ca85859210f51542014cc33fc1e1d0cf6d40707b18cb172ad8aad8855429c38208bbb17dd7a44e225e9802f418442a2cc4efe6a14b09335c70bb374b340e653e

    • C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\4c4ecbc0-0ec0-3929-aebb-a931a339fb23.xml.1e9ae0

      Filesize

      3KB

      MD5

      62cb434e73a21aabb13dff2e1893ebaa

      SHA1

      28f396e044ba74211a7e3f315f43b46a05ccce79

      SHA256

      9d65501e315238f7e5e35f062a6d093cf94aeffe48c366f8168882200ad91a49

      SHA512

      248e5757ff954baf22099a15ced0afdf7564b54e686f2f3f7d84e3cb488bc8dea374190014e9ecaa2c38ec3560b8516c903eec18f5e10f941ae73c3b797f2f22

    • C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\56780d7d-d4dc-b9a9-c121-bdd323bdc3b5.xml.1e9ae0

      Filesize

      3KB

      MD5

      f84f06500c05688bb63ad0ffa6126486

      SHA1

      d8cb0a5a4e5d78d95dfd1c67ac53b6912a514725

      SHA256

      7336cacb17fd2ae0060ae1e47f8f86fac32d6efbddb4fd0d219f407f5f3e43f0

      SHA512

      0b0e3e3c2cdb0309ae5c1fb90053a442cfd39aa7e634613dcd5686b88807c76d93e852dde1840191eb7fdffb0a8bf580e2362b688cbc0cff62b60c8afc5bdc94

    • C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\6e90ed81-9187-fa62-ce90-f18d7bed6b12.xml.1e9ae0

      Filesize

      3KB

      MD5

      4688943bc2570fed6e77b262f9ebf90c

      SHA1

      605e390f55895d15d9a3d4532ab70c076a0f3dd2

      SHA256

      f5b47d221ed7386712c25f630e6dc3c946b3defb7827254d41852ab29045d55d

      SHA512

      50fe7122844578298b459c3fe6fd129980204ddb530280a7b22835e41e09e21efc41d5f8f6ab9f864428b6f7fc153280065c319602f0439032a89868e7a3c8db

    • C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\7646fa0f-b52c-71a8-3aed-950dd1668c09.xml.1e9ae0

      Filesize

      3KB

      MD5

      385d04faa592f334610f9690a85525fd

      SHA1

      260408b55641a32afd9dd64f690cca2887aec38c

      SHA256

      5c63aa7ad93651c6189914ef508392847a99eb9eec304724e3a2606556659211

      SHA512

      2d54f42ca87c27ebd8f277b486c8f98346ba4fbf4acba381d88a1ee25f8d2441b6939fb87184a76931a38f12d149214959c44d5399a8d8854707b2445cc42dba

    • C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\9d3ad23c-c6b8-7fb5-e4ab-f5d0a66dcfbc.xml.1e9ae0

      Filesize

      3KB

      MD5

      c6368d10c1a3665295ddf105e3589ff0

      SHA1

      3a530f95b8f95ff53585d579d96cafb6fb926707

      SHA256

      7b1469042a4a808430e0341302141f8c7e2eec7ba7213d4e011a102011f984e5

      SHA512

      75a2232d9c0b55e1ffc24aaca99e85b96b9bfb7aff5f5f4f3f70993e5e44bab4f50a7e43ffaa6afc9064318cb37d9805dddd797561d47ee19d0b97a38dd80049

    • C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\b34b197c-c0ed-bf12-c9bb-44e883c66a9d.xml.1e9ae0

      Filesize

      2KB

      MD5

      285eb64dca662f108a9a539c429fc3e8

      SHA1

      9b93d3a5d704794b8a547e8720a03f64815862b1

      SHA256

      daf04a8833d4d82d16c5dea08b824b1fa2980c98d1054b26c5a7bfb35c2ebe56

      SHA512

      eccdaf465c7aad2ce5df7a8d68db56a56d7aad60f511db5f356de957a1f46223a77d2901367b5a0d7d3110d136cd8f4ce287ce5004757f6fc8577b325e14743d

    • C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\e8ac9388-7c9c-19cc-fd4d-cb72bb1544ea.xml.1e9ae0

      Filesize

      2KB

      MD5

      e51634f6ba26b958d51bc9be6518ab2c

      SHA1

      4db3154911c2d3faf7101e9f3e78d784f2299122

      SHA256

      174318fb8bbc941b82adb5e08f1c045c3941467f5fa27984a594e1e4c96d1504

      SHA512

      c1822d8fac0445eb84ac3f9296f2f4ed7c914e43fd866bce36b36db79b0b372ce4239692a34add962af7cc873eeda490e28a4dc60d52e8947f764fcdc4ce871a

    • C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\ecbc2601-0a67-4963-e594-43c65d6ec9a5.xml.1e9ae0

      Filesize

      3KB

      MD5

      3efba0bd2e58987ce346aa1cacd77566

      SHA1

      7df57340c94b9016893dddb58655e1efd5be6066

      SHA256

      e8fb2b3794b6a1007b154d6788e4273cd218d48d61b79fc51438cc0c862ae484

      SHA512

      3fbfefbf61c827bb6eb5f3ffdbe11af9fb8fd8d1854059382dc51fcb60699329a5cc1a01e82cc3ba318e25a58a0a17f17c32b88fe165ff56d41aca01a49cc716

    • C:\Users\Admin\AppData\Local\Temp\E781.tmp.bat

      Filesize

      82B

      MD5

      5af6aba0f034a352b84981606f21a7b6

      SHA1

      d1400c85a47ddbd3ed5a6e86d879d4029e07b961

      SHA256

      d0b6b2376470ad8cad1b5e7301ac022867234c478d003aa0f5e95831c806ebc0

      SHA512

      bdb063926d43f71ea9adcaeb28af40eb08ba3b27cda4766bf1f8bb4863042960d57a54bff496c03dc6ceb69adb29c356c5cd9eb37dba1447cc86ad0c4bb212c1
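The list above is flattened: each dropped file is a bullet line with its path, followed by label/value pairs (Filesize, MD5, SHA1, SHA256, SHA512). The script below is an added example, not part of the report, that parses that layout into records, checks that every hash has the length its algorithm implies (a truncated copy-paste is the usual way IoC lists go wrong), and sorts the paths into encrypted files, ransom notes and everything else. SAMPLE is a constructed excerpt copying three of the entries above in the report's own layout with the blank lines omitted (the parser skips blank lines, so the spaced original parses the same); the parser and helpers are this example's own.

```python
"""Parse the report's flattened 'Downloads' list into structured IoC records.

Added example; not from the report. SAMPLE copies three entries from the
report's Downloads section in the report's own layout.
"""
import ntpath
import re

SAMPLE = r"""
• C:\ProgramData\Microsoft\User Account Pictures\1E9AE0-Readme.txt
  Filesize
  1KB
  MD5
  2a34460f89a024f9c32f08c8d62b1b86
  SHA1
  338bb2468797ee5317cf735452320d03ba2013f4
  SHA256
  1b2693a284279b0d153779e9e745d501be472f6fec178682b24e0eca0cd3a10c
  SHA512
  9fdf976986825681e9c0dbc5b95392d31abc48fcdbf206131c337cb7032883ffcb1de4344fd91564788c0f6696d12e059ec2f7b972daae4a405c76144c20b8ee
• C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\b34b197c-c0ed-bf12-c9bb-44e883c66a9d.xml.1e9ae0
  Filesize
  2KB
  MD5
  285eb64dca662f108a9a539c429fc3e8
  SHA1
  9b93d3a5d704794b8a547e8720a03f64815862b1
  SHA256
  daf04a8833d4d82d16c5dea08b824b1fa2980c98d1054b26c5a7bfb35c2ebe56
  SHA512
  eccdaf465c7aad2ce5df7a8d68db56a56d7aad60f511db5f356de957a1f46223a77d2901367b5a0d7d3110d136cd8f4ce287ce5004757f6fc8577b325e14743d
• C:\Users\Admin\AppData\Local\Temp\E781.tmp.bat
  Filesize
  82B
  MD5
  5af6aba0f034a352b84981606f21a7b6
  SHA1
  d1400c85a47ddbd3ed5a6e86d879d4029e07b961
  SHA256
  d0b6b2376470ad8cad1b5e7301ac022867234c478d003aa0f5e95831c806ebc0
  SHA512
  bdb063926d43f71ea9adcaeb28af40eb08ba3b27cda4766bf1f8bb4863042960d57a54bff496c03dc6ceb69adb29c356c5cd9eb37dba1447cc86ad0c4bb212c1
"""

LABELS = {"Filesize": "size", "MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def parse_downloads(text: str) -> list:
    """Turn bullet + label/value lines into a list of dicts, one per file."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):            # new entry: the path
            current = {"path": line[1:].strip()}
            records.append(current)
            pending = None
        elif line in LABELS:               # a label; value is on the next line
            pending = LABELS[line]
        elif pending and current is not None:
            current[pending] = line.lower() if pending != "size" else line
            pending = None
        else:
            raise ValueError(f"unexpected line: {line!r}")
    return records


def malformed_hashes(records: list) -> list:
    """(path, field) pairs whose hash is missing or not the expected hex length."""
    bad = []
    for r in records:
        for field, n in HEX_LEN.items():
            if not re.fullmatch(rf"[0-9a-f]{{{n}}}", r.get(field, "")):
                bad.append((r["path"], field))
    return bad


def classify(records: list, ext: str) -> dict:
    """Split paths into encrypted files (<name>.<ext>), notes (<EXT>-Readme.txt), other."""
    ext = ext.lower()
    out = {"encrypted": [], "notes": [], "other": []}
    for r in records:
        name = ntpath.basename(r["path"]).lower()
        if name == f"{ext}-readme.txt":
            out["notes"].append(r["path"])
        elif name.endswith("." + ext):
            out["encrypted"].append(r["path"])
        else:
            out["other"].append(r["path"])
    return out


def sha256_index(records: list) -> dict:
    """sha256 -> path, for matching hashes seen elsewhere against this report."""
    return {r["sha256"]: r["path"] for r in records}
```

With the victim extension `1e9ae0` taken from the note, the excerpt sorts into one note, one encrypted file and the dropped batch file; run over the full list above it would also pick up the ClickToRun `Manifest.xml` entry as "other", a file the report lists but which carries neither the extension nor the note name.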