Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240221-en locale:en-us os:windows10-2004-x64 system
  • submitted
    25-02-2024 16:30

General

  • Target

    2024-02-25_2edbacd070d1949bb5d97d3a6e4e23f6_mailto.exe

  • Size

    69KB

  • MD5

    2edbacd070d1949bb5d97d3a6e4e23f6

  • SHA1

    761168968a1d951848a36ad428ee4d05153f1e01

  • SHA256

    8894b6508e7b3d8759a53d0ac7a6ceb39fd63ba65b1e89be62b2acdce7781fdc

  • SHA512

    a4b282b8c91124a6dc465573842a03b5fcf346af6e561eef66ea405fcb784251044e2f8a2c0a61cbb0e29f7efc02a71d131930b70e2c021978d00c0b3c38f344

  • SSDEEP

    1536:juCWRxL7hbUiQfovecnXUU+hhOZuIWiFp+ZfaBZebC33O+MEYTb:KCWf7VJQfmeMXvkhOZu1iFBBZebC3+

Malware Config

Extracted

Path

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\17C8A9-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .17c8a9 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_17c8a9: bn0gXxGLgdZVy4UMADBN8pnluHHG4anNIoPxDnYZJY1vYvQuBm EMkVUBPPvim7s6UFHdXYh/tRmxsFIrFimJCMPXLUJISidxq/a6 0pismP3Xob/jrIgr943usOr9GMJU8HszUJMn+yF2NuYh2Z3M+9 9FbHty+89fr++JcGstQ518ErIJsf0IHJF/DTC2LKnY4tEdE5i4 +oygjYogfsJ0s+jt1+4bWWxlD/GItz0+QihFm5PflthXKilhJs sT4UZZn+uN/AdKAyTi1yCxDA5JdCcXd92fQ66+aA==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

  • Netwalker Ransomware

    Ransomware family with multiple versions. Also known as MailTo.

  • Deletes shadow copies 2 TTPs

    Ransomware commonly deletes Volume Shadow Copies to inhibit system recovery; here this is done with vssadmin.exe delete shadows /all /quiet (see Processes).

  • Renames multiple (6628) files with added filename extension

    Appending one fixed extension (.17c8a9 in this run) to thousands of files is characteristic of ransomware encrypting the files on the system.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-25_2edbacd070d1949bb5d97d3a6e4e23f6_mailto.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-25_2edbacd070d1949bb5d97d3a6e4e23f6_mailto.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4716
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:3264
    • C:\Windows\SysWOW64\notepad.exe
      C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\17C8A9-Readme.txt"
      2⤵
      PID:11440
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2B4C.tmp.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:8980
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /PID 4716
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:13272
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1552
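The process tree above is the shape of telemetry a process-creation detection (Sysmon event 1, EDR process events) would see: the sample spawns vssadmin to delete shadows, notepad to display the note, and cmd.exe running a .tmp.bat from Temp whose taskkill terminates the sample's own PID. As an added example that is not part of the sandbox report, here is a small Python correlator over constructed events copied from that tree; the rule names, the ppid placeholder 1000 for the top-level processes and the benign control event are my own.

```python
"""Process-tree detections for the Netwalker behaviour shown above (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path as the sandbox reports it (SysWOW64 for the 32-bit children)
    cmdline: str


# Constructed events mirroring the process tree above. The sandbox does not show
# the parent of the top-level processes, so ppid 1000 is an assumed placeholder.
EVENTS = [
    ProcEvent(4716, 1000, r"C:\Users\Admin\AppData\Local\Temp\2024-02-25_2edbacd070d1949bb5d97d3a6e4e23f6_mailto.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\2024-02-25_2edbacd070d1949bb5d97d3a6e4e23f6_mailto.exe"'),
    ProcEvent(3264, 4716, r"C:\Windows\system32\vssadmin.exe",
              r"C:\Windows\system32\vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(11440, 4716, r"C:\Windows\SysWOW64\notepad.exe",
              r'C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\17C8A9-Readme.txt"'),
    ProcEvent(8980, 4716, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2B4C.tmp.bat"'),
    ProcEvent(13272, 8980, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /F /PID 4716"),
    ProcEvent(1552, 1000, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    # Constructed benign control: listing shadows from an admin shell must not alert.
    ProcEvent(2200, 1000, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),
]


def build_tree(events):
    """Map pid -> event so ancestry can be walked."""
    return {ev.pid: ev for ev in events}


def ancestors(pid, tree):
    """Yield the ppid chain of pid, stopping at unknown or already-seen pids."""
    seen = set()
    cur = tree.get(pid)
    while cur is not None and cur.ppid not in seen:
        seen.add(cur.ppid)
        yield cur.ppid
        cur = tree.get(cur.ppid)


def root_of(pid, tree):
    """Topmost known ancestor of pid; alerts are grouped per root so one
    intrusion shows up as one incident rather than four unrelated hits."""
    last = pid
    for anc in ancestors(pid, tree):
        if anc not in tree:
            break
        last = anc
    return last


def rule_shadow_delete(ev, tree):
    """vssadmin delete shadows; 'list shadows' and other subcommands do not match."""
    if ev.image.lower().endswith("\\vssadmin.exe") and re.search(r"\bdelete\s+shadows\b", ev.cmdline, re.I):
        return "shadow-copy-deletion"
    return None


def rule_temp_batch(ev, tree):
    """cmd.exe /c running a .tmp.bat dropped in the user's Temp directory."""
    if ev.image.lower().endswith("\\cmd.exe") and re.search(r'\\appdata\\local\\temp\\[^"\s]+\.tmp\.bat', ev.cmdline, re.I):
        return "temp-batch-execution"
    return None


def rule_kill_ancestor(ev, tree):
    """taskkill /F /PID <n> where n is in the caller's own ancestry (self-termination)."""
    m = re.search(r"taskkill\b.*?/PID\s+(\d+)", ev.cmdline, re.I)
    if m and int(m.group(1)) in set(ancestors(ev.pid, tree)):
        return "taskkill-of-ancestor"
    return None


def rule_ransom_note(ev, tree):
    """notepad.exe opening a <hex id>-Readme.txt, the Netwalker note naming scheme."""
    if ev.image.lower().endswith("\\notepad.exe") and re.search(r"[0-9a-f]{6}-readme\.txt", ev.cmdline, re.I):
        return "ransom-note-display"
    return None


RULES = (rule_shadow_delete, rule_temp_batch, rule_kill_ancestor, rule_ransom_note)


def detect(events):
    """Return {root_pid: sorted rule names} for every process root with at least one hit."""
    tree = build_tree(events)
    hits = {}
    for ev in events:
        for rule in RULES:
            name = rule(ev, tree)
            if name:
                hits.setdefault(root_of(ev.pid, tree), set()).add(name)
    return {root: sorted(names) for root, names in hits.items()}


if __name__ == "__main__":
    for root, names in detect(EVENTS).items():
        print(f"root pid {root}: {', '.join(names)}")
```

Grouping by root matters more than any single rule: shadow deletion alone is noisy in environments where backup software legitimately runs vssadmin, but the same root producing shadow deletion, a Temp batch file and a taskkill of its own PID within seconds is the cleanup sequence this tree shows and is worth paging on.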

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml

      Filesize

      2.4MB

      MD5

      7ab0b60e1b883cd3499b7e96182d9f6b

      SHA1

      c08d365ae4374b50fbb5fd56a00b474d87808a71

      SHA256

      d91bf75028ee08a6d85547f6e86f884748f114e808685b06d1ab867271dacc78

      SHA512

      6fe3cf4258762e6141bed7de3746fe4f0daafc002953f00b308d7e1c866d028a321ec41f84f906577966b8582174697b6bca962a59ccfc41a87d9e0b2c666268

    • C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.17c8a9

      Filesize

      16KB

      MD5

      fa1a2717f77f7a7af8afb401dbcc2b65

      SHA1

      23c99cb4408f4a1596aa36cdca60ca17bb74fe1a

      SHA256

      4d1e7912342f1b666ea2ce73fb557240c04267d55f98a291c03d87efee93a926

      SHA512

      d0b65acaa3551e15c86253ba244aa670e95f1df48afcc3a3c4a31231152810e6f8109376adff4c5860fe55bc039a82521b218bb0bfec8f0a2dddbfaf73339d7a

    • C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.17c8a9

      Filesize

      2KB

      MD5

      3b65778daeaad0965f7d928a57c25dab

      SHA1

      b3e38c76141636144664be4db84e0b71a9c213cd

      SHA256

      8738c49a2d0f2a3f7c2c222f91aa5557428acf80c91bc33c2b1edf84b0f0202b

      SHA512

      361187f88161113f5395b19b64e72c5bbd8b64e9db18b1397e6317b66d50193e11a8403b831828a8ab2d94b8d3b756a3b36b4d57767ff91e452c3009b0316439

    • C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.es-es.xml.17c8a9

      Filesize

      24KB

      MD5

      99e65a14498e4dac084d30fa00fd337c

      SHA1

      ea74e6321205dac24467082af6aef19e43b4da78

      SHA256

      331edf2e61cf3b186ef67e12442032e558b554c90843e579454c235b164d2548

      SHA512

      908edc0bcbcee136a37119c3d521bab5100ef569940159952ab7a94db01eedcf1aa264b010aa738444512b02d3fafbc0e1689448a92e03a8a1fd676694b0395c

    • C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.17c8a9

      Filesize

      24KB

      MD5

      ec908ddf4e22f28ebea37905b5a9d075

      SHA1

      9eae199f886d45eb419b2373d69f25701127c700

      SHA256

      29ac53995cd79882608aabf2433fcc85a40b362b9c507eb8ba8245d7afaeea60

      SHA512

      60b63007e792ead4968f2bd1b7d274823446838c386f3d2dbee846a0c57622585dd13351afad5c8eeaf6501b792297fa92378b4e8021dfe7b440a08d9abbf599

    • C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.17c8a9

      Filesize

      93KB

      MD5

      097d3524d663c6bbba3be9910dd86c8f

      SHA1

      2630d50e884e8d84dde1af7fdd3cfeaa208a4dca

      SHA256

      f98e282d76e70a5da5330626e59e7ea1ce9d610018b44d51cc5591d2441f86f9

      SHA512

      c8a93d1cb9a683a2f119e7ec9bb6cb97017e05cbc8d76cde247c17d54ede09d012ac9fe6e844dc3635d28d4db659f77e62a5d78e1fc8164b2a8132191209ee75

    • C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office32ww.msi.16.x-none.xml.17c8a9

      Filesize

      331KB

      MD5

      9b391e6d99f0fb985aa27442fcb31ebd

      SHA1

      b2fc3262b80750527df5043934d9389387faedc5

      SHA256

      485cc2a2f2a444d2d25822dda18f23c0e7bbb05909f9c5ec98f0fe43518ef05b

      SHA512

      1e16b679ce1139c6581125a33af3b65c5cd9f37d66099c6e2dd4d7253a52eaa5430c2b14f5392dea3b95e19f092b23714e9b5076343d6c1d7e8af3e27b58982c

    • C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.osmuxmui.msi.16.en-us.xml.17c8a9

      Filesize

      11KB

      MD5

      299a6302107179db63a4c531712e33d4

      SHA1

      9d803aeac4a64ac864c6b99f225f1352a834ad38

      SHA256

      d532438d4144567b2f0320ac2f47e6e9d7a8c3c42b3c4123f51f6d4c548693c1

      SHA512

      aaefe8750a9915162b185427600fe8b3cea21c7462ff9a7624c99db133960e2b98717ce8b83c843fd5b7094f37f2d3afb4a7ccf1334bafb8ab7617be7892ac19

    • C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.17c8a9

      Filesize

      719KB

      MD5

      732d4c711136ed570a3d123b78ba2dbe

      SHA1

      b07210d9c38173e5e35f964f0629501b4f85edaf

      SHA256

      5f733fe82788e625b438d6df78109cc2f43aa9090e084429a8c690c5f4b8615c

      SHA512

      fc03be091b134ea13cd71c47f4f955593a7ba11876170be9d699be5aedfe15fad37fb709e078e830fa9d1b431441920441250de845a9b1f5429c6aef30379ec4

    • C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.wordmui.msi.16.en-us.xml.17c8a9

      Filesize

      77KB

      MD5

      9dde5be29b151d3b938430d3f59e51db

      SHA1

      55148e25358f0905e8a424375825dcf860557dc6

      SHA256

      e384ce9b15d2cfccb7cb52c0e4ea11f3f1ae784e6ba407fd0de25d053f7ef54b

      SHA512

      5e7c19be53581be3fd625ccba5d05d98ea9e1f4b71ca1def98f9e48202676e59864b6546ed5ca3192cf178d2b0bedec38ed20222d1a7599e3658084b34ba13f3

    • C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates Logon.xml.17c8a9

      Filesize

      4KB

      MD5

      c129f8109e3892fc7b5bbae7f23b15c2

      SHA1

      0030df546e6192ce5ea95bb965170be660ed9bf5

      SHA256

      db540b70ea3e3c02a5d939ae08a2c135528a5b5d3a7f4afaed293045b686ad95

      SHA512

      03f3fa9a20c3c3214c703b3ee2af2dc9abfbd9325b18a964e45bbb5d94a4643f8697ede109cf277e9e159fe4750fe1987b71985995301b038155a327339a8a00

    • C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml.17c8a9

      Filesize

      3KB

      MD5

      dd70a4a69b6ba55d85877f03cc25386d

      SHA1

      e5040641f1d70a145012de02406fb46910f80e1f

      SHA256

      292349e38b30ec158f6ab5d95a4f0f49dcd94821064e61bfc34c028ca6b859f7

      SHA512

      3ccaaea4be79d6f0e8b2a7f14466177f36f5f4eca47c7c674f07406f091c75403df212e953f9573c8b12fa2d6010c68ab22b6291545dfe59442b0c62ba429105

    • C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml.17c8a9

      Filesize

      3KB

      MD5

      d46efd9815e48ca985965a0cbda20df9

      SHA1

      f7b5962049e5755edd16ac925e1ff3c5fdecdaef

      SHA256

      9045f9ef17d7872637bdd2e412ca7f217a65a42a431dcb7bc0cc6d6b9ab6eb26

      SHA512

      de8f1a560d7759d3a4617ae1e7ae45ff865e1f4b60c8bdedb8e24291c21e8ca187e808f06d5569e68536d71f352ffcc8c36799d43d03167520f49579be004886

    • C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man.17c8a9

      Filesize

      111KB

      MD5

      c31dee89588791a7ac28dd570ad0fed0

      SHA1

      f5d6029eb45e969f7d7b6156e0ab9e0899ad96e8

      SHA256

      1a16fc942f31354e954c96d52f537e879858fe461dd05989e050456e451bd7c5

      SHA512

      3e6161de1b57466e20dafad930da6d22f95af229f2d16e4b7bf8402356d2849a5ae68429f3f040970c37b727bcd2661674b56b0c5e5430763c5938a9d2338462

    • C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\wordEtw.man.17c8a9

      Filesize

      1.1MB

      MD5

      8d9764f37fb95d4fc0023e25345ab2cc

      SHA1

      533c5c63af24ef5250dd953c191f1404cfd85407

      SHA256

      9e4e15c26ae63cdfcd3c955c48283a7fe9ba3f7cab273bc1ec879c29f674d5e6

      SHA512

      4b1b4b9208329bd4da93da306fb8eb429a9a486ed716de176f434402061792abddf7ae97a46079d38b03032a3f1cddf93e2ee179af8ec32bc3d38d83a369d65f

    • C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\8cfc804a-d777-2361-1670-4569e516397e.xml.17c8a9

      Filesize

      2KB

      MD5

      30cb93f7dc5977e48d3dcffd36f93120

      SHA1

      a46a575483b24d9fe2ed0f6f53b0fb419b203fe1

      SHA256

      84325f19f2c911f539dc365e532f9be2f1001b60fdaf76a41fe1453e81b3bffc

      SHA512

      4f94bd9dea30c40b800e4015c3c779513da5f61a47394dec7a77e1b24404b3eeb31801a32b6082309558c9c44ea3c16bae5359e10a9f831d49ce96752734551c

    • C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\8d56e57b-8663-136d-ff69-a004e217825a.xml.17c8a9

      Filesize

      2KB

      MD5

      39c4c11beb39c634165b33497061e60f

      SHA1

      0dc16bac9d8710c7d46735cd4e4ab9a7e59021dc

      SHA256

      fd9e5365367579330f7e2ee16c218c158e0415e8c783901ad448777137eafb93

      SHA512

      f07c0f23e5d340ee882b33bfdcf25030031a06aefbec6c6a9cb8232d5f1069299fb812b107468c5d56f743cf568e324ce9f99e4e19cc534e40679af2c1d0e36a

    • C:\Users\Admin\AppData\Local\Temp\2B4C.tmp.bat

      Filesize

      127B

      MD5

      d6d0c6735ebc0c09365fdb169f796651

      SHA1

      cab88012a268e5a8c955ad6e11240baf29e16fe3

      SHA256

      0c4ab5d0a01b233742bf20f24f74b38568e5004097b717cefeaa0666dbc88530

      SHA512

      2e5a5fef8157ece8f773663cb03924b8b83925eb7c6dc3e65d0dfc2812b98fa804c99e7c0c0956cf161593665befb47ac31d14179d1f16152be4ea21d170c944

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\17C8A9-Readme.txt

      Filesize

      1KB

      MD5

      cdc4e02866a95b6df9b39bb9ad76e0e3

      SHA1

      bc61a1ba9d7155120f9510769b8b2a2aab5ac080

      SHA256

      395f49ef3d995673863b12403bcd0dbb2f2d123a124ad527bc40a1f0336bea86

      SHA512

      3262a49275fbbb5856766a9fddd7ec9b87260a4cb559f01ab2ca082fb625aeba0bf43ccb1f767c80f76fc4078defb316b2f5e1eed80042052abff984e58a2198