Overview

overview

10

Static

static

10

8894b6508e...dc.exe

windows7-x64

10

8894b6508e...dc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    27-02-2024 10:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8894b6508e7b3d8759a53d0ac7a6ceb39fd63ba65b1e89be62b2acdce7781fdc.exe

  • Size

    69KB

  • MD5

    2edbacd070d1949bb5d97d3a6e4e23f6

  • SHA1

    761168968a1d951848a36ad428ee4d05153f1e01

  • SHA256

    8894b6508e7b3d8759a53d0ac7a6ceb39fd63ba65b1e89be62b2acdce7781fdc

  • SHA512

    a4b282b8c91124a6dc465573842a03b5fcf346af6e561eef66ea405fcb784251044e2f8a2c0a61cbb0e29f7efc02a71d131930b70e2c021978d00c0b3c38f344

  • SSDEEP

    1536:juCWRxL7hbUiQfovecnXUU+hhOZuIWiFp+ZfaBZebC33O+MEYTb:KCWf7VJQfmeMXvkhOZu1iFBBZebC3+

Score
10/10
netwalkerransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Favorites\Links for United States\10BED9-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .10bed9 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_10bed9: MhN1dJYf10ef/wzihwsWzzf2UJRgRHQEkY1NmkUIolLYa67gxt 39p9OVJmWmeZVboca/r1VyYbfw+hKcWhYfGQWGmK3eeDhPq/a6 0t5rl2rpXPoo1Y5H7rLcE/tFxwN1h/9o7/XGa+VhY7oEIGdZNg I9I0HKvBEuUAobU786jCTFcH+A+ha2OUrJBQ+nZMQpkVec7+dB CbKcmE+ZDZZC/BQ+lNp385e3WBjAFB5K9294IGlYy4A3XUFmv2 ACrA2nqc+1v4Zihwa6Jr38BTpzYTVHuse5V9ogTg==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

  • Netwalker Ransomware

    Ransomware family with multiple versions. Also known as MailTo.

    ransomwarenetwalker
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Renames multiple (7435) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\8894b6508e7b3d8759a53d0ac7a6ceb39fd63ba65b1e89be62b2acdce7781fdc.exe
    "C:\Users\Admin\AppData\Local\Temp\8894b6508e7b3d8759a53d0ac7a6ceb39fd63ba65b1e89be62b2acdce7781fdc.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:1708
    • C:\Windows\SysWOW64\notepad.exe
      C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\10BED9-Readme.txt"
      2⤵
        PID:7444
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c "C:\Users\Admin\AppData\Local\Temp\8288.tmp.bat"
        2⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:5408
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /PID 1924
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:7252
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:7948

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Indicator Removal

    2
    T1070

    File Deletion

    2
    T1070.004

    Credential Access

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Inhibit System Recovery

    2
    T1490

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\XLSLICER.DLL.trx_dll.10bed9
      Filesize

      14KB

      MD5

      3f13093df05cbcefdacf47bc6e129f06

      SHA1

      80e2964659da2062c56005686f2985bd8e8d0a4e

      SHA256

      9e6c9aa4ddcf8f717aceadbe746da56b53d0b186c9508b2ef2530c10a3d8d943

      SHA512

      00ee129ac2b10c3364eee20c9cb05cb3db84aef51b7fc25b8af7e9b18339a5ac232209a201766bf01d8036a60d6fcbbe91a387ed57cefd83f3c24a3f580e7159

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\8288.tmp.bat
      Filesize

      141B

      MD5

      4462f451180584535fdb50b376f1555d

      SHA1

      b92e6429a7b1488014397e2a12c9f548923d4913

      SHA256

      4b47fcfd9dc724c498886a7da2f48c7da4ccbca444d2b049ece4d23bf2202791

      SHA512

      5fa7ec63f8bfd62acdc169edb2e8a64b1fa2ab2a26a33e1a1243447abc442000ed1ede31d78f04a6969973620e6b01fad9b9db980d11028307c1bc81ef71cb57

      Download Submit
    • C:\Users\Admin\Favorites\Links for United States\10BED9-Readme.txt
      Filesize

      1KB

      MD5

      e0234b015e8d435b1a1db4f0b1e26042

      SHA1

      4115414314d293afa4265de6404dbd73fd944e12

      SHA256

      0d4dd2a56bbd092174ab05438fc27db7111f040b44b50073fb9a60648b9b2753

      SHA512

      f9fb96b76b4061a013f7fa2df184d5788f3cd94d76b165dc33ec41864545ca22535f75ba4532c72b4ab19a68de9c1ed836a91e9b4772a734af26a70a87f5c4ff

      Download Submit