Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
23-04-2024 00:55
Behavioral task
behavioral1
Sample
2024-04-23_efeb1be8bd41130cd7c545010d140afa_babuk_mailto.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-04-23_efeb1be8bd41130cd7c545010d140afa_babuk_mailto.exe
Resource
win10v2004-20240412-en
General
-
Target
2024-04-23_efeb1be8bd41130cd7c545010d140afa_babuk_mailto.exe
-
Size
94KB
-
MD5
efeb1be8bd41130cd7c545010d140afa
-
SHA1
a056845be51604a73cac17479f04d9077c202e05
-
SHA256
4fb90e7f4baa933ad69be3abb36dbb586dc86e6162d7ac70a504a0c8942ea798
-
SHA512
291c73ba102104a365c6769b8b29451a3594b06fbe65fe0a8f45d613981bb4ded5e23331ec65148c0a67a90de8fd0cc2c8379909bd2916f1f72cb2ddc68f934a
-
SSDEEP
1536:NQVlCPQRhNs3POdM0ty2XGe0W7Pbk3sPkO5M/Y8fGMNvgaNg:NQ3CPAC/YM0tyAGe0WDPx9MNvg8g
Malware Config
Signatures
-
Detected Netwalker Ransomware 44 IoCs
Detected unpacked Netwalker executable.
resource yara_rule behavioral1/memory/908-0-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/1284-2-0x00000000000C0000-0x00000000000DB000-memory.dmp netwalker_ransomware behavioral1/memory/1284-3-0x00000000000C0000-0x00000000000DB000-memory.dmp netwalker_ransomware behavioral1/memory/908-7-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-9-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-8-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-12-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-14-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-13-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-17-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-16-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-21-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-28-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-32-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-33-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-31-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-30-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-29-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-27-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-26-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-25-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-24-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-23-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-20-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-11-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-44-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-43-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-47-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-50-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-51-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-49-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-45-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-52-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-53-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-54-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-56-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-75-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-58-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-57-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-80-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-81-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-79-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-78-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware behavioral1/memory/908-59-0x00000000000D0000-0x00000000000EB000-memory.dmp netwalker_ransomware -
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Deletes itself 1 IoCs
pid Process 908 explorer.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b06f5748 = "C:\\Program Files (x86)\\b06f5748\\b06f5748.exe" explorer.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 3056 set thread context of 908 3056 2024-04-23_efeb1be8bd41130cd7c545010d140afa_babuk_mailto.exe 28 PID 908 set thread context of 1284 908 explorer.exe 29 -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\b06f5748\b06f5748.exe explorer.exe File opened for modification C:\Program Files (x86)\b06f5748\b06f5748.exe explorer.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2064 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 908 explorer.exe 908 explorer.exe 908 explorer.exe 908 explorer.exe 908 explorer.exe 908 explorer.exe 908 explorer.exe 908 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe 1284 explorer.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 3056 2024-04-23_efeb1be8bd41130cd7c545010d140afa_babuk_mailto.exe 908 explorer.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 1284 explorer.exe Token: SeBackupPrivilege 2568 vssvc.exe Token: SeRestorePrivilege 2568 vssvc.exe Token: SeAuditPrivilege 2568 vssvc.exe Token: SeDebugPrivilege 908 explorer.exe Token: SeImpersonatePrivilege 908 explorer.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3056 wrote to memory of 908 3056 2024-04-23_efeb1be8bd41130cd7c545010d140afa_babuk_mailto.exe 28 PID 3056 wrote to memory of 908 3056 2024-04-23_efeb1be8bd41130cd7c545010d140afa_babuk_mailto.exe 28 PID 3056 wrote to memory of 908 3056 2024-04-23_efeb1be8bd41130cd7c545010d140afa_babuk_mailto.exe 28 PID 3056 wrote to memory of 908 3056 2024-04-23_efeb1be8bd41130cd7c545010d140afa_babuk_mailto.exe 28 PID 908 wrote to memory of 1284 908 explorer.exe 29 PID 908 wrote to memory of 1284 908 explorer.exe 29 PID 908 wrote to memory of 1284 908 explorer.exe 29 PID 908 wrote to memory of 1284 908 explorer.exe 29 PID 1284 wrote to memory of 2064 1284 explorer.exe 30 PID 1284 wrote to memory of 2064 1284 explorer.exe 30 PID 1284 wrote to memory of 2064 1284 explorer.exe 30 PID 1284 wrote to memory of 2064 1284 explorer.exe 30 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-23_efeb1be8bd41130cd7c545010d140afa_babuk_mailto.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-23_efeb1be8bd41130cd7c545010d140afa_babuk_mailto.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\system32\explorer.exe"2⤵
- Deletes itself
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\system32\explorer.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:2064
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2568