Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    27-10-2024 13:44

General

  • Target

    (2020) Netwalker.exe

  • Size

    69KB

  • MD5

    80372de850597bd9e7e021a94f13f0a1

  • SHA1

    037db820c8dee94ae25a439b758a2b89f527cbb4

  • SHA256

    2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8

  • SHA512

    f43db3569ac60d6ed55b9a3a24dcb459e14b0bd944e9405a8cb2bfb686eaeff31c82ffcd6c477d6a6affe9014ae8ed7d8af174e8ceebbcf00b64ad293901a77a

  • SSDEEP

    1536:juCWRxL7hbUiQfovecnXUU+hhOZuIWiFp+ZfaBZebC33O+Pd71vb:KCWf7VJQfmeMXvkhOZu1iFBBZebC3F7t

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\MF\9DE7C9-Readme.txt

Family

netwalker

Ransom Note

Hi! Your files are encrypted by Netwalker.
All encrypted files for this computer has extension: .9de7c9
--
If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery.
--
Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free.
--
Steps to get access on our website:
1.Download and install tor-browser: https://torproject.org/
2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
3.Put your personal code in the input form:
{code_9de7c9: Uj7dxA9+lGmbrUpFv3tRIg92A4lf8uewyrWo5DGTb23jkm5Yf9
53cQi5D/+rRNBCAKbWPhAtvBpi65mbwPsWyQNHmp/oKfBvAg4e
DSsr9laHfVKLGO72jbu1sZ8FZZld5/sovIQboHbRa94KCI79EQ
tvWhI1pC4wlSw/bLwE1BSeFa/tpAJKBj9TBPLF8uu+du4tS864
Y4PLqtY3bS9Wgrqr2B3kST+L44M4zfQiyuiL2jSZpvgqsMZqzR
YOcC+9XvwxZ2vFLCR2EcezPel8k7UhQWgxRbDfdA==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
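
The config above (family, extension, sites, victim code) is what a sandbox extractor pulls out of the dropped note. The following is an added example written for this report, not the sandbox's extractor and not the malware's code: it parses the note text into those indicators and cross-checks them before they are trusted. It assumes the note layout shown above (extension announced as "extension: .xxxxxx" with six hex characters, sites as v2/v3 .onion hostnames, the victim code as a "{code_xxxxxx: ...}" blob that may be wrapped across lines); the sample input is the report's own note, abbreviated to the indicator-bearing lines.

```python
"""Pull the indicators a Netwalker ransom note carries (appended extension,
.onion sites, per-victim code) out of the note text.

Added example for this report; not the sandbox's extractor, not malware code.
Assumptions: note layout as on the page (extension: .xxxxxx, v2/v3 .onion
hostnames, a {code_xxxxxx: ...} blob that may be line-wrapped).
"""
import base64
import re
from dataclasses import dataclass, field

EXT_RE = re.compile(r"extension:\s*\.([0-9a-f]{6})\b", re.I)
ONION_RE = re.compile(r"\b(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion\b")
CODE_RE = re.compile(r"\{code_([0-9a-f]{6}):\s*(.*?)\}", re.I | re.S)


@dataclass
class NetwalkerNote:
    extension: str                      # e.g. "9de7c9"
    onion_urls: list = field(default_factory=list)
    code_id: str = ""                   # the xxxxxx in {code_xxxxxx: ...}
    code_b64: str = ""                  # blob with line-wrapping removed

    def code_bytes(self) -> bytes:
        # validate=True rejects characters outside the base64 alphabet and
        # bad padding instead of silently skipping them
        return base64.b64decode(self.code_b64, validate=True)


def parse_note(text: str) -> NetwalkerNote:
    ext = EXT_RE.search(text)
    if not ext:
        raise ValueError("no 'extension: .xxxxxx' announcement; not a Netwalker note?")
    note = NetwalkerNote(extension=ext.group(1).lower())
    seen = set()                        # keep order: primary site, then fallback
    for m in ONION_RE.finditer(text):
        if m.group(0) not in seen:
            seen.add(m.group(0))
            note.onion_urls.append(m.group(0))
    code = CODE_RE.search(text)
    if code:
        note.code_id = code.group(1).lower()
        note.code_b64 = re.sub(r"\s+", "", code.group(2))
    return note


def consistent(note: NetwalkerNote) -> bool:
    """Cross-check before trusting the extraction: the code id must match the
    extension, at least one site must be present, and the blob must decode."""
    if note.code_id != note.extension or not note.onion_urls:
        return False
    try:
        note.code_bytes()
    except ValueError:                  # binascii.Error is a ValueError
        return False
    return True


# The note this report extracted, abbreviated to the lines that carry
# indicators and wrapped as it appears on the page.
SAMPLE_NOTE = """Hi! Your files are encrypted by Netwalker.
All encrypted files for this computer has extension: .9de7c9
Steps to get access on our website:
1.Download and install tor-browser: https://torproject.org/
2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
3.Put your personal code in the input form:
{code_9de7c9: Uj7dxA9+lGmbrUpFv3tRIg92A4lf8uewyrWo5DGTb23jkm5Yf9
53cQi5D/+rRNBCAKbWPhAtvBpi65mbwPsWyQNHmp/oKfBvAg4e
DSsr9laHfVKLGO72jbu1sZ8FZZld5/sovIQboHbRa94KCI79EQ
tvWhI1pC4wlSw/bLwE1BSeFa/tpAJKBj9TBPLF8uu+du4tS864
Y4PLqtY3bS9Wgrqr2B3kST+L44M4zfQiyuiL2jSZpvgqsMZqzR
YOcC+9XvwxZ2vFLCR2EcezPel8k7UhQWgxRbDfdA==}
"""

if __name__ == "__main__":
    n = parse_note(SAMPLE_NOTE)
    print(n.extension, n.onion_urls, len(n.code_bytes()), "bytes", consistent(n))
```

The consistency check matters because the personal code is the only per-victim value in the note: the sandbox keys its config on it, and a blob that does not decode, or whose id disagrees with the announced extension, usually means the note was truncated or mis-extracted rather than a new variant.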

Signatures

  • Netwalker Ransomware

    Ransomware family with multiple versions. Also known as MailTo.

  • Netwalker family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (7434) files with added filename extension

    This suggests ransomware activity: files across the system are being encrypted and renamed with a new extension.

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.
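
The "renames multiple (7434) files with added filename extension" signature above is a behavioural heuristic, not a string match. The following is an added example written for this report, not the sandbox's own rule: it reproduces that heuristic over file-rename telemetry, counting renames that append one identical suffix across several directories inside a sliding time window and correlating the suffix with a "<SUFFIX>-Readme.txt" drop. The event shape (ts, old, new), the list of written paths and the thresholds are assumptions chosen to mirror this report (renames to .9de7c9 and a 9DE7C9-Readme.txt drop); the sample events are constructed from the help-file paths listed further down under Downloads.

```python
"""Heuristic behind the 'renames multiple files with added filename
extension' signature: many renames that append one identical suffix, spread
over several directories, inside a short window, correlated with a ransom
note named "<SUFFIX>-Readme.txt" written in the same run.

Added example for this report, not the sandbox's own rule. Event shape,
write list and thresholds are assumptions; tune them to your telemetry.
"""
import ntpath                       # Windows path semantics on any host
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RenameEvent:
    ts: float                       # seconds since the run started
    old: str
    new: str


def appended_suffix(old: str, new: str) -> Optional[str]:
    """'a.txt' -> 'a.txt.9de7c9' yields '9de7c9'; any other rename shape
    (replaced extension, move, dotted or path-like suffix) yields None."""
    if not new.startswith(old + "."):
        return None
    suffix = new[len(old) + 1:]
    return suffix if suffix and "." not in suffix and "\\" not in suffix else None


def detect_mass_rename(events, written_paths, min_files=20, min_dirs=3, window_s=120.0):
    """Return one hit per suffix that meets the thresholds inside a sliding
    window; each hit records file and directory counts and the path of a
    matching ransom note, if one was written."""
    by_suffix = defaultdict(list)
    for e in events:
        s = appended_suffix(e.old, e.new)
        if s:
            by_suffix[s.lower()].append(e)
    hits = []
    for suffix, evs in by_suffix.items():
        evs.sort(key=lambda e: e.ts)
        start, best_n, best_dirs = 0, 0, set()
        for end, e in enumerate(evs):
            while e.ts - evs[start].ts > window_s:   # slide the window forward
                start += 1
            if end - start + 1 > best_n:              # densest window so far
                best_n = end - start + 1
                best_dirs = {ntpath.dirname(x.new) for x in evs[start:end + 1]}
        if best_n >= min_files and len(best_dirs) >= min_dirs:
            note = next((p for p in written_paths
                         if ntpath.basename(p).lower() == f"{suffix}-readme.txt"), None)
            hits.append({"suffix": suffix, "files": best_n,
                         "dirs": len(best_dirs), "note": note})
    return hits


# Constructed sample: the locale/help-file paths from this report's
# Downloads section, renamed 0.4 s apart, plus two benign renames that
# must not count towards the threshold.
BASE = r"C:\ProgramData\Microsoft\Assistance\Client\1.0"
LOCALES = ["en-US", "es-ES", "fr-FR", "it-IT"]
NAMES = ["Help_MKWD_AssetId.H1W", "Help_MValidator.H1D", "Help_MValidator.Lck",
         "Help_CValidator.H1D", "Help_MKWD_BestBet.H1W", "Help_MTOC_help.H1H"]


def sample_events():
    evs, t = [], 0.0
    for loc in LOCALES:
        for name in NAMES:
            p = ntpath.join(BASE, loc, name)
            evs.append(RenameEvent(t, p, p + ".9de7c9"))
            t += 0.4
    evs.append(RenameEvent(t, r"C:\Users\Admin\Documents\report.doc",
                           r"C:\Users\Admin\Documents\report.docx"))
    evs.append(RenameEvent(t + 1, r"C:\Users\Admin\Downloads\setup.tmp",
                           r"C:\Users\Admin\Downloads\setup.exe"))
    return evs


SAMPLE_WRITES = [r"C:\ProgramData\Microsoft\MF\9DE7C9-Readme.txt",
                 r"C:\Users\Admin\AppData\Local\Temp\39C6.tmp.bat"]

if __name__ == "__main__":
    for hit in detect_mass_rename(sample_events(), SAMPLE_WRITES):
        print(hit)
```

Requiring the same suffix across several directories is what keeps a single application rewriting its own cache out of the alert; the note correlation is optional evidence, since some families drop the note before encrypting and others only at the end.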

Processes

  • C:\Users\Admin\AppData\Local\Temp\(2020) Netwalker.exe
    "C:\Users\Admin\AppData\Local\Temp\(2020) Netwalker.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:2168
    • C:\Windows\SysWOW64\notepad.exe
      C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\9DE7C9-Readme.txt"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2512
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\39C6.tmp.bat"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:7464
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /PID 2372
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2104
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:7872
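
Two things in the process tree above are worth turning into detections: vssadmin.exe deleting every shadow copy (recovery inhibition), and the dropper spawning cmd.exe on a temp .bat whose taskkill targets the dropper's own PID so the batch file can delete the executable afterwards (the "Deletes itself" signature). The following is an added example written for this report, not the sandbox's signature code: it runs both rules over process-creation records. The records are constructed from the PIDs and command lines in the Processes section; the field names (pid, ppid, image, cmdline), the parent PIDs 1000 and 600 for the top-level processes, and the extra benign taskkill used as a control are assumptions.

```python
"""Process-tree detections for the two behaviours shown in this report:
vssadmin wiping every shadow copy, and a cmd.exe-launched temp .bat whose
taskkill targets its own ancestor (the dropper) so the file can be deleted.

Added example for this report, not the sandbox's signature code. Events are
constructed from the Processes section; field names and the parent PIDs of
the top-level processes (1000, 600) are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str


SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b", re.I)
ALL_SHADOWS = re.compile(r"\s/all(?:\s|$)", re.I)
TASKKILL_PID = re.compile(r"/pid\s+(\d+)", re.I)
TEMP_BAT = re.compile(r'cmd(?:\.exe)?\s+/c\s+"?[^"]*\\temp\\[^\\"]+\.tmp\.bat"?', re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(pid, by_pid):
    """Yield known ancestors nearest-first; stops at unknown PIDs and loops."""
    seen, cur = {pid}, by_pid.get(pid)
    while cur and cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        yield cur


def detect(events):
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = _basename(e.image)
        if name == "vssadmin.exe" and SHADOW_DELETE.search(e.cmdline):
            parent = by_pid.get(e.ppid)
            alerts.append({"rule": "shadow_copy_deletion", "pid": e.pid,
                           "all_shadows": bool(ALL_SHADOWS.search(e.cmdline)),
                           "parent": _basename(parent.image) if parent else None})
        elif name == "taskkill.exe":
            m = TASKKILL_PID.search(e.cmdline)
            if not m:
                continue
            target = int(m.group(1))
            chain = list(ancestors(e.pid, by_pid))
            # killing an ancestor is the giveaway: an operator's taskkill
            # targets an unrelated process, not the one that spawned it
            if any(a.pid == target for a in chain):
                alerts.append({"rule": "self_delete_ancestor_kill", "pid": e.pid,
                               "target": target,
                               "target_image": _basename(by_pid[target].image),
                               "via_temp_bat": any(TEMP_BAT.search(a.cmdline) for a in chain)})
    return alerts


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\(2020) Netwalker.exe"
SAMPLE_EVENTS = [
    ProcEvent(2372, 1000, DROPPER, f'"{DROPPER}"'),
    ProcEvent(2168, 2372, r"C:\Windows\system32\vssadmin.exe",
              r"C:\Windows\system32\vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(2512, 2372, r"C:\Windows\SysWOW64\notepad.exe",
              r'C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\9DE7C9-Readme.txt"'),
    ProcEvent(7464, 2372, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c "C:\Users\Admin\AppData\Local\Temp\39C6.tmp.bat"'),
    ProcEvent(2104, 7464, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /F /PID 2372"),
    ProcEvent(7872, 600, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    # assumed benign control: an operator killing an unrelated PID from a console
    ProcEvent(3000, 1000, r"C:\Windows\system32\taskkill.exe", "taskkill /F /PID 4444"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

The ancestor walk is the part that separates this self-delete pattern from ordinary administration: the rule fires only when the killed PID lies on the killer's own parent chain, so the control record (PID 3000 killing 4444) stays silent, and the temp .bat check is recorded as supporting evidence rather than required, since the batch name is random per run.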

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_AssetId.H1W.9de7c9

    Filesize

    229KB

    MD5

    e46b5f6599b714f83a5443181be656fa

    SHA1

    e5830ed8b242610cb555e17995299999513d9823

    SHA256

    e9d7577da4b2a5a7709f3d51b3fd50fa07283476bab91cd7946aae140606d507

    SHA512

    1f726f5596f4d5a0cb2c197bcf6be509a303d547238b9400815c2f5b17992b9debe8d1c31c3f01887ae9409269e38f2e96aff6c235b04627c3f38b811582812c

  • C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MValidator.H1D.9de7c9

    Filesize

    14KB

    MD5

    3b8241d418f3ec3395531c894fd4dc94

    SHA1

    8724e8074400fcbc2e994fbc9572c88bbc29743d

    SHA256

    c3907b826e2eb2232b0296804c1685c3055b157b27967feae28f4515cbfc1e98

    SHA512

    7f928f313aac79da7e57441ab0c76dd654ef6aa60e0d9ff119a797d7c0b8ad2baff5aa8c3b2df11525551dfe5742a2db5422f7dd0d43a57ec1eb037fa23ca4e8

  • C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MValidator.Lck.9de7c9

    Filesize

    284B

    MD5

    a297edea0bbbe5f18c66302cebbe57f4

    SHA1

    6c1b7dc261ae77666324d91e2b426c07a99c47ef

    SHA256

    ad9269e5f29ed015fe904245ddc91c77e6b41d1e764bd0ed6e9ab3829b9f0369

    SHA512

    8e0a8037c8e6280f50cf4b9f84cf0a2bc8f25c514d5367edd34c5292c89b626a0d12b0fc10af6602109f45a7437d94f473299ecedaf533e0432c9cb6782d60de

  • C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck.9de7c9

    Filesize

    284B

    MD5

    7c46f5327a35681773f1266866321531

    SHA1

    06952238269ac4bfb6016ab1413f25cfe2724914

    SHA256

    f23ece4eba428cbabda2e36d926fb7072b08fb072b1a3327ebc901a67a2a44ff

    SHA512

    a1ffeb180893822101581c048647788a2cffc58294f9bd72b0239540286ffd3dd6ef6b9ec2e2040bd0baa33fecf2d4a5c81191d92a5819475dced6bb5ca76a47

  • C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_CValidator.H1D.9de7c9

    Filesize

    12KB

    MD5

    cf2f8fc2c6b1929c95b9becbce050677

    SHA1

    03c0682514086196afb813c39f6fc1ca2a35535b

    SHA256

    41b03dcb95478f240480a80641e1f83878581e343549868129f4792fc127d3ae

    SHA512

    d980b4081ac6af88fd1637fe19afa2de1c1890bf88652c48cd18533744725f4e59d8ef1310a8e13c1bf413942e9dc994a2eef9408eba1ed5c4272d5661c0a6e7

  • C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_MKWD_AssetId.H1W.9de7c9

    Filesize

    229KB

    MD5

    55e29b0a35d0bbd9cc9277c6d2ecedc7

    SHA1

    d322774592539e7826cffc43ca20679e3d963ea7

    SHA256

    3a1967f561be2f98bab0234ba78a0c6c066b791e350d1a63412c9a43e304acfc

    SHA512

    0267d2c83f6d2b1d94b0a2236d59f71b75b3aee39876c092e2acfa0ac26fc55a08ff0eed812cc88516521f14e676de31dcf9822ea9896f2c533be6279c7ea4d5

  • C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_MKWD_BestBet.H1W.9de7c9

    Filesize

    422KB

    MD5

    a1d9f9a680028a5cde16925c6643fc21

    SHA1

    78e74773cc2c15893c5289b61893e9359189592e

    SHA256

    74e25d789a6fc5f51072084ccce5b4786152d6b14df15f1d11a04c2f6cc98925

    SHA512

    f63fe9e0e3bb37356144f27907aae68e7b104795ab2e537fb47d55e0760aa60eb8540b4ff5e741984044a978c60790b2c14d4bc802106913d9cb21675d52db53

  • C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_MValidator.H1D.9de7c9

    Filesize

    14KB

    MD5

    5d7c3a6b915d72ca5ff3fedfcc5124a2

    SHA1

    dfed442f4092048f2beae9b647b9e7e7e88e7aa7

    SHA256

    d414d7e11869990a07091ed901ce8440cd7e603ab551a823573cb42489bafa55

    SHA512

    619f0082cb527aed227531616356679931f7bb74ae1afd02ef639cf1d7240872dca9d603743807511a5b9f7ac10263ef260b22eb1ac5cf8a3050d7ff0f94d1b7

  • C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help{92F2118A-E813-4A4D-9DE2-F96A9DC02C53}.H1Q.9de7c9

    Filesize

    1.1MB

    MD5

    dbad5be0744edf36ffe8a0dd72b2a674

    SHA1

    5861f71de81124d7c6920e28701dc88d37fa6089

    SHA256

    2e387ac0d2d87cb5633bb1abddd2b007b05425d9572607d8a7613531df65a795

    SHA512

    0d983c3d3ade70aaeb4859217fd66a7cf244e984ddbb0a6341f898d3616bc52a006eb35d320ae15d43826a49c8c6b9f3fdb0ef7b49e40d85211c54de0c4ae09f

  • C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_CValidator.H1D.9de7c9

    Filesize

    12KB

    MD5

    be4f7f042b38ac4a0ad2a06a9b9cea26

    SHA1

    ceacf976316410c355e78f0c68c4eb30dedf1ecf

    SHA256

    dc2d28d256df52a69e761cbef25c86a2e8234f3cedd8d1f6ae1ced6b23d6ed5f

    SHA512

    f85b5d5e47a948d08d97f2f0fb593785c1524aba6069035508eb2b6d0ebf613903de53a69b13f5764679fb25b4b6980cfae54ad6e56e22b55f433de4e311e1ea

  • C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MKWD_BestBet.H1W.9de7c9

    Filesize

    422KB

    MD5

    8e875209ce8386e2ddd189962e78f6ba

    SHA1

    7658fe9f21ccd0cd2ca096a52e3d2734d89b84ef

    SHA256

    f0e2ceb5347efc5cc41aa5ad63c0bc2386d80db0dc9241d8576687f48b7db3a8

    SHA512

    f2d837558e45aefcd49a00d7b0798ce9941232271afcfd7f1e8ee8dfea77e08b1f7974895bf20fc942022b45267972ecf807d9703144c8d6fb6dc9a4fa657e40

  • C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MTOC_help.H1H.9de7c9

    Filesize

    531KB

    MD5

    4dd9a2fb68be6f30943587d6d4f35611

    SHA1

    eb628fd94987a3855f78f9fb52f364ae9b66e492

    SHA256

    24faebb13782b1871526997c139d7ae45ee7b6fb2ab8096f84c5758b90f499ea

    SHA512

    f923228b99ae549a5128af7010f4e17ced9ad007ae1e4cf53c94cf5e62457a517a74dc7b909f3830c5cfd2292fe63e6650921d491931f2277517a2065461fc80

  • C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MValidator.H1D.9de7c9

    Filesize

    14KB

    MD5

    0341fcda666a8e9c378290afb78f1f58

    SHA1

    a5ae064ca2e3243e22db0ae072c9eb1dd03edf54

    SHA256

    c96c0ad06a0ff55a579e78b4aa0688272bdb3ca3e36b3bb04e0686d926317163

    SHA512

    03a0513f57ce0fdc4654400b90f9aaa7ba9eb2bae8f0fe735ad7e050793f890ee89de5e96e17757b855e49b603530e171996f235ace7dc03e551429dc1c67a7a

  • C:\ProgramData\Microsoft\MF\9DE7C9-Readme.txt

    Filesize

    1KB

    MD5

    59f000c4b2bf154ce9f8b02669fafe65

    SHA1

    db4ff01964def6a5347106d6a77f0f80acce1fc1

    SHA256

    1f97211bbb9737049063d6d979a9648c9b5cc002234e489d564a75b6ef5c9ff9

    SHA512

    de63872a8a079f3509b55c50fc6fc8da6323652bec68e4118118ddc0f466ca55d562e88817f161e61d5dfc2fd4128a5861e6cff04939b0fe7eea07e25f24961c

  • C:\Users\Admin\AppData\Local\Temp\39C6.tmp.bat

    Filesize

    93B

    MD5

    acf86246b8b7056f20fb7dc24a2569df

    SHA1

    9a9778569a283933c42a7d2a38f81c7b3385e57d

    SHA256

    c5035bcf92205f5c6ed2821d7da48931c1baa4a6aa33f4800946beeae44c0863

    SHA512

    4a99c07b276339f76b7368e6193d5135be22dbc81545afd60fe1bb772d190780288bc9a9211a2d3d9f4709a1e0f1bb87261d6f32940e09d0e7053312d61b7c4c