Overview

overview

10

Static

static

9

aee5f89896...17.exe

windows7-x64

10

aee5f89896...17.exe

windows10-2004-x64

Analysis

  • max time kernel
    81s
  • max time network
    84s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2024 22:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe

  • Size

    282KB

  • MD5

    38f3d7cdc3ec83dfd3b8309b569481bc

  • SHA1

    4398b03f857a45af838f0d2b8094a367708c0968

  • SHA256

    aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17

  • SHA512

    14d6d4c611a910c5e9b83c58f42acdee9dd69356066dabdef7386d5c8dc67ab9e153f2e906097f44324babfbf8c5ea0b7156c0befeecb39eaf639fefa24c0858

  • SSDEEP

    3072:uvgIGSgSWSQ2qobyyBPgKlBkqdX2z6oXo:SgIGSgpSQ2J7PLlBkYXxoY

Score
10/10
netwalkerdefense_evasiondiscoveryexecutionimpactransomwarespywarestealer

Malware Config

Extracted

Path

C:\Program Files (x86)\MSBuild\BA3AAF-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .ba3aaf -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_ba3aaf: kPowKQX10aXt/INXPlQa2DQsbQ541dhNK7Ng0ivZViSJ5L/JiE cVUFLPYQoS6aQT3buiJXAbR1FkeHYfl9HT2G5jbnvIxExR41Zj AiU7RZyEAfvOsFbFIs+WUNrVSHkf8eQY8Hxyj4DkWlQugZAucv Z63VZOTYp3t0E/d1JScMa6wbdDvUNlb7o/UlQb+7o80SfdRL1x x43ImJbrBn7PQ2At5NLG+RzsLsAyEFq3dGfvk9tUBEtThwbxbk hUFaLvFcBYVuH4uJj2g4TURz/8morbvD9I8kZb1Q==}
URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

  • Detected Netwalker Ransomware 11 IoCs

    Detected unpacked Netwalker executable.

  • Netwalker Ransomware

    Ransomware family with multiple versions. Also known as MailTo.

    ransomwarenetwalker
  • Netwalker family
    netwalker
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (7385) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe
    "C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:2260
    • C:\Windows\SysWOW64\notepad.exe
      C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\BA3AAF-Readme.txt"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:5060
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\FC3A.tmp.bat"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4428
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /PID 2236
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:6720
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4396

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\MSBuild\BA3AAF-Readme.txt
    Filesize

    1KB

    MD5

    6a138ced4f4aa6fb80604fa3fc11b829

    SHA1

    b4ee892831ba33ad9d3c0feae05cf81c9208493c

    SHA256

    4b1c4914f34302c1d7d1df62c462a9e5726ab1b745cd014740e14a59126803fe

    SHA512

    80dc25f60a5825d7fe7ed489a03c939865444898becf61b42c7c7d52f6ed0dcf137128f6f565f03cc89b2785dbc6c67eca23ad83de14af01ef1c6d4cb9073253

    Download Submit

  • C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_CValidator.H1D.ba3aaf
    Filesize

    12KB

    MD5

    6a0423e0d1bc83d6b161a9174f89ed0c

    SHA1

    4a36fc9dfbf01f678e27a3a171e2261ce8f95bb1

    SHA256

    13f9c535275af19149310bff6d0536d1555f772e281950942bef3fa00436ccbe

    SHA512

    cb5f8dcf0043f2f4266cb9e71a11ffa84da8e01b93563d213e028cd4bebfe874c75093d2f223d1cb2125b25818ad62cfeea73095aca2a67c337353c41b2bed9f

    Download Submit

  • C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_MValidator.Lck.ba3aaf
    Filesize

    284B

    MD5

    031c82116a2ae3fe1c35feb8f76f54a5

    SHA1

    2c3fbc2a6b6bdc997ee1ed0d4d08e2767215c589

    SHA256

    209e0d92e906bb3ad246d9eab3bfd613515a7d4f55b933f20ebb1ee79bdf6c2a

    SHA512

    a595464bed78d9fbedcf2aa4e9045caefe68ab3b57a01e7cfaa08082bff5d0d5957cab2e21651d7fa8300617032c6e4846144d882a63dbc0945a8c0bf1c454f0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\FC3A.tmp.bat
    Filesize

    141B

    MD5

    8de2f7f6237739c4bbd86bea97e0bc47

    SHA1

    bf3e975104f9cce022a4897ac69ee7c341315dce

    SHA256

    1dbf1c918053c7d1040913ce5b7004cc5931d41b746ade4b87cef1fee2f5cf7a

    SHA512

    cd06856735fbaff24d12fde83eadaea231140b45663d796a047e80ee85f401c7b4f8f4516dca6d21c9ab3961de40763ab02590bcc98280519182049a11e1953a

    Download Submit

  • memory/2236-4988-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/2236-804-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/2236-1377-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/2236-2194-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/2236-3321-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/2236-15-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/2236-7135-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/2236-0-0x00000000001B0000-0x00000000001D6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2236-1-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2236-6-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2236-8235-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2236-8234-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download