Overview

overview

10

Static

static

9

aee5f89896...17.exe

windows7-x64

10

aee5f89896...17.exe

windows10-2004-x64

Analysis

  • max time kernel
    4s
  • max time network
    4s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2024 22:57

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe

  • Size

    282KB

  • MD5

    38f3d7cdc3ec83dfd3b8309b569481bc

  • SHA1

    4398b03f857a45af838f0d2b8094a367708c0968

  • SHA256

    aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17

  • SHA512

    14d6d4c611a910c5e9b83c58f42acdee9dd69356066dabdef7386d5c8dc67ab9e153f2e906097f44324babfbf8c5ea0b7156c0befeecb39eaf639fefa24c0858

  • SSDEEP

    3072:uvgIGSgSWSQ2qobyyBPgKlBkqdX2z6oXo:SgIGSgpSQ2J7PLlBkYXxoY

Score
10/10
netwalkerdefense_evasiondiscoveryexecutionimpactransomwarespywarestealer

Malware Config

Extracted

Path

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\CA3D36-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted by Netwalker. All encrypted files for this computer has extension: .ca3d36 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_ca3d36: VicDL0xHv5eIKjwAgKOjRGx/mCoF/KoDA8QbjoQvhNnLcD7a7/ 8RnjTrh0/VS84eiMq5UzKlTbNVg3MeQUh/vm/IhdUznLZb41Zj Aif/rxN0s5agA/E2vRo0u6g5wIPjiDgafqR6Q6I8j1d6Px9Qkd 1zMfJl92RKa1WVaGxpnYOsEb1A7/cWipsR1XiutzXmgKWahlnj NJhh9CetMx0kNvaBOylxNdWI+JXOE8AAg3iEsRMQpiPugto2b5 N6/8sTKiVBfpAxDHNgQSdBzIRa7AvG294sx5mY2Q==}
URLs

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

  • Detected Netwalker Ransomware 3 IoCs

    Detected unpacked Netwalker executable.

  • Netwalker Ransomware

    Ransomware family with multiple versions. Also known as MailTo.

    ransomwarenetwalker
  • Netwalker family
    netwalker
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (493) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe
    "C:\Users\Admin\AppData\Local\Temp\aee5f898961105ff97a05c7f847b15ae2e29c9270a20f46caf24e525216d6a17.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3336
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:2236
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5008

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\CA3D36-Readme.txt
    Filesize

    1KB

    MD5

    0fa3b208824da5607858c1fc8ee28fbf

    SHA1

    2fbe40bdb0e339f7831ffb3160c8831589ec5fc6

    SHA256

    f3f7a8ac039ca497be81702b1180c7e147cc2544529de42432c7325df308180d

    SHA512

    09f81092f3a31a20e8392cbb9667c58ac25eb363224a1cc7f80668b748a275613b9135bcb0942f6325930f351957b19512082821c10c92f57c9958fe39f9b891

    Download Submit

  • C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml
    Filesize

    3.3MB

    MD5

    8359496564107214cce359d501b11fc2

    SHA1

    3f7254b9d61126d664ab3ab8153b5cf631814f6a

    SHA256

    adc4311564c2604b8c09373b03c079a67737897838be1af7b2edf38d58845311

    SHA512

    9aa42ddf234017884ffbd65344f84664fa04a72c64c6666725b5e3eb8c91c7ab350bb732ec403f15da86a555e1f4f8621f441b37b192c49d77e0dd79c78a69ba

    Download Submit

  • memory/3336-0-0x00000000021B0000-0x00000000021D6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/3336-1-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3336-3432-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/3336-3958-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download