Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2025-01-22...to.exe

windows7-x64

10

2025-01-22...to.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    15s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    22/01/2025, 20:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-01-22_12448b9b16e1c3a907f669ff5906046d_babuk_mailto.exe

  • Size

    82KB

  • MD5

    12448b9b16e1c3a907f669ff5906046d

  • SHA1

    264a5f682001eae793103023f35b0a865b48d25b

  • SHA256

    d68ec0df2b057387bbd78a51054f7c06bdf029337bf9d66c1d411ba0243b2ae5

  • SHA512

    58870722418a14fbc86062979b8b93fc9aa31848b03217fc7534b6bd9d03383de5ad338cd75376f8bbee378f38d5e473364429cf8bc631a5125e5e65314b7be3

  • SSDEEP

    1536:yoF+QbXFzvL4ZwxY/ic0ty2XGf0s7pBZWNFMSZs1:yiFF7Loxt0tyAGf0sN5S2

Score
10/10
netwalkerdefense_evasiondiscoveryexecutionimpactpersistenceransomware

Malware Config

Extracted

Path

C:\ProgramData\Microsoft Help\F3D3-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted. All encrypted files for this computer has extension: .f3d3 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Contact us: [email protected] [email protected] Don't forget to include your code in the email: {code_f3d3:cjYm65yk46MOZSPnZSrhXva6LNba60uVjCQkhPjO/Lpd0QzHig ao2Vq3uqExve0jNYk5X0ImQLUZoAYXQxcouAwuIaf0iagojuev +ilSr0OSazFKOEA0qwNRwGdi/uRxlhjolrTDbNFp1XchMCtIVS Wqvj8tBwCrDvxz314SwTK3n6IhABx8c01xEQQWhfUppwqD8n4y EuwZ7sVo67BIHenS6yT/pBW6a1ZpGpmtYxElIsCuoW2tFhClmE /3PWaLIRHiDu6FCSYSbgbFF2XYQjF8dQ==}

Signatures

  • Detected Netwalker Ransomware 58 IoCs

    Detected unpacked Netwalker executable.

  • Netwalker Ransomware

    Ransomware family with multiple versions. Also known as MailTo.

    ransomwarenetwalker
  • Netwalker family
    netwalker
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (207) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-22_12448b9b16e1c3a907f669ff5906046d_babuk_mailto.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-22_12448b9b16e1c3a907f669ff5906046d_babuk_mailto.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\system32\explorer.exe"
      2⤵
      • Deletes itself
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\system32\explorer.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Windows\system32\vssadmin.exe
          C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2828
      • C:\Windows\SysWOW64\notepad.exe
        C:\Windows\system32\notepad.exe C:\Users\Admin\Desktop\F3D3-Readme.txt
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1096
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:316
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2928

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft Help\F3D3-Readme.txt
    Filesize

    1KB

    MD5

    a449dec7faa26ff8d5b793a2425261a9

    SHA1

    c4bf801369f7033573485064423fbe95dc2305ba

    SHA256

    7fa992df2f72683db77b8d88cb8dad71779b69f75dfb961f45d6c69d3de2a6a7

    SHA512

    efd90bc3a825048be6f57c008b5e61fa1251bffb06872150c05b8bae6b1178870784de53b6fdc97f6d437d49cf2710f274f6dc78edb8725803066fe241bfe843

    Download Submit

  • memory/2028-0-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-3-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-4-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-2-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-29-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-28-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-27-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-26-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-25-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-24-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-23-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-22-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-21-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-19-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-18-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-17-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-16-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-15-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-14-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-13-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-12-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-11-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-10-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-9-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-8-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-7-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-6-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-5-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-53-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-52-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-51-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-50-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-49-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-48-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-47-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-46-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-45-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-44-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-43-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-41-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-40-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-39-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-38-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-37-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-36-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-33-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-82-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-80-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-79-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-78-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-77-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-76-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-75-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-69-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-1640-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2028-1809-0x00000000000C0000-0x00000000000D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2716-20-0x0000000000080000-0x0000000000099000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2716-30-0x0000000000080000-0x0000000000099000-memory.dmp

    Filesize

    100KB

    Download