Overview

overview

10

Static

static

10

2025-01-22...to.exe

windows7-x64

10

2025-01-22...to.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-01-2025 20:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-01-22_12448b9b16e1c3a907f669ff5906046d_babuk_mailto.exe

  • Size

    82KB

  • MD5

    12448b9b16e1c3a907f669ff5906046d

  • SHA1

    264a5f682001eae793103023f35b0a865b48d25b

  • SHA256

    d68ec0df2b057387bbd78a51054f7c06bdf029337bf9d66c1d411ba0243b2ae5

  • SHA512

    58870722418a14fbc86062979b8b93fc9aa31848b03217fc7534b6bd9d03383de5ad338cd75376f8bbee378f38d5e473364429cf8bc631a5125e5e65314b7be3

  • SSDEEP

    1536:yoF+QbXFzvL4ZwxY/ic0ty2XGf0s7pBZWNFMSZs1:yiFF7Loxt0tyAGf0sN5S2

Score
10/10
netwalkerdefense_evasiondiscoveryexecutionimpactpersistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\Favorites\24FE-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted. All encrypted files for this computer has extension: .24fe -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Contact us: [email protected] [email protected] Don't forget to include your code in the email: {code_24fe:vcp7YUD0An7cYgEcqietscSbsz4+8tDJnbIgE5RZ/Vtq/3Yrgf JRLw40pjJgWwdutQgbtiqzsT9TDTjlosRgL8NXYMn2HHw5juev +iNgZipJCEZ2dWTJD+ewu9vWW70VyJLugpoICp5//aoZi4TA5O Ma5CjGvjZ7GHEdAEmcTv9YuQif1fslgaFLtpcn9bleg4kSNqag cwhkPLVVNxnx0+4ZHYOmASZ+HhSkVbL4pju/Zy5qthjb5C5Luj dBlg6dZ1gtekoYGmzgcya2PobKuAZWYg==}

Signatures

  • Detected Netwalker Ransomware 64 IoCs

    Detected unpacked Netwalker executable.

  • Netwalker Ransomware

    Ransomware family with multiple versions. Also known as MailTo.

    ransomwarenetwalker
  • Netwalker family
    netwalker
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (183) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-22_12448b9b16e1c3a907f669ff5906046d_babuk_mailto.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-22_12448b9b16e1c3a907f669ff5906046d_babuk_mailto.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\system32\explorer.exe"
      2⤵
      • Deletes itself
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:5032
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\system32\explorer.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1220
        • C:\Windows\system32\vssadmin.exe
          C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:3092
      • C:\Windows\SysWOW64\notepad.exe
        C:\Windows\system32\notepad.exe C:\Users\Admin\Desktop\24FE-Readme.txt
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3224
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:3968
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2752

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Favorites\24FE-Readme.txt
    Filesize

    1KB

    MD5

    11da42e76b4facd63cd2c1247533a0a6

    SHA1

    3b75b7bfa10845b8fea36ad17312f33de5251eb4

    SHA256

    c7835f383b1d647d1fb2e028bc10277f4af16fcdd336413a6d8ff96f89348049

    SHA512

    1156047f7707b65bd484ac56a0ec7fd43e34ccfd0ab5164be190baa30afe4306ad56209ac3e7526adb0e5af4786cf91ace13e8ee4dce9a52a9292e77d4708564

    Download Submit

  • memory/1220-476-0x0000000000130000-0x0000000000149000-memory.dmp

    Filesize

    100KB

    Download

  • memory/1220-1837-0x0000000000130000-0x0000000000149000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-0-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-2-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-3-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-4-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-26-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-36-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-65-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-64-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-63-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-62-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-61-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-60-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-59-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-58-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-57-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-56-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-55-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-54-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-53-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-52-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-51-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-50-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-49-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-48-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-47-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-46-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-45-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-44-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-43-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-42-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-41-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-40-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-39-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-35-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-34-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-32-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-31-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-30-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-38-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-28-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-25-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-24-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-23-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-22-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-21-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-20-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-19-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-18-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-17-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-16-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-15-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-14-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-13-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-12-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-11-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-10-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-9-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-8-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-7-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-6-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-27-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-5-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-1836-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5032-1846-0x0000000001280000-0x0000000001299000-memory.dmp

    Filesize

    100KB

    Download