Overview

overview

10

Static

static

10

2025-01-22...to.exe

windows7-x64

10

2025-01-22...to.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/01/2025, 03:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-01-22_12448b9b16e1c3a907f669ff5906046d_babuk_mailto.exe

  • Size

    82KB

  • MD5

    12448b9b16e1c3a907f669ff5906046d

  • SHA1

    264a5f682001eae793103023f35b0a865b48d25b

  • SHA256

    d68ec0df2b057387bbd78a51054f7c06bdf029337bf9d66c1d411ba0243b2ae5

  • SHA512

    58870722418a14fbc86062979b8b93fc9aa31848b03217fc7534b6bd9d03383de5ad338cd75376f8bbee378f38d5e473364429cf8bc631a5125e5e65314b7be3

  • SSDEEP

    1536:yoF+QbXFzvL4ZwxY/ic0ty2XGf0s7pBZWNFMSZs1:yiFF7Loxt0tyAGf0sN5S2

Score
10/10
netwalkerdefense_evasiondiscoveryexecutionimpactpersistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\E883-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted. All encrypted files for this computer has extension: .e883 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Contact us: [email protected] [email protected] Don't forget to include your code in the email: {code_e883:GOdZ+m7ltaz7jjv5vPCR5Cr16+GkMWKhwQRW85bwCHPb3M8Eg2 t6nAmVdnpyMRXeNMTxe3SExs6NkV4SUTSKLqhSAHnIpkEvjuev +u1D032ifBe/1uPAM4TbHZNHhbzYovK8sXvocoFw7Vcn1zjHQP 79UlahiFP4UVw0qvYY0baQ7qBNW6miAnT3sPfdfGYnm3lJcvKK oCPmgPMLWQNeDh+TTtmCDpksvlkJ5RjzwNTwTb7uX+RfNeZ3i9 OSNMk5lOSJuhWrbIxTf53w37Ijv+Mrhg==}

Signatures

  • Detected Netwalker Ransomware 64 IoCs

    Detected unpacked Netwalker executable.

  • Netwalker Ransomware

    Ransomware family with multiple versions. Also known as MailTo.

    ransomwarenetwalker
  • Netwalker family
    netwalker
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (160) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-22_12448b9b16e1c3a907f669ff5906046d_babuk_mailto.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-22_12448b9b16e1c3a907f669ff5906046d_babuk_mailto.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3168
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\system32\explorer.exe"
      2⤵
      • Deletes itself
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\system32\explorer.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:400
        • C:\Windows\system32\vssadmin.exe
          C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2888
      • C:\Windows\SysWOW64\notepad.exe
        C:\Windows\system32\notepad.exe C:\Users\Admin\Desktop\E883-Readme.txt
        3⤵
        • System Location Discovery: System Language Discovery
        PID:6052
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:4428
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:7084

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Downloads\E883-Readme.txt
    Filesize

    1KB

    MD5

    d38c2725d0e290f29a6dc194080d7a0d

    SHA1

    340a49f4e2e53c2c90542f565a4864adce242ce7

    SHA256

    c8585fc87223fddd2a1a95d359d90b8e93dc53bb2dfae7072fb3938a2489d347

    SHA512

    f05994fa548baab8c1516fc727b6ad6a0d6d9a1e76d200f8c2e4a9cf63bf2d71bd4906215b93f1a1156ab78352a3b9bdeb1160e4d17eec32d73b18664b364284

    Download Submit

  • memory/400-41-0x00000000003B0000-0x00000000003C9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/400-1770-0x00000000003B0000-0x00000000003C9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-0-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-2-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-3-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-7-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-6-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-5-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-24-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-28-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-43-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-66-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-65-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-64-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-63-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-62-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-60-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-59-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-58-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-57-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-53-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-52-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-51-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-49-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-48-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-46-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-45-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-42-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-39-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-38-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-37-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-36-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-35-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-34-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-33-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-32-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-61-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-56-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-55-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-54-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-50-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-47-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-44-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-27-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-26-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-25-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-23-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-22-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-21-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-20-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-17-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-14-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-13-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-12-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-19-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-18-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-16-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-15-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-11-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-10-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-9-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-8-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-4-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-1769-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3068-1779-0x00000000001C0000-0x00000000001D9000-memory.dmp

    Filesize

    100KB

    Download