Overview

overview

10

Static

static

10

2025-01-22...to.exe

windows7-x64

10

2025-01-22...to.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    77s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    23-01-2025 03:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-01-22_12448b9b16e1c3a907f669ff5906046d_babuk_mailto.exe

  • Size

    82KB

  • MD5

    12448b9b16e1c3a907f669ff5906046d

  • SHA1

    264a5f682001eae793103023f35b0a865b48d25b

  • SHA256

    d68ec0df2b057387bbd78a51054f7c06bdf029337bf9d66c1d411ba0243b2ae5

  • SHA512

    58870722418a14fbc86062979b8b93fc9aa31848b03217fc7534b6bd9d03383de5ad338cd75376f8bbee378f38d5e473364429cf8bc631a5125e5e65314b7be3

  • SSDEEP

    1536:yoF+QbXFzvL4ZwxY/ic0ty2XGf0s7pBZWNFMSZs1:yiFF7Loxt0tyAGf0sN5S2

Score
10/10
netwalkerdefense_evasiondiscoveryexecutionimpactpersistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\Contacts\70E7-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted. All encrypted files for this computer has extension: .70e7 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised, rebooting/shutdown will cause you to lose files without the possibility of recovery and even god will not be able to help you, it could be files on the network belonging to other users, sure you want to take that responsibility? -- Our encryption algorithms are very strong and your files are very well protected, you can't hope to recover them without our help. The only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypt program, you may damage them and then they will be impossible to recover. We advise you to contact us as soon as possible, otherwise there is a possibility that your files will never be returned. For us this is just business and to prove to you our seriousness, we will decrypt you some files for free, but we will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Contact us: [email protected] [email protected] Don't forget to include your code in the email: {code_70e7:pHetzS+Wifuv5fAaIuwLfoh+l7Xe5Elr6hGvr06ebMqzslLW49 AM5mMvTgt/c4564Su/dtGmYU/TnPeMrHIsUbI8RvWMfjwYjuev +hDW7W5fccAwzwTQcdNofPx+IXAoqcDIb7fx7DfLI55ipjyiK/ SssmAVGl+GCO7gZFqYJxxpr+ufmNHMBtGrYRx5LwB0qy0xrNp6 q8JsdQ4+1sIkyhVGu6xRAiLxTRk2LavxoZQKr7jVxPEp7D+DHu bGDA6nDwg1S+UgVEzRVfZ3108/HQYnwg==}

Signatures

  • Detected Netwalker Ransomware 59 IoCs

    Detected unpacked Netwalker executable.

  • Netwalker Ransomware

    Ransomware family with multiple versions. Also known as MailTo.

    ransomwarenetwalker
  • Netwalker family
    netwalker
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (177) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-22_12448b9b16e1c3a907f669ff5906046d_babuk_mailto.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-22_12448b9b16e1c3a907f669ff5906046d_babuk_mailto.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\system32\explorer.exe"
      2⤵
      • Deletes itself
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1892
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\system32\explorer.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3036
        • C:\Windows\system32\vssadmin.exe
          C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2580
      • C:\Windows\SysWOW64\notepad.exe
        C:\Windows\system32\notepad.exe C:\Users\Admin\Desktop\70E7-Readme.txt
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4040
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2528
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1856
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\70E7-Readme.txt
    1⤵
      PID:2620

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\Contacts\70E7-Readme.txt
      Filesize

      1KB

      MD5

      4a169e0774726e9a18a2c325d5902474

      SHA1

      7cf2a04e74860f16e0ab9b9d10258212547c6695

      SHA256

      195a202adc99f65bd6e05ae27936f3a9f1c54994dee8ae95fd277fe907e7ce6e

      SHA512

      1693fbdaf8023d8ca7dffc0eeac36b70ddfb546f6763f8198d13fb7080c88290eca3c417f95f7ed10154a417eaa08c70f935227acbc83d18ad8904390a2b23f0

      Download Submit

    • memory/1892-0-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-2-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-3-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-4-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-5-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-6-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-7-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-8-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-61-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-64-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-62-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-60-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-59-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-58-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-57-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-56-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-55-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-54-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-53-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-52-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-51-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-49-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-48-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-47-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-46-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-45-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-44-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-43-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-42-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-41-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-40-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-39-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-38-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-37-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-35-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-33-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-32-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-31-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-30-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-29-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-28-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-27-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-26-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-25-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-24-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-23-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-22-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-21-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-20-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-19-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-18-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-17-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-16-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-15-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-14-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-13-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1892-1717-0x00000000000C0000-0x00000000000D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/3036-9-0x0000000000080000-0x0000000000099000-memory.dmp

      Filesize

      100KB

      Download

    • memory/3036-10-0x0000000000080000-0x0000000000099000-memory.dmp

      Filesize

      100KB

      Download