Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20250207-en
  • resource tags

    arch:x64, arch:x86, image:win7-20250207-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/03/2025, 09:35

General

  • Target: 2025-03-20_6006725a2daa0b01a4af2fddf58db57b_mailto.exe
  • Size: 69KB
  • MD5: 6006725a2daa0b01a4af2fddf58db57b
  • SHA1: 2e9c40f5bc4f7d8c543cf5a93123fc2794f26a6a
  • SHA256: 448f9d5980c6e327d5cf3e3286381df157876c7f4a748a31038d5bee5479c901
  • SHA512: 0ee22efada8a3be89b6b0c6241c63ba57319c6ef5cbab5df6d2637d1b52a933ad70b88eb7a554f80cfb87f3c1d556c902a5e81415b6ce3b41a67becfd3313e29
  • SSDEEP: 1536:QuCWRxL7hbUiQfovePbUU+hhOZuIWiFp+ZfaBZebC33O+alcBc:rCWf7VJQfmePbvkhOZu1iFBBZebC3KlR

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\User Account Pictures\CC1075-Readme.txt

Family

netwalker

Ransom Note
Hi! Your files are encrypted. All encrypted files for this computer has extension: .cc1075

If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery.

Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog.

Steps to get access on our website:
1. Download and install tor-browser: https://torproject.org/
2. Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion
   If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
3. Put your personal code in the input form:
{code_cc1075: b4OY+uxrGGBLdG/YPmY+jIyalLvgfjSeX8ISrIaRMevymOXCI3 lqh8HZgYydkGOsgrVuPw4r+85J57VL4deXo9nxWZei5/dN1IeS FqLetkzaBk+d0GmjPJN1//+Q81IkeYSgw8wfdoB3ISUvvan1/T B4Ra5YqUv1KZ6m5hhT919yuuUQMubi0l96VzQo0jqFFBqhFIjM nB06d8tvL1epVe/WVeZ88bo8tgeYoNUzzrj+QEvvNM19h5UNFL 7LINzR4S3P8L6iiIDksHy+FQ858A+Rqd+NXURfsQ==}
URLs

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

  • Netwalker Ransomware

    Ransomware family with multiple versions. Also known as MailTo.

  • Netwalker family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (7419) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-20_6006725a2daa0b01a4af2fddf58db57b_mailto.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-20_6006725a2daa0b01a4af2fddf58db57b_mailto.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1508
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:2348
    • C:\Windows\SysWOW64\notepad.exe
      C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\CC1075-Readme.txt"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:6364
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\62D8.tmp.bat"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5708
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /PID 1508
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5564
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:7444

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\GRINTL32.REST.trx_dll.cc1075
    Filesize: 230KB
    MD5: 0dfd36bb51823ce3f0ab0f19823a29b3
    SHA1: 2407b438789fe3f7489db40ee5c40c1792e0da91
    SHA256: 6d9fcd044e20e54d9c36c5131ceebc7610c1561173d82797277a0baaa2411acf
    SHA512: 2e9613dffb90aca0e2ca466fc8e830a03ce1df6f7ed02aab92e47201f32cc69c39bbb7f2078bb2b95ee676df586e2dcbdd9558decfa2acf58ba651d4d3c3209f

  • C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\MAPIR.DLL.trx_dll.cc1075
    Filesize: 287KB
    MD5: e91569867ef2724b5ee9a5a4acaf3f03
    SHA1: 912f5d1553b6dd47c873249a56f67d3189ad4450
    SHA256: 189dfd71ff725545510e151928a0888103a2b8cda10b7b0c7ef914c147d98657
    SHA512: 6dbbdb399bd5192be47c3304446b0ba4c1e8d1c62884aeec6e0469530335a1c59e7776171797fde212a6a753bb4d0d7db1e5be2c4be49a1f42f1cea6d4d9769b

  • C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\MOR6INT.REST.trx_dll.cc1075
    Filesize: 48KB
    MD5: 2e546f0035b3ab864329b9eebd1cd6db
    SHA1: 34a654dcf8fbf882c4b079cd0838cfbb9f61f0bd
    SHA256: 622a7af436a0a1f7e528c89088a484ae490bf5fce65239440a0b869f633ab8d7
    SHA512: 2d2b0a58e7a3700b0f9a4c106d9e56186be97d56919a528a0314f095f08ddbfc9405f0576c09c531a8293726a7bff9af8937433484a0fa36f4c3143626d55b90

  • C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\MSOINTL.DLL.trx_dll.cc1075
    Filesize: 92KB
    MD5: 9cd0ff935fe49344937fc8e7f3f5e638
    SHA1: bef24fc421a211dfce3e774aa8483fd78f5f3adb
    SHA256: 16e0a96c84fc2f3bc0ca262f1a9c8c78565e47d0af0ae10558cff9e05bc87fb4
    SHA512: 020a6aaa342fe839052d84ed76479180fe9ee10d30ad0fb1ac1a865b7965b2e68b5ff7a488c0f62db6374880fbb241976bb3a9ba5cb547e9d3181cfef410ab6a

  • C:\ProgramData\Microsoft\User Account Pictures\CC1075-Readme.txt
    Filesize: 1KB
    MD5: 6364655be175be570b0e611757011ff8
    SHA1: 95860187079b54f6174c6d28174dd5cc2d5066f3
    SHA256: 4ed704761c98d26dacf716e00743be04dca347784d81ed4343336283f49a2de0
    SHA512: 65abf9d0c13bde361a4074bcc675789e45d38a1c06a12182e914921ac0fa4cddd4cf2d7a868bdceaa766bb1fdffea7464adf39474bfe40d3647351b3bdaf2aa8

  • C:\Users\Admin\AppData\Local\Temp\62D8.tmp.bat
    Filesize: 127B
    MD5: 241e53c801f64f610fd3327036fd9d24
    SHA1: b40b0d8bcb6430af74ff6db86bfb43e450b1d498
    SHA256: fce0fa5e5b979aea462de96cdac203e8473f1a8d43e54c3afd4a09a12f08355b
    SHA512: e6f82ae3b687aa23c5b7f06787c7968af99bda86a22149b3278066abb98f20a3ea3d1942473d840dce29508410864b967e4670132570f730662276999a07d842