| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | |
| Enterprise | T1112 | Modify Registry | Netwalker can add the following registry entry: |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Netwalker's PowerShell script can decode and decrypt multiple layers of obfuscation, leading to the Netwalker DLL being loaded into memory.[2] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Netwalker has been written in PowerShell and executed directly in memory, avoiding detection.[1][2] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Operators deploying Netwalker have used batch scripts to retrieve the Netwalker payload.[2] |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Netwalker can detect and terminate active security software-related processes on infected systems.[1][2] |
| Enterprise | T1486 | Data Encrypted for Impact | Netwalker can encrypt files on infected machines to extort victims.[1] |
| Enterprise | T1489 | Service Stop | Netwalker can terminate system processes and services, some of which relate to backup software.[1] |
| Enterprise | T1106 | Native API | Netwalker can use Windows API functions to inject the ransomware DLL.[1] |
| Enterprise | T1570 | Lateral Tool Transfer | Operators deploying Netwalker have used psexec to copy the Netwalker payload across accessible systems.[2] |
| Enterprise | T1027.009 | Obfuscated Files or Information: Embedded Payloads | Netwalker's DLL has been embedded within the PowerShell script in hex format.[1] |
| Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | Netwalker's PowerShell script has been obfuscated with multiple layers, including base64 and hexadecimal encoding and XOR encryption, as well as obfuscated PowerShell functions and variables.[1][2] |
| Enterprise | T1082 | System Information Discovery | Netwalker can determine the system architecture it is running on to choose which version of the DLL to use.[1] |
| Enterprise | T1490 | Inhibit System Recovery | Netwalker can delete the infected system's Shadow Volumes to prevent recovery.[1][2] |
| Enterprise | T1569.002 | System Services: Service Execution | Operators deploying Netwalker have used psexec and certutil to retrieve the Netwalker payload.[2] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Netwalker can detect and terminate active security software-related processes on infected systems.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Operators deploying Netwalker have used psexec and certutil to retrieve the Netwalker payload.[2] |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | The Netwalker DLL has been injected reflectively into the memory of a legitimate running process.[1] |