ID | X0037 |
Aliases | None |
Platforms | Windows |
Year | 2020 |
Associated ATT&CK Software | Netwalker |
Fileless ransomware written in PowerShell and executed directly in memory.
See ATT&CK: Netwalker - Techniques Used.
Name | Use |
---|---|
Execution::Command and Scripting Interpreter (E1049) | Netwalker is written in and executed through PowerShell [1] |
Defense Evasion::Obfuscated Files or Information (E1027) | Netwalker is hidden behind several layers of encoding, obfuscation, and encryption, including base64, hexadecimal, and XOR [1] |
Defense Evasion::Process Injection::Dynamic-link Library Injection (E1055.001) | Netwalker uses reflective DLL loading to inject from memory [1] |
Impact::Data Encrypted for Impact (E1486) | Netwalker encrypts files for ransom [1] |
SHA256 Hashes
- f4656a9af30e98ed2103194f798fa00fd1686618e3e62fba6b15c9959135b7be
[1] https://www.trendmicro.com/en_us/research/20/e/netwalker-fileless-ransomware-injected-via-reflective-loading.html