makop | ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237

Analysis

max time kernel
138s
max time network
70s
platform
windows7_x64
resource
win7v200410
submitted
28-04-2020 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
Size

34KB
MD5

eaf04bb5f9fff5b07b81bede9a3ea549
SHA1

62d1c4da546502605c23d01d050bb63cf4c18022
SHA256

ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237
SHA512

140407b691d73daab459003b7402af252c648756ea2f1cbc785fd9ec64c2432b0d0588f97c2beef629914998d7f78698a03aa0beab914bd0f7baba15fb5571d6

Score

10^/10

makop persistence ransomware

Malware Config

Extracted

Path

C:\readme-warning.txt

Family

makop

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "shootlock" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: [email protected] or [email protected] .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Emails

[email protected]

Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.
ransomware makop

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ConvertRegister.tiff	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe\""	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Public\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\73LCGY58\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\FT5Z4PS4\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3765897441-2376744223-3151462503-1000\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\23JH2T2F\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RXSZRW3N\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\0DHL2DSS\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Off.jpg	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\RES98.POC	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\To_Do_List.jtp	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif.[5FA4DA0B].[[email protected]].shootlock	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\THEMES14\LEVEL\THMBNAIL.PNG	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\org-openide-filesystems_zh_CN.jar	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\HEADER.GIF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\FORMS\1033\SMIMEE.CFG	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0105502.WMF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE00478_.WMF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0157763.WMF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system.png	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\CompleteUninstall.dotx	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\F12.dll.mui	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-j2se-1.0.2.jar	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\42.png	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\THEMES14\LAYERS\THMBNAIL.PNG	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\FD00455_.WMF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA01066_.WMF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\bg_Casual.gif	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\OLKIRMV.XML	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\settings.html	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\cpu.html	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\tipresx.dll.mui	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\java.security	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10297_.GIF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_over.png	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)alertIcon.png	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_s.png	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot_lrg.png	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\THEMES14\EXPEDITN\EXPEDITN.INF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02085_.GIF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0174952.JPG	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\DGWEBCAL.DPV	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Java\jre7\Welcome.html	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\FD00965_.WMF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AN04369_.WMF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA01164_.WMF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system_h.png	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rankin_Inlet	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh87	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen.css	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18184_.WMF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\El_Salvador	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Madeira	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0105496.WMF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Theme Colors\Clarity.xml	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Helsinki	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\BS01638_.WMF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Premium.css	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\BD07804_.WMF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01740_.GIF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Verve.thmx	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\Templates\1033\Access\DataType\Status.accft	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\msjet.xsl	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaTypewriterBold.ttf	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02748G.GIF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\STSLIST.CHM	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\Templates\1033\UrbanMergeLetter.Dotx	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Blanc-Sablon	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
988	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2044	2016	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe	26
PID 2016 wrote to memory of 2044	2016	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe	26
PID 2016 wrote to memory of 2044	2016	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe	26
PID 2016 wrote to memory of 2044	2016	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe	26

C:\Users\Admin\AppData\Local\Temp\ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
"C:\Users\Admin\AppData\Local\Temp\ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
  "C:\Users\Admin\AppData\Local\Temp\ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe" n2016
  2⤵
  PID:2032
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:2044
- C:\Users\Admin\AppData\Local\Temp\ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
  "C:\Users\Admin\AppData\Local\Temp\ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe" n2016
  2⤵
  PID:272

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
1⤵
- Suspicious use of FindShellTrayWindow
PID:988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads