makop | ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237

General

Target

ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
Size

34KB
MD5

eaf04bb5f9fff5b07b81bede9a3ea549
SHA1

62d1c4da546502605c23d01d050bb63cf4c18022
SHA256

ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237
SHA512

140407b691d73daab459003b7402af252c648756ea2f1cbc785fd9ec64c2432b0d0588f97c2beef629914998d7f78698a03aa0beab914bd0f7baba15fb5571d6

Score

10^/10

makop persistence ransomware

Malware Config

Extracted

Path

C:\readme-warning.txt

Family

makop

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "shootlock" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: n0pr0blems@protonmail.com or troubleshooter@cock.li .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Emails

n0pr0blems@protonmail.com

troubleshooter@cock.li

Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.
ransomware makop

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ConvertRegister.tiff	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe

Drops startup file 1 IoCs

Processes:

ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe\""	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Public\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\73LCGY58\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\FT5Z4PS4\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3765897441-2376744223-3151462503-1000\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\23JH2T2F\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RXSZRW3N\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\0DHL2DSS\desktop.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 64 IoCs

Processes:

ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Off.jpg	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\RES98.POC	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\To_Do_List.jtp	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif.[5FA4DA0B].[n0pr0blems@protonmail.com].shootlock	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\THEMES14\LEVEL\THMBNAIL.PNG	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\org-openide-filesystems_zh_CN.jar	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\HEADER.GIF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\FORMS\1033\SMIMEE.CFG	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0105502.WMF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE00478_.WMF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0157763.WMF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system.png	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\CompleteUninstall.dotx	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\F12.dll.mui	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-j2se-1.0.2.jar	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\42.png	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\THEMES14\LAYERS\THMBNAIL.PNG	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\FD00455_.WMF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA01066_.WMF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\bg_Casual.gif	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\OLKIRMV.XML	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\settings.html	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\cpu.html	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\tipresx.dll.mui	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\java.security	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10297_.GIF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_over.png	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)alertIcon.png	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_s.png	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot_lrg.png	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\THEMES14\EXPEDITN\EXPEDITN.INF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02085_.GIF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0174952.JPG	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\DGWEBCAL.DPV	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Java\jre7\Welcome.html	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\FD00965_.WMF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AN04369_.WMF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA01164_.WMF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system_h.png	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rankin_Inlet	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh87	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen.css	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18184_.WMF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\El_Salvador	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Madeira	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0105496.WMF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Theme Colors\Clarity.xml	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Helsinki	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\BS01638_.WMF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Premium.css	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\BD07804_.WMF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01740_.GIF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Verve.thmx	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\Templates\1033\Access\DataType\Status.accft	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\msjet.xsl	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaTypewriterBold.ttf	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02748G.GIF	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\STSLIST.CHM	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Microsoft Office\Templates\1033\UrbanMergeLetter.Dotx	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Blanc-Sablon	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

NOTEPAD.EXE

pid process

988 NOTEPAD.EXE

pid	process
988	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe

description	pid	process	target process
PID 2016 wrote to memory of 2044	2016	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe	cmd.exe
PID 2016 wrote to memory of 2044	2016	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe	cmd.exe
PID 2016 wrote to memory of 2044	2016	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe	cmd.exe
PID 2016 wrote to memory of 2044	2016	ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
"C:\Users\Admin\AppData\Local\Temp\ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
"C:\Users\Admin\AppData\Local\Temp\ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe" n2016
2⤵
PID:2032

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
"C:\Users\Admin\AppData\Local\Temp\ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe" n2016
2⤵
PID:272

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
1⤵
- Suspicious use of FindShellTrayWindow
PID:988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\readme-warning.txt
MD5
d9b39b0b144ebf984a10858ec3075bde

SHA1
4cb464c0c1f8db90517a2c63d251c857c34280c0

SHA256
d5bbc0edb980ad945ddb00878899fe4f8b726f266afe46745b789bd5c6f67e21

SHA512
5e1591ab5fe9f0b546db6ac62184b4879b7d9c05b9e6c35dec94287af17802636e3121e9c225ae65adea5ace009acf75db2edd79983156ace6090755fea0065c

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads