Analysis
-
max time kernel
150s -
max time network
134s -
platform
windows10_x64 -
resource
win10v200410 -
submitted
28-04-2020 11:54
General
-
Target
ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe
-
Size
34KB
-
MD5
eaf04bb5f9fff5b07b81bede9a3ea549
-
SHA1
62d1c4da546502605c23d01d050bb63cf4c18022
-
SHA256
ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237
-
SHA512
140407b691d73daab459003b7402af252c648756ea2f1cbc785fd9ec64c2432b0d0588f97c2beef629914998d7f78698a03aa0beab914bd0f7baba15fb5571d6
Malware Config
Extracted
C:\readme-warning.txt
makop
n0pr0blems@protonmail.com
troubleshooter@cock.li
Signatures
-
Makop
Ransomware family discovered by @VK_Intel in early 2020.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
-
Modifies Installed Components in the registry 2 TTPs
-
Drops startup file 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops desktop.ini file(s) 64 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Program Files directory 64 IoCs
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 16 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Control Panel 5 IoCs
-
Modifies registry class 33 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 48 IoCs
-
Suspicious use of SendNotifyMessage 27 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe"C:\Users\Admin\AppData\Local\Temp\ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe"C:\Users\Admin\AppData\Local\Temp\ca02ecab5b5c652ade36462b319f3cf592c4ca83eec9f5f73e7db81cf8061237.exe" n18762⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3000 -s 70001⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Control Panel
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
- Enumerates system info in registry
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\$Recycle.Bin\S-1-5-21-2136578390-2771164089-400866267-1000\desktop.iniMD5
57b9f32cb3f93417da5700a62c17bea5
SHA191246e2e7b83bec7f59c703ba7a403829900f385
SHA256ec7c3ad652c5114c9e5a2bcb85a289b179c20fd884f56b7ca13e9825cebd10f6
SHA512fcee2684c242096c70677793af609b49c1d93ced52d130908e4555d0a28b3265db484b5ef4dc3f2df99eeccae8492cee090a1239021a37af18ba8cd575c6beee
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.3.dbMD5
1fc48d0e89b221a8d3fd07de5f7f1838
SHA1dace8bb55162228b308ff1ec3f1ef38c717a2ba5
SHA256c3ac8ad1540bd9facecbbc63fc061dbffefa808f9a796c76cdf0090cae3996ea
SHA51285eeda7e08ec7b84ed54fa353e6b33a7ae831fdcef9d288702661892fbddcb74d915c8bda62af389985b270e29e59a4aec56d2c8cc8046cbd28d56e7034d73a5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001a.dbMD5
077bdfe0b415d820992429cf3d7d8e8b
SHA1450ca27ace3ebfc5d2bf59c6e4c6a310a1d8c3d1
SHA256b679f371ca333ffcab5e1c520cea98e633873c489e5ee502356c6dc79015883c
SHA51246872997dd92adab0394bf8d7d432aae48a9505c7632ed956afb5a55bcc3e8a04ce27922c5eda3df446398bafd19b1088ac92ca42cf9a94b1882cb6b87b30799
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001b.dbMD5
1e0ee4120abf321422d72101cee09822
SHA1dd7c9492ca3b694d4d5ce1904d1ed1a1aca48ee9
SHA256ed7a8127be07a79a502512561e0cb05c88077c0d69dfd905fd7f3ed2a453dc3e
SHA512651ebd3214763cc00debdd2474823a8edf6bd312d05ed4db3f443c9b9b32c83f32f87c0416836678495ae7e07a92dbe2abad13d19ce28875833ad30dea8e6fbc
-
C:\Users\Admin\AppData\Local\Temp\WERD94.tmp.appcompat.txtMD5
676dbb7a4cbf907a67d683d288ec6507
SHA1ebdba48b4befad45b90d29550aefcae8ede7e216
SHA25615bd70c69cb2bc5cbe6009e75072481d9d27682f04dd238bd6d7e7364c48bfcb
SHA5125e3af2f3d11db0640d607fe0eae0cb8b9a74ae1965b8f22f76bad6d039654c4fa0bd864fb892a6861863492e7a07e6063c2a35b32ba7700b064b51174e13fda0
-
C:\Users\Admin\AppData\Local\Temp\{8A4D7B43-5FBE-4685-A18A-B92EA106E400}.pngMD5
084c987204fb7e7c5cc375099f6cb2ce
SHA1a685b1489cadb6fbed88398fb73fcce94afcebbb
SHA2569f56c9cafc46099d6f49cf909d850b16db87b39104162c9faac7e8a5766f9a2d
SHA512230d4bbfd15128abb39581990a853ea8b1fde26302f40ab878ad2c9669ee4de491267793640d8bcf145b3a36ae9e81bf31ff66f4f689a327e1ed814732683419
-
C:\Users\All Users\Microsoft\Windows\WER\Temp\WERBBE.tmp.WERInternalMetadata.xmlMD5
5f83050d46d8f96eb03cb1446ead8d2f
SHA1d9dce4272d0d397960e945432964cf651925ca76
SHA2568f678da14a53f58981e097d808bcecc51bb21fe7a13d9f15c7946e1f6b6ea9ba
SHA512b119fe13663999ab196f87d8283fd033391e5d72bfdf439f25fc5c32eb63f869d86f6de8d3942b9c6c081838bb59b53268cb20b0bd2a6b52bc7d869233e4e34d
-
memory/1500-147-0x0000017562140000-0x0000017562141000-memory.dmpFilesize
4KB
-
memory/1500-0-0x0000017560630000-0x0000017560631000-memory.dmpFilesize
4KB
-
memory/1500-12-0x0000017562200000-0x0000017562201000-memory.dmpFilesize
4KB
-
memory/1500-4-0x0000017561BA0000-0x0000017561BA1000-memory.dmpFilesize
4KB
-
memory/1500-157-0x0000017562140000-0x0000017562141000-memory.dmpFilesize
4KB
-
memory/1500-181-0x0000017562140000-0x0000017562141000-memory.dmpFilesize
4KB
-
memory/1500-199-0x0000017562140000-0x0000017562141000-memory.dmpFilesize
4KB
-
memory/1500-261-0x000001756C170000-0x000001756C171000-memory.dmpFilesize
4KB
-
memory/1500-3-0x0000017561BA0000-0x0000017561BA1000-memory.dmpFilesize
4KB
-
memory/1500-1-0x0000017560630000-0x0000017560631000-memory.dmpFilesize
4KB
