Analysis
-
max time kernel
147s -
max time network
130s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
24-06-2020 05:01
General
-
Target
μ΄λ ₯μ_κ²½λ ₯μ¬νμ λͺ¨λ κΈ°μ¬νμμ΅λλ€ νμΈλΆνλλ¦¬κ² μ΅λλ€ κ°μ¬ν©λλ€.exe
-
Size
196KB
-
MD5
2b581dad6e832d91b1e03ad22ead74a3
-
SHA1
f9b81dba7907a7f95690a09eb4d71c74fd753f75
-
SHA256
ff91860e1c0ee0dda06ef8e326e2e284ee7ec0de97ee80348720c5ab637f8cf5
-
SHA512
2c9e568c6f104a406cad3fc68618d15f839833e01a791755223e7f6e55bc6dc656c56e74b1160c0923aaaef473e3aefcf782ee7d1ec7220a1cdb12d1c959afe5
Score
10/10
Malware Config
Extracted
Path
C:\readme-warning.txt
Family
makop
Ransom Note
::: Greetings :::
Little FAQ:
.1.
Q: Whats Happen?
A: Your files have been encrypted and now have the "makop" extension. The file structure was not damaged, we did everything possible so that this could not happen.
.2.
Q: How to recover files?
A: If you wish to decrypt your files you will need to pay in bitcoins.
.3.
Q: What about guarantees?
A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests.
To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee.
.4.
Q: How to contact with you?
A: You can write us to our mailbox: akzhq615@protonmail.com
.5.
Q: How will the decryption process proceed after payment?
A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.
.6.
Q: If I donοΏ½t want to pay bad people like you?
A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money.
:::BEWARE:::
DON'T try to change encrypted files by yourself!
If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files!
Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.
Emails
akzhq615@protonmail.com
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Modifies system certificate store 2 TTPs 3 IoCs
-
Makop
Ransomware family discovered by @VK_Intel in early 2020.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Deletes system backup catalog 2 TTPs
Ransomware often tries to delete backup files to inhibit system recovery.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies service 2 TTPs 5 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
-
Adds Run entry to start application 2 TTPs 1 IoCs
-
Drops file in Program Files directory 9162 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\μ΄λ ₯μ_κ²½λ ₯μ¬νμ λͺ¨λ κΈ°μ¬νμμ΅λλ€ νμΈλΆνλλ¦¬κ² μ΅λλ€ κ°μ¬ν©λλ€.exe"C:\Users\Admin\AppData\Local\Temp\μ΄λ ₯μ_κ²½λ ₯μ¬νμ λͺ¨λ κΈ°μ¬νμμ΅λλ€ νμΈλΆνλλ¦¬κ² μ΅λλ€ κ°μ¬ν©λλ€.exe"1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Adds Run entry to start application
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\Temp\μ΄λ ₯μ_κ²½λ ₯μ¬νμ λͺ¨λ κΈ°μ¬νμμ΅λλ€ νμΈλΆνλλ¦¬κ² μ΅λλ€ κ°μ¬ν©λλ€.exe"C:\Users\Admin\AppData\Local\Temp\μ΄λ ₯μ_κ²½λ ₯μ¬νμ λͺ¨λ κΈ°μ¬νμμ΅λλ€ νμΈλΆνλλ¦¬κ² μ΅λλ€ κ°μ¬ν©λλ€.exe" n12522⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\μ΄λ ₯μ_κ²½λ ₯μ¬νμ λͺ¨λ κΈ°μ¬νμμ΅λλ€ νμΈλΆνλλ¦¬κ² μ΅λλ€ κ°μ¬ν©λλ€.exe"C:\Users\Admin\AppData\Local\Temp\μ΄λ ₯μ_κ²½λ ₯μ¬νμ λͺ¨λ κΈ°μ¬νμμ΅λλ€ νμΈλΆνλλ¦¬κ² μ΅λλ€ κ°μ¬ν©λλ€.exe" n12522⤵
-
C:\Users\Admin\AppData\Local\Temp\μ΄λ ₯μ_κ²½λ ₯μ¬νμ λͺ¨λ κΈ°μ¬νμμ΅λλ€ νμΈλΆνλλ¦¬κ² μ΅λλ€ κ°μ¬ν©λλ€.exe"C:\Users\Admin\AppData\Local\Temp\μ΄λ ₯μ_κ²½λ ₯μ¬νμ λͺ¨λ κΈ°μ¬νμμ΅λλ€ νμΈλΆνλλ¦¬κ² μ΅λλ€ κ°μ¬ν©λλ€.exe" n12522⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/384-3-0x0000000000000000-mapping.dmp
-
memory/432-8-0x0000000000D3F000-0x0000000000D40000-memory.dmpFilesize
4KB
-
memory/432-9-0x00000000025A0000-0x00000000025B1000-memory.dmpFilesize
68KB
-
memory/820-7-0x0000000000000000-mapping.dmp
-
memory/1252-0-0x0000000000D7F000-0x0000000000D80000-memory.dmpFilesize
4KB
-
memory/1252-1-0x00000000025F0000-0x0000000002601000-memory.dmpFilesize
68KB
-
memory/1400-4-0x0000000000DEF000-0x0000000000DF0000-memory.dmpFilesize
4KB
-
memory/1400-5-0x00000000025F0000-0x0000000002601000-memory.dmpFilesize
68KB
-
memory/1444-2-0x0000000000000000-mapping.dmp
-
memory/1796-6-0x0000000000000000-mapping.dmp
-
memory/2004-10-0x000000000030F000-0x0000000000310000-memory.dmpFilesize
4KB
-
memory/2004-11-0x0000000002410000-0x0000000002421000-memory.dmpFilesize
68KB