Analysis
max time kernel: 143s
max time network: 150s
platform: windows7_x64
resource: win7
submitted: 08-07-2020 03:53
Static task: static1
Behavioral task: behavioral1 (Sample 1.exe, Resource win7)
Behavioral task: behavioral2 (Sample 1.exe, Resource win10v200430)
General
Target: 1.exe
Size: 219KB
MD5: 7e6a1a7b83ebc2ae8445e9421d18fc8d
SHA1: 69ea7bfdf164afb80e68643722e687f35ac87cdc
SHA256: 4aa3ae979ad5fb790408c90ebe653592f5861eb7b8dac54cad59e9ac1c54bac4
SHA512: fbc5d8b1cfb8d875108cf729d0f59e55f4f729884237f1aca001ec5b937748695c27fe283806d58c11a1874dac88003fb2369226878455b4f5e5ca96fe1b2d23
Malware Config
Extracted from: C:\Users\Admin\AppData\Local\Temp\readme-warning.txt (the ransom note; further copies are created under Program Files alongside the modified files, see the file IoCs below)
Family: makop
Contact e-mail: akzhq00705@protonmail.com
Signatures
-
Deletes system backup catalog 1 IoCs
Processes:
wbadmin.exe  pid 1940
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
1.exe  pid 740
-
Makop
Ransomware family discovered by @VK_Intel in early 2020.
-
Drops file in Program Files directory 9754 IoCs (64 listed here)
Processes: 1.exe (every entry)
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.core_3.5.0.v20120725-1805.jar
File opened for modification  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0382969.JPG
File opened for modification  C:\Program Files\Microsoft Office\Document Themes 14\Oriel.thmx
File opened for modification  C:\Program Files\Microsoft Office\Document Themes 14\Theme Colors\Pushpin.xml
File opened for modification  C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\TAB_OFF.GIF
File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Bears.jpg
File opened for modification  C:\Program Files\7-Zip\Lang\co.txt
File opened for modification  C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.PNG
File opened for modification  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0106222.WMF
File opened for modification  C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0234266.WMF
File opened for modification  C:\Program Files\Microsoft Office\Office14\PUBWIZ\SIGN.DPV
File opened for modification  C:\Program Files\Windows Media Player\en-US\wmpnssui.dll.mui
File opened for modification  C:\Program Files\7-Zip\7-zip.chm
File opened for modification  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA00798_.WMF
File opened for modification  C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR7B.GIF
File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-4.png
File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_settings.png
File opened for modification  C:\Program Files\Java\jre7\lib\zi\Africa\Windhoek
File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask.wmv
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tirane
File opened for modification  C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0229389.WMF
File opened for modification  C:\Program Files\Microsoft Office\Office14\1033\EADOCUMENTAPPROVAL_INIT.XSN
File created  C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\readme-warning.txt
File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths
File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\15x15dot.png
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text_3.9.1.v20140827-1810.jar
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml
File opened for modification  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0105332.WMF
File opened for modification  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA02448_.WMF
File opened for modification  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00453_.WMF
File opened for modification  C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR30B.GIF
File opened for modification  C:\Program Files\SaveDisable.potm
File created  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\readme-warning.txt
File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif
File opened for modification  C:\Program Files\Microsoft Office\Office14\1033\MSACCESS.DEV_K_COL.HXK
File opened for modification  C:\Program Files\Microsoft Office\Office14\PUBWIZ\STORYBB.POC
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Nicosia
File opened for modification  C:\Program Files\Java\jre7\lib\zi\Europe\Kaliningrad
File opened for modification  C:\Program Files\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackgroundRTL.jpg
File opened for modification  C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\ExcelMUI.XML
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html
File opened for modification  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0213243.WMF
File opened for modification  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE00542_.WMF
File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_docked.png
File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonSubpicture.png
File opened for modification  C:\Program Files\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18214_.WMF
File created  C:\Program Files (x86)\Internet Explorer\SIGNUP\readme-warning.txt
File opened for modification  C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Visualizer.zip
File opened for modification  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0105234.WMF
File opened for modification  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0281638.WMF
File opened for modification  C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14795_.GIF
File opened for modification  C:\Program Files\Microsoft Office\MEDIA\OFFICE14\LINES\BD14997_.GIF
File opened for modification  C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Status Report.fdt
File opened for modification  C:\Program Files\Microsoft Office\Office14\PUBWIZ\DGSIDEBRV.XML
File created  C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\readme-warning.txt
File opened for modification  C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0240157.WMF
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActions.exsd
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_ja.jar
File opened for modification  C:\Program Files\Microsoft Office\MEDIA\OFFICE14\LINES\BD21323_.GIF
File opened for modification  C:\Program Files\Microsoft Office\Office14\1033\XLINTL32.DLL.IDX_DLL
File opened for modification  C:\Program Files\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupiconsmask.bmp
File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_right.png
File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-border.png
Four of the listed entries are readme-warning.txt files created in directories whose contents were just modified, i.e. the ransom note is dropped per directory as the file walk proceeds, and the walk reaches both Program Files and Program Files (x86) regardless of file type.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
All five keys are written by vssvc.exe, the Volume Shadow Copy service (pid 1768), under its own VSS\Diag subtree while it handles the shadow-copy deletion requested below; they are diagnostic entries for the VSS writers and software provider, not a change to any service's configuration by 1.exe.
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
PID 740 (1.exe) wrote to memory of 1056 (cmd.exe), 4 times
PID 1056 (cmd.exe) wrote to memory of 1532 (vssadmin.exe), 3 times
PID 1056 (cmd.exe) wrote to memory of 1940 (wbadmin.exe), 3 times
PID 1056 (cmd.exe) wrote to memory of 1564 (WMIC.exe), 3 times
Every write is from a parent into a child it has just created, which mirrors the process tree rather than indicating injection into an unrelated process.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exe  pid 1532
-
Adds Run entry to start application 2 TTPs 1 IoCs
Processes:
1.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1.exe\""
The value name 1 matches the sample's file name and the data is the sample's own path in the user's Temp directory, so persistence depends on that copy surviving; a Run value whose target lives under AppData\Local\Temp is a strong hunting signal in its own right.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
vssvc.exe (pid 1768): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
wbengine.exe (pid 1852): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
WMIC.exe (pid 1564), the same 20 privileges enabled twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
The bare numbers 33, 34 and 35 are privilege LUIDs the sandbox left unresolved; in the standard Windows numbering they are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. Enabling every privilege present in its token is what wmic.exe does on start-up, and the backup/restore privileges on vssvc.exe and wbengine.exe are those services doing their normal work, so none of these entries is an indicator by itself; the indicator is that cmd.exe under 1.exe invoked them.
-
Deletes system backup catalog 2 TTPs
Ransomware often tries to delete backup files to inhibit system recovery.
-
Modifies system certificate store 2 IoCs
Processes:
1.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
1.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510
AuthRoot is the store that Windows' automatic root-certificate update populates from inside whichever process is building a certificate chain, and the key name is the SHA-1 thumbprint of the public root DST Root CA X3: the Blob carries that name as its UTF-16 friendly-name property, an enhanced-key-usage list restricting the root to server authentication and e-mail protection, and a certificate valid from 2000-09-30 to 2021-09-30. Read this signature as a side effect of chain validation performed in 1.exe's context rather than as the installation of an attacker-controlled root; the check is to parse the Blob, hash the embedded certificate and compare the result with the key name and with a thumbprint you trust.
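As an added example (editor's code, not part of the sandbox report or the sample), a parser for the Blob value above. It walks CryptoAPI's serialized-property records, takes the DER certificate from property 32, hashes it and compares the hashes with the stored SHA-1 (property 3), MD5 (property 4) and the registry key name, and decodes the friendly name. The hex is the page's own Blob joined across its two lines; the property-ID meanings are the CryptoAPI CERT_*_PROP_ID constants, and the rejection of malformed records is the editor's addition.

```python
"""Parse the AuthRoot Blob value recorded above and cross-check what it stores.

The Blob is CryptoAPI's serialized-property format: a run of records, each
uint32 property id, uint32 reserved (always 1), uint32 length, then data.
Property 32 is the DER certificate; 3 and 4 are its SHA-1 and MD5; 11 is the
UTF-16LE friendly name; 9 the enhanced-key-usage list; 20 the key identifier.
"""
import hashlib
import struct

KEY_THUMBPRINT = "DAC9024F54D8F6DF94935FB1732638CA6AD77C13"  # registry key name from the report

# Blob value copied from the report (joined across its two lines), one record per comment.
BLOB_HEX = (
    "040000000100000010000000410352dc0ff7501b16f0028eba6f45c5"  # 4  MD5 hash
    "0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d"  # 15 signature hash
    "0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000"  # 11 name
    "090000000100000016000000301406082b0601050507030406082b06010505070301"  # 9  EKU
    "140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910"  # 20 key identifier
    "1d00000001000000100000004558d512eecb27464920897de7b66053"  # 29
    "030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c13"  # 3  SHA-1 hash
    "1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424"  # 25 subject key MD5
    "20000000010000004e030000"  # 32 certificate: 0x34e = 846 bytes of DER follow
    "3082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500"
    "303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e"
    "311730150603550403130e44535420526f6f74204341205833"
    "301e170d3030303933303231313231395a170d3231303933303134303131355a"
    "303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e"
    "311730150603550403130e44535420526f6f74204341205833"
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"
    "dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c11814"
    "8be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8c"
    "e5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38"
    "b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f"
    "48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b"
    "6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec"
    "1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115"
    "023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d"
    "0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106"
    "301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910"
    "300d06092a864886f70d01010505000382010100"
    "a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d"
    "3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db"
    "6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e"
    "58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7"
    "167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f52648"
    "9a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc"
    "02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5"
    "b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510"
)


def parse_cert_blob(blob: bytes) -> dict:
    """Return {property_id: data}; reject a truncated or malformed record."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1 or off + 12 + length > len(blob):
            raise ValueError(f"bad record (id {prop_id}) at offset {off}")
        props[prop_id] = blob[off + 12:off + 12 + length]
        off += 12 + length
    return props


def check_authroot_entry(blob_hex: str, key_name: str) -> dict:
    """Hash the embedded certificate and compare with the stored hashes and key name."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    cert = props[32]
    sha1, md5 = hashlib.sha1(cert).hexdigest(), hashlib.md5(cert).hexdigest()
    return {
        "property_ids": sorted(props),
        "friendly_name": props[11].decode("utf-16-le").rstrip("\x00"),
        "cert_len": len(cert),
        "sha1": sha1,
        "md5": md5,
        "sha1_matches_prop3": sha1 == props[3].hex(),
        "md5_matches_prop4": md5 == props[4].hex(),
        "sha1_matches_key_name": sha1 == key_name.lower(),
        "key_id_in_cert": props[20] in cert,  # same bytes as the SubjectKeyIdentifier extension
    }


if __name__ == "__main__":
    for field, value in check_authroot_entry(BLOB_HEX, KEY_THUMBPRINT).items():
        print(f"{field}: {value}")
```

All three hash comparisons come back true for this Blob, which is what separates a CryptoAPI root-update write from a planted root: an attacker-installed certificate would still be internally consistent, so the last step is always to compare the computed SHA-1 against a thumbprint list you trust rather than against the key name alone.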
Processes
C:\Users\Admin\AppData\Local\Temp\1.exe  "C:\Users\Admin\AppData\Local\Temp\1.exe"  (pid 740)
  - Suspicious behavior: EnumeratesProcesses
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - Adds Run entry to start application
  - Modifies system certificate store
  C:\Users\Admin\AppData\Local\Temp\1.exe  "C:\Users\Admin\AppData\Local\Temp\1.exe" n740
  C:\Windows\system32\cmd.exe  "C:\Windows\system32\cmd.exe"  (pid 1056)
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe  vssadmin delete shadows /all /quiet  (pid 1532)
      - Interacts with shadow copies
    C:\Windows\system32\wbadmin.exe  wbadmin delete catalog -quiet  (pid 1940)
      - Deletes backup catalog
    C:\Windows\System32\Wbem\WMIC.exe  wmic shadowcopy delete  (pid 1564)
      - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\1.exe  "C:\Users\Admin\AppData\Local\Temp\1.exe" n740
  C:\Users\Admin\AppData\Local\Temp\1.exe  "C:\Users\Admin\AppData\Local\Temp\1.exe" n740
  C:\Users\Admin\AppData\Local\Temp\1.exe  "C:\Users\Admin\AppData\Local\Temp\1.exe" n740
C:\Windows\system32\vssvc.exe  C:\Windows\system32\vssvc.exe  (pid 1768)
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbengine.exe  "C:\Windows\system32\wbengine.exe"  (pid 1852)
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\vdsldr.exe  C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe  C:\Windows\System32\vds.exe
The four indented copies of 1.exe are the sample re-launching itself with the argument n740, the parent's PID; the sandbox lists no PIDs or signatures for them. The whole recovery-inhibition step is a single cmd.exe child of the original process running the three deletion commands back to back. vssvc.exe, wbengine.exe, vdsldr.exe and vds.exe are the Volume Shadow Copy, Block Level Backup Engine and Virtual Disk services that Windows starts to serve the vssadmin, wbadmin and wmic requests; they appear at the top level because they are service-hosted, not because anything launched them independently of the chain under 1.exe.
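As an added example (editor's code, not part of the sandbox report or the sample), a triage pass over events reconstructed from the process tree above and from the Run-key IoC: it flags the cmd.exe chain that deletes shadow copies and the backup catalog (ATT&CK T1490, Inhibit System Recovery) and a Run value whose target lies in a user-writable directory (T1547.001, Registry Run Keys; T1060 in the ATT&CK v6 matrix this page references), and reports each finding with its ancestry back to the root process. The event records are constructed from the page's PIDs, paths and command lines using Sysmon-style field names; the benign control under pid 2100 (parent 900) is invented so the rules can be shown not to fire on a listing.

```python
"""Triage pass over sandbox events: flag the cmd.exe chain that removes shadow
copies and the backup catalog, and the Run value that points back into the
user's Temp directory, reporting each finding with its process ancestry."""
import re

# Events constructed from the process tree and the Run-key IoC in this report,
# using Sysmon-style field names. The vssadmin listing under pid 2100 (parent
# 900) is an added benign control that must not fire.
EVENTS = [
    {"type": "process", "pid": 740, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\1.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\1.exe"'},
    {"type": "process", "pid": 1056, "ppid": 740,
     "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"type": "process", "pid": 1532, "ppid": 1056,
     "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "process", "pid": 1940, "ppid": 1056,
     "image": r"C:\Windows\system32\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"type": "process", "pid": 1564, "ppid": 1056,
     "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"type": "registry", "pid": 740,
     "key": r"HKU\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\1",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\1.exe"'},
    {"type": "process", "pid": 2100, "ppid": 900,
     "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]

# Recovery-inhibiting command lines (ATT&CK T1490), keyed by image basename.
RECOVERY_PATTERNS = {
    "vssadmin.exe": re.compile(r"\bdelete\s+shadows\b", re.I),
    "wbadmin.exe": re.compile(r"\bdelete\s+catalog\b", re.I),
    "wmic.exe": re.compile(r"\bshadowcopy\s+delete\b", re.I),
}
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\|\\Users\\Public\\|\\ProgramData\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(procs: dict, pid) -> list:
    """PIDs from the given process up to its root; cycle-safe for bad data."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain


def triage(events: list) -> list:
    """Apply both rules and attach the ancestry chain to every finding."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        chain = ancestry(procs, e["pid"])
        root_image = procs[chain[-1]]["image"] if chain else ""
        base = {
            "pid": e["pid"],
            "chain": " <- ".join(f"{basename(procs[p]['image'])}({p})" for p in chain),
            "root_in_user_writable": bool(USER_WRITABLE.search(root_image)),
        }
        if e["type"] == "process":
            pattern = RECOVERY_PATTERNS.get(basename(e["image"]))
            if pattern and pattern.search(e["cmdline"]):
                findings.append({**base, "technique": "T1490", "cmdline": e["cmdline"]})
        elif e["type"] == "registry":
            if RUN_KEY.search(e["key"]) and USER_WRITABLE.search(e["data"]):
                findings.append({**base, "technique": "T1547.001", "value": e["key"], "data": e["data"]})
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

On live data the same fields come from Sysmon event ID 1 (ProcessId, ParentProcessId, Image, CommandLine) and event ID 13 (TargetObject, Details); the ancestry string is what turns three individually explainable admin commands into one finding rooted in an executable running from the user's Temp directory.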
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
\??\PIPE\browser
\??\PIPE\wkssvc
memory/520-14-0x00000000036F0000-0x0000000003701000-memory.dmp  68KB
memory/520-13-0x0000000003428000-0x0000000003439000-memory.dmp  68KB
memory/740-1-0x0000000003600000-0x0000000003611000-memory.dmp  68KB
memory/740-0-0x0000000003398000-0x00000000033A9000-memory.dmp  68KB
memory/1056-2-0x0000000000000000-mapping.dmp
memory/1532-3-0x0000000000000000-mapping.dmp
memory/1564-7-0x0000000000000000-mapping.dmp
memory/1572-11-0x0000000003590000-0x00000000035A1000-memory.dmp  68KB
memory/1572-10-0x0000000003368000-0x0000000003379000-memory.dmp  68KB
memory/1648-4-0x00000000002B8000-0x00000000002C9000-memory.dmp  68KB
memory/1648-5-0x0000000003380000-0x0000000003391000-memory.dmp  68KB
memory/1940-6-0x0000000000000000-mapping.dmp
memory/2004-9-0x0000000003670000-0x0000000003681000-memory.dmp  68KB
memory/2004-8-0x0000000003378000-0x0000000003389000-memory.dmp  68KB
The two named pipes, browser and wkssvc, are the RPC endpoints of the Computer Browser and Workstation services; the page records no further network detail. Each dumped process yields two 0x11000-byte (68KB) regions, the same size at similar offsets in every instance. PIDs 520, 1572, 1648 and 2004 do not appear in the process tree, and since that tree shows four unnumbered child copies of 1.exe launched with n740, those children are the likeliest owners; the dumps from 740 and from the four unnamed PIDs are therefore the first place to look for the unpacked payload.