Overview

overview

10

Static

static

1

AnyDesk.exe

windows7_x64

10

AnyDesk.exe

windows10_x64

10

Resubmissions

17-01-2021 18:22

210117-p2y29rzwds 10

05-01-2021 05:07

210105-svmjjn3wwa 10

Analysis

  • max time kernel
    145s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    05-01-2021 05:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AnyDesk.exe

  • Size

    262KB

  • MD5

    53e7b9e873404afdd22cdeba41b4e1c9

  • SHA1

    18b1a19f826e9d48d5776f6e3c279547f3ff517d

  • SHA256

    c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec

  • SHA512

    ccc0af85ea847c45d11e213030e6b3224503c22fe70519049095b1d84cbf61e50c72ab370a03e456338127b52d462826248a6413706ab900afac16adf1deb9dd

Score
10/10
makoppersistenceransomwarespyware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\readme-warning.txt

Family

makop

Ransom Note
::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "moloch" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: moloch_helpdesk@tutanota.com or moloch_helpdesk@protonmail.ch .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.
Emails

moloch_helpdesk@tutanota.com

moloch_helpdesk@protonmail.ch

Signatures

  • Makop

    Ransomware family discovered by @VK_Intel in early 2020.

    ransomwaremakop
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 9681 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
      "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
      2⤵
      • Modifies extensions of user files
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1420
      • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n1420
        3⤵
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1412
        • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
          "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n1420
          4⤵
            PID:964
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1528
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            4⤵
            • Interacts with shadow copies
            PID:1532
          • C:\Windows\system32\wbadmin.exe
            wbadmin delete catalog -quiet
            4⤵
            • Deletes backup catalog
            PID:900
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic shadowcopy delete
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1592
        • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
          "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n1420
          3⤵
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:840
          • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
            "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n1420
            4⤵
              PID:948
          • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
            "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n1420
            3⤵
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:1592
            • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
              "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n1420
              4⤵
                PID:1036
            • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
              "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n1420
              3⤵
              • Loads dropped DLL
              PID:1928
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1080
        • C:\Windows\system32\wbengine.exe
          "C:\Windows\system32\wbengine.exe"
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1820
        • C:\Windows\System32\vdsldr.exe
          C:\Windows\System32\vdsldr.exe -Embedding
          1⤵
            PID:856
          • C:\Windows\System32\vds.exe
            C:\Windows\System32\vds.exe
            1⤵
              PID:344

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Command-Line Interface

            1
            T1059

            Persistence

            Registry Run Keys / Startup Folder

            1
            T1060

            Privilege Escalation

            Defense Evasion

            File Deletion

            3
            T1107

            Modify Registry

            2
            T1112

            Install Root Certificate

            1
            T1130

            Credential Access

            Credentials in Files

            1
            T1081

            Discovery

            Lateral Movement

            Collection

            Data from Local System

            1
            T1005

            Exfiltration

            Command and Control

            Web Service

            1
            T1102

            Impact

            Inhibit System Recovery

            3
            T1490

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Roaming\827763568
              MD5

              dbdbdbd7c85332a9fbf1bba97560a0f2

              SHA1

              1c9489611459f5966a7729a8f7410e18be60ebd1

              SHA256

              501d82e8f4170bbaa3aabeb160792463609b4df3dcfac734d915acb576f2c52b

              SHA512

              4c77456ed008cb5e176873b401ab8e21da36bddde5e6460cfc844a74e2effed6716608e1abb29ba485f91a2c073e11dcb5fd923f6ddb017d3ab5ec8cc79126b2

              Download Submit
            • C:\Users\Admin\AppData\Roaming\827763568
              MD5

              bc251d6a9f3408d4a2ff3add1d27ad3d

              SHA1

              99091c8e7a4ce7df879e157ddfba12d60095b1a9

              SHA256

              6e74f04c654aac5a0660ec5db3bfc2fa1ac1dc8a5f3fe683f36bcf8b049abd31

              SHA512

              23b91b23223432e345b38ceb5bcb0396f166cb079992491df275df1904dfa2c9e2f359a4c6bfba11de01d8df1ff777d0f9ed6921ada99ae44e38cb739747a995

              Download Submit
            • C:\Users\Admin\AppData\Roaming\827763568
              MD5

              6d41617a73665f559cb4166aaf5dbb82

              SHA1

              05c40171c3f8b6355f262c84f8511009c2cdbd6d

              SHA256

              fd830e2f0b028cdaa59cf9cb46c0b8bb63e27b4ac2a5f2477ea7a980a2dde8cd

              SHA512

              bd911c79406f6bb306e3c4d4bfaf8c420bafe317921520e9d99d8a9b696aaa173b8d2f0eb0cd9b41cff32d9132f89a33e29f05bb21de78110c4c389d4e137cfd

              Download Submit
            • C:\Users\Admin\AppData\Roaming\827763568
              MD5

              bc251d6a9f3408d4a2ff3add1d27ad3d

              SHA1

              99091c8e7a4ce7df879e157ddfba12d60095b1a9

              SHA256

              6e74f04c654aac5a0660ec5db3bfc2fa1ac1dc8a5f3fe683f36bcf8b049abd31

              SHA512

              23b91b23223432e345b38ceb5bcb0396f166cb079992491df275df1904dfa2c9e2f359a4c6bfba11de01d8df1ff777d0f9ed6921ada99ae44e38cb739747a995

              Download Submit
            • C:\Users\Admin\AppData\Roaming\827763568
              MD5

              2bb8c16685e5cb863a94051453b77e80

              SHA1

              66ccd01871337de9995fbf30cc717f86c10ebcbf

              SHA256

              e279b46faf01187b52c90f9b182c2621b0f8ec0ad64036eae33a2b94a77ee163

              SHA512

              0fa00bcd299c527cc0d4064188a4e603d0d0abd75755dcde840808fab003db483342c50428230f283e0b0d6f6e8c6e65deae8f39e7f4b6b74f7149101549bf02

              Download Submit
            • C:\Users\Admin\AppData\Roaming\827763568
              MD5

              bc251d6a9f3408d4a2ff3add1d27ad3d

              SHA1

              99091c8e7a4ce7df879e157ddfba12d60095b1a9

              SHA256

              6e74f04c654aac5a0660ec5db3bfc2fa1ac1dc8a5f3fe683f36bcf8b049abd31

              SHA512

              23b91b23223432e345b38ceb5bcb0396f166cb079992491df275df1904dfa2c9e2f359a4c6bfba11de01d8df1ff777d0f9ed6921ada99ae44e38cb739747a995

              Download Submit
            • \??\PIPE\wkssvc
              MD5

              d41d8cd98f00b204e9800998ecf8427e

              SHA1

              da39a3ee5e6b4b0d3255bfef95601890afd80709

              SHA256

              e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

              SHA512

              cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

              Download Submit
            • \Users\Admin\AppData\Local\Temp\nsdE17A.tmp\System.dll
              MD5

              fccff8cb7a1067e23fd2e2b63971a8e1

              SHA1

              30e2a9e137c1223a78a0f7b0bf96a1c361976d91

              SHA256

              6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

              SHA512

              f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

              Download Submit
            • \Users\Admin\AppData\Local\Temp\nsi5B2B.tmp\System.dll
              MD5

              fccff8cb7a1067e23fd2e2b63971a8e1

              SHA1

              30e2a9e137c1223a78a0f7b0bf96a1c361976d91

              SHA256

              6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

              SHA512

              f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

              Download Submit
            • \Users\Admin\AppData\Local\Temp\nsn2DB6.tmp\System.dll
              MD5

              fccff8cb7a1067e23fd2e2b63971a8e1

              SHA1

              30e2a9e137c1223a78a0f7b0bf96a1c361976d91

              SHA256

              6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

              SHA512

              f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

              Download Submit
            • \Users\Admin\AppData\Local\Temp\nsx4EDC.tmp\System.dll
              MD5

              fccff8cb7a1067e23fd2e2b63971a8e1

              SHA1

              30e2a9e137c1223a78a0f7b0bf96a1c361976d91

              SHA256

              6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

              SHA512

              f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

              Download Submit
            • \Users\Admin\AppData\Local\Temp\nsy65F5.tmp\System.dll
              MD5

              fccff8cb7a1067e23fd2e2b63971a8e1

              SHA1

              30e2a9e137c1223a78a0f7b0bf96a1c361976d91

              SHA256

              6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

              SHA512

              f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

              Download Submit
            • memory/900-10-0x0000000000000000-mapping.dmp
              Download
            • memory/948-20-0x0000000000405A20-mapping.dmp
              Download
            • memory/964-13-0x0000000000405A20-mapping.dmp
              Download
            • memory/1036-25-0x0000000000405A20-mapping.dmp
              Download
            • memory/1420-5-0x0000000000400000-0x000000000041E000-memory.dmp
              Filesize

              120KB

              Download
            • memory/1420-4-0x0000000000405A20-mapping.dmp
              Download
            • memory/1420-3-0x0000000000400000-0x000000000041E000-memory.dmp
              Filesize

              120KB

              Download
            • memory/1528-16-0x000007FEF7B10000-0x000007FEF7D8A000-memory.dmp
              Filesize

              2.5MB

              Download
            • memory/1528-6-0x0000000000000000-mapping.dmp
              Download
            • memory/1532-7-0x0000000000000000-mapping.dmp
              Download
            • memory/1592-11-0x0000000000000000-mapping.dmp
              Download