Overview

overview

10

Static

static

1

Fat32Formatter.exe

windows7_x64

10

Fat32Formatter.exe

windows10_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    108s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    26-01-2021 14:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fat32Formatter.exe

  • Size

    276KB

  • MD5

    57bfa19c46f1b511836845dc3cf660f3

  • SHA1

    a90e180b514f4cdd8a5db72b4d65c42c1fb1e389

  • SHA256

    e85e974255245ba41d391acc207908eeddb5ec95285e5375496a89617c5fb843

  • SHA512

    f3dce6d32e009000618c3f3dc0939e1bca21ad4bf3a1ae46a74fafcff54884d07be751dad610790db3e92c116a5878f76a8c7b5aaae892fef702ca912239d48a

Score
10/10
makoppersistenceransomwarespyware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\readme-warning.txt

Family

makop

Ransom Note
::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "moloch" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: agares_helpdesk@tutanota.com or agares@airmail.cc .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.
Emails

agares_helpdesk@tutanota.com

agares@airmail.cc

Signatures

  • Makop

    Ransomware family discovered by @VK_Intel in early 2020.

    ransomwaremakop
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    ransomware
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Program Files directory 9659 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
    "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
      "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe"
      2⤵
      • Modifies extensions of user files
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1412
      • C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
        "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe" n1412
        3⤵
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1728
        • C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
          "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe" n1412
          4⤵
            PID:212
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1664
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            4⤵
            • Interacts with shadow copies
            PID:1056
          • C:\Windows\system32\wbadmin.exe
            wbadmin delete catalog -quiet
            4⤵
            • Deletes backup catalog
            PID:1864
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic shadowcopy delete
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1620
        • C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
          "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe" n1412
          3⤵
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:812
          • C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
            "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe" n1412
            4⤵
              PID:228
          • C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
            "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe" n1412
            3⤵
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:1144
            • C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
              "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe" n1412
              4⤵
                PID:1020
            • C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
              "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe" n1412
              3⤵
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:1868
              • C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe
                "C:\Users\Admin\AppData\Local\Temp\Fat32Formatter.exe" n1412
                4⤵
                  PID:1780
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:924
          • C:\Windows\system32\wbengine.exe
            "C:\Windows\system32\wbengine.exe"
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1356
          • C:\Windows\System32\vdsldr.exe
            C:\Windows\System32\vdsldr.exe -Embedding
            1⤵
              PID:736
            • C:\Windows\System32\vds.exe
              C:\Windows\System32\vds.exe
              1⤵
                PID:1592

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Command-Line Interface

              1
              T1059

              Persistence

              Registry Run Keys / Startup Folder

              1
              T1060

              Privilege Escalation

              Defense Evasion

              File Deletion

              3
              T1107

              Modify Registry

              2
              T1112

              Install Root Certificate

              1
              T1130

              Credential Access

              Credentials in Files

              1
              T1081

              Discovery

              System Information Discovery

              1
              T1082

              Lateral Movement

              Collection

              Data from Local System

              1
              T1005

              Exfiltration

              Command and Control

              Web Service

              1
              T1102

              Impact

              Inhibit System Recovery

              3
              T1490

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Roaming\383576795
                MD5

                66b375164f57712c80d05da2e514ee47

                SHA1

                565ee056235964cfa84ff08f6f0b7aeac9407a94

                SHA256

                4fede40c5b690413a9e6ac4a4125930a23a987604f7a703755a2ba38d429bff3

                SHA512

                b20d29eaf1af3473b2cd820938bfece1f2f61be2f72ca518cbe537fe0615d083c6e184750db9c70d053ea6f7528d5d4df014c7802836ce7e03eb7ac067986868

                Download Submit
              • C:\Users\Admin\AppData\Roaming\383576795
                MD5

                bb142cd23c450d199e7932c0d1c4825d

                SHA1

                72302e59c731e98ea1482a7bddce5fd32c2fc55a

                SHA256

                4dfe99c8d27a3cdb4e2ea5fd8494849439fb71c5d868aa2e520e8e5a0c713fb2

                SHA512

                925dd03e439e79bd08dd66d4e9ff4c8ea44b7e6a7f2d686493e8dcf9f9bae12b0e21cfcf08381620c11a517a8b282642a6187b4a4bc982d97ed26edc3085656f

                Download Submit
              • C:\Users\Admin\AppData\Roaming\383576795
                MD5

                50ac4bfa70127e554a2e8a4d3e6618d5

                SHA1

                b3419bfcd8eee7cf25f5b210608a4a28a6ced56d

                SHA256

                55a9ba94c74a68976c9abade2532a92108b64711f8becdaba1f947015622d63f

                SHA512

                010da422d64feef14a911e855aee5fac9cffb9ca4b939558e9c82d85d98a95995afdc91cee8974bf031cd07bad12d9e0b159195d6e3cc23e0575e0a2e5cf88b9

                Download Submit
              • C:\Users\Admin\AppData\Roaming\383576795
                MD5

                bb142cd23c450d199e7932c0d1c4825d

                SHA1

                72302e59c731e98ea1482a7bddce5fd32c2fc55a

                SHA256

                4dfe99c8d27a3cdb4e2ea5fd8494849439fb71c5d868aa2e520e8e5a0c713fb2

                SHA512

                925dd03e439e79bd08dd66d4e9ff4c8ea44b7e6a7f2d686493e8dcf9f9bae12b0e21cfcf08381620c11a517a8b282642a6187b4a4bc982d97ed26edc3085656f

                Download Submit
              • C:\Users\Admin\AppData\Roaming\383576795
                MD5

                c33b28c068ddc979854069ff70a00d99

                SHA1

                aace5f97df6a2948e704b65781eab2a3f0ddba84

                SHA256

                0a979cae49018bfdc7a4a6dc25f55e8d201f45708b3239c891605df3dd5cc180

                SHA512

                3d30776c6b744520452afc4d8722b605ee406e8cd6c7d79f1a3aac8dfa37abe177bb4bde456f2b1d153e266e62aef4aeec1e42bd2e33e57e287fa7e1d0019e94

                Download Submit
              • C:\Users\Admin\AppData\Roaming\383576795
                MD5

                bb142cd23c450d199e7932c0d1c4825d

                SHA1

                72302e59c731e98ea1482a7bddce5fd32c2fc55a

                SHA256

                4dfe99c8d27a3cdb4e2ea5fd8494849439fb71c5d868aa2e520e8e5a0c713fb2

                SHA512

                925dd03e439e79bd08dd66d4e9ff4c8ea44b7e6a7f2d686493e8dcf9f9bae12b0e21cfcf08381620c11a517a8b282642a6187b4a4bc982d97ed26edc3085656f

                Download Submit
              • C:\Users\Admin\AppData\Roaming\383576795
                MD5

                f389e8dccce195aff7445063eb4ff60d

                SHA1

                e57fe424078785c90d10cc906fe1f1d8f87485ed

                SHA256

                d1b1f51a7509d68d484b1049e59f52c64f09c7e291036fdcc077fe72357ea7f2

                SHA512

                d4982e294fb9b5a956787f5b2298dfebd866f575cd3aea234592456e1dede4ac04c04493a650e1c153c875a1a81d90a9ab2e6f42919bd1f25b554a3a058d88d5

                Download Submit
              • \??\PIPE\wkssvc
                MD5

                d41d8cd98f00b204e9800998ecf8427e

                SHA1

                da39a3ee5e6b4b0d3255bfef95601890afd80709

                SHA256

                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                SHA512

                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                Download Submit
              • \Users\Admin\AppData\Local\Temp\nsc15B3.tmp\System.dll
                MD5

                fccff8cb7a1067e23fd2e2b63971a8e1

                SHA1

                30e2a9e137c1223a78a0f7b0bf96a1c361976d91

                SHA256

                6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

                SHA512

                f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

                Download Submit
              • \Users\Admin\AppData\Local\Temp\nsi2D39.tmp\System.dll
                MD5

                fccff8cb7a1067e23fd2e2b63971a8e1

                SHA1

                30e2a9e137c1223a78a0f7b0bf96a1c361976d91

                SHA256

                6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

                SHA512

                f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

                Download Submit
              • \Users\Admin\AppData\Local\Temp\nsn188.tmp\System.dll
                MD5

                fccff8cb7a1067e23fd2e2b63971a8e1

                SHA1

                30e2a9e137c1223a78a0f7b0bf96a1c361976d91

                SHA256

                6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

                SHA512

                f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

                Download Submit
              • \Users\Admin\AppData\Local\Temp\nsy206D.tmp\System.dll
                MD5

                fccff8cb7a1067e23fd2e2b63971a8e1

                SHA1

                30e2a9e137c1223a78a0f7b0bf96a1c361976d91

                SHA256

                6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

                SHA512

                f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

                Download Submit
              • \Users\Admin\AppData\Local\Temp\nsyA729.tmp\System.dll
                MD5

                fccff8cb7a1067e23fd2e2b63971a8e1

                SHA1

                30e2a9e137c1223a78a0f7b0bf96a1c361976d91

                SHA256

                6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

                SHA512

                f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

                Download Submit
              • memory/212-15-0x0000000000405A20-mapping.dmp
                Download
              • memory/228-23-0x0000000000405A20-mapping.dmp
                Download
              • memory/236-19-0x000007FEF77E0000-0x000007FEF7A5A000-memory.dmp
                Filesize

                2.5MB

                Download
              • memory/1020-30-0x0000000000405A20-mapping.dmp
                Download
              • memory/1056-8-0x0000000000000000-mapping.dmp
                Download
              • memory/1412-9-0x0000000000400000-0x000000000041E000-memory.dmp
                Filesize

                120KB

                Download
              • memory/1412-4-0x0000000000405A20-mapping.dmp
                Download
              • memory/1620-14-0x0000000000000000-mapping.dmp
                Download
              • memory/1636-2-0x00000000761E1000-0x00000000761E3000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1664-6-0x0000000000000000-mapping.dmp
                Download
              • memory/1780-38-0x0000000000405A20-mapping.dmp
                Download
              • memory/1864-13-0x000007FEFBEC1000-0x000007FEFBEC3000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1864-12-0x0000000000000000-mapping.dmp
                Download