Overview

overview

10

Static

static

이λ ₯μ„œ(...€).exe

windows7_x64

10

이λ ₯μ„œ(...€).exe

windows10_x64

10

Analysis

  • max time kernel
    143s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    10-02-2021 00:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    이λ ₯μ„œ(κ²½λ ₯μ‚¬ν•­μ΄λž‘ 같이 κΈ°μž¬ν•˜μ˜€μŠ΅λ‹ˆλ‹€ 잘 λΆ€νƒλ“œλ¦¬κ² μŠ΅λ‹ˆλ‹€).exe

  • Size

    40KB

  • MD5

    5c02cb26de796b4eb98d860530e9b7b5

  • SHA1

    30d0c096df1d09eb24b8cfc3663fa1ed7f351f49

  • SHA256

    20c4b391c9460dd00fb0907cb6cd67c60b7f87a2761851c360e0a60d984e111a

  • SHA512

    c60cbcc4b52674c49d5fbd3fb685427b0ece394c1f4b7bfd9f4c8b913153786c067b39a088205a05b826f49bfc40f56e8eedd83e72d447e94e9ebce84a5fa5b8

Score
10/10
makoppersistenceransomwarespyware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\readme-warning.txt

Family

makop

Ransom Note
::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "vassago" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: vassago_0203@tutanota.com or vassago0203@cock.li .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I donοΏ½t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.
Emails

vassago_0203@tutanota.com

vassago0203@cock.li

Signatures

  • Makop

    Ransomware family discovered by @VK_Intel in early 2020.

    ransomwaremakop
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies Installed Components in the registry 2 TTPs
    persistence
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 16 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Control Panel 5 IoCs
    evasion
  • Modifies registry class 30 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 44 IoCs
  • Suspicious use of SendNotifyMessage 23 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\이λ ₯μ„œ(κ²½λ ₯μ‚¬ν•­μ΄λž‘ 같이 κΈ°μž¬ν•˜μ˜€μŠ΅λ‹ˆλ‹€ 잘 λΆ€νƒλ“œλ¦¬κ² μŠ΅λ‹ˆλ‹€).exe
    "C:\Users\Admin\AppData\Local\Temp\이λ ₯μ„œ(κ²½λ ₯μ‚¬ν•­μ΄λž‘ 같이 κΈ°μž¬ν•˜μ˜€μŠ΅λ‹ˆλ‹€ 잘 λΆ€νƒλ“œλ¦¬κ² μŠ΅λ‹ˆλ‹€).exe"
    1⤵
    • Modifies extensions of user files
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:412
    • C:\Users\Admin\AppData\Local\Temp\이λ ₯μ„œ(κ²½λ ₯μ‚¬ν•­μ΄λž‘ 같이 κΈ°μž¬ν•˜μ˜€μŠ΅λ‹ˆλ‹€ 잘 λΆ€νƒλ“œλ¦¬κ² μŠ΅λ‹ˆλ‹€).exe
      "C:\Users\Admin\AppData\Local\Temp\이λ ₯μ„œ(κ²½λ ₯μ‚¬ν•­μ΄λž‘ 같이 κΈ°μž¬ν•˜μ˜€μŠ΅λ‹ˆλ‹€ 잘 λΆ€νƒλ“œλ¦¬κ² μŠ΅λ‹ˆλ‹€).exe" n412
      2⤵
        PID:3984
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3340
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:3464
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          3⤵
          • Deletes backup catalog
          PID:4040
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1112
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s seclogon
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1660
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3384
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2580
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:3520
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:2896
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 1680 -s 2644
        1⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4076
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1912
      • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
        "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
        1⤵
        • Modifies Control Panel
        • Suspicious use of SetWindowsHookEx
        PID:896
      • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
        1⤵
        • Enumerates system info in registry
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:64

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Command-Line Interface

      1
      T1059

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      File Deletion

      3
      T1107

      Modify Registry

      2
      T1112

      Install Root Certificate

      1
      T1130

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      Query Registry

      3
      T1012

      Peripheral Device Discovery

      2
      T1120

      System Information Discovery

      3
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Web Service

      1
      T1102

      Impact

      Inhibit System Recovery

      3
      T1490

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.3.db
        MD5

        f79d2318ae10f0308fce117af39d31cd

        SHA1

        f5c183bedbd4f88baa6ba7a6d1236f65eb6efc62

        SHA256

        8c4a92c1498db5e8d2833d1b8cd613087c7deb8c39b6a42e7e52ac5414cc5e9e

        SHA512

        a72b4fac2213c3f89d52b43f9ca33aa8e6df07a5ba18f8597524ebf012cf90f2fdd2dfcc13d964545bbdcbf44b24aa8c3bd987397534aa22f10d40b41a09e606

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001d.db
        MD5

        9a3f988726ccc2e20078f2044ac6aa10

        SHA1

        bd188345ce30dfa7759eb77b96b9b3138a16afad

        SHA256

        56d056c3a61d29157a5119364ad1c36d0608325e5e5a5f8d1b3ad6075294b60f

        SHA512

        f028e20041de75f7aef3cc0401f2d1bbebc941cb23225abc0b825b6b5343b40bbe9328c85ca26183b222e3c5f4d46116097317af7e4679d38ac9ec5320b1c9c4

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\WER91A4.tmp.appcompat.txt
        MD5

        7b2de83d510f9f843a6fd57aefa5cf14

        SHA1

        d11956c25021a5263dcb3a5911352522d28ec8b2

        SHA256

        5a46b4292ed627189ff06a006bca935aa9322bad894a2c0b4e9eec6e014e9ae2

        SHA512

        d149515cc2c4c97003853e33e5eb5171bd2e50740a3c7e0c9d380b4c8ef8cba9734f70e99a5cd9b3afe15486c337ff10af404732549a37fbfb68bd2bdd508b09

        Download Submit
      • C:\Users\All Users\Microsoft\Windows\WER\Temp\WER8F60.tmp.WERInternalMetadata.xml
        MD5

        38c1f41cabf09a5476db8e2c23420848

        SHA1

        08b9fd5a6e6fd658baa5ea9723a909763dc75317

        SHA256

        78ff571a91e46d45070a3cfcd4ed861a9b9da5667d4f8449bcf6ee887ec84d9f

        SHA512

        ef8f19a4a8d89bfc42da5cc0186333678a960f806fd054e85c5aa7af2c5191cf67eede40beee85910cbf1bcc0b052ce144510820b77d3da1aaebed1eb693563e

        Download Submit
      • memory/1112-6-0x0000000000000000-mapping.dmp
        Download
      • memory/3340-3-0x0000000000000000-mapping.dmp
        Download
      • memory/3464-4-0x0000000000000000-mapping.dmp
        Download
      • memory/3984-2-0x0000000000000000-mapping.dmp
        Download
      • memory/4040-5-0x0000000000000000-mapping.dmp
        Download
      • memory/4076-7-0x0000022F25BA0000-0x0000022F25BA1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4076-8-0x0000022F25BA0000-0x0000022F25BA1000-memory.dmp
        Filesize

        4KB

        Download