Analysis

  • max time kernel
    120s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    23-02-2021 16:02

General

  • Target

    SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe

  • Size

    467KB

  • MD5

    1872d50febed32fe549f3c1257ede6bc

  • SHA1

    8f5d4c4c47e3d0e1071a974d92f8bba0d9ae4b6a

  • SHA256

    0ed05e4be5376f0cf391a78afc7a3114ffbfa064348fb66cd93e8ee6f6b27fe1

  • SHA512

    bdcfc894b05b73af687315aa7f2ed9643462a07cbc9a7aa95d635e00fae620c5247f6863d63af4b084fd5b488a88a4eb63bf3971744b3e6319622596899e5bdb

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\readme-warning.txt

Family

makop

Ransom Note
::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "WKSGJ" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: toddmhickey@outlook.com or jamiepenkaty@cock.li .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don't want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.
Emails

toddmhickey@outlook.com

jamiepenkaty@cock.li
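The "Extracted" fields above (encrypted-file extension, contact mailboxes) come straight out of readme-warning.txt. The following is an added example, not the sandbox's own extractor, of how to pull them from a note of this shape. NOTE_EXCERPT is a constructed excerpt of this report's note with the U+FFFD replacement character left in, as the page shows it; the "family_hint" rule keys on the "::: Greetings ::: Little FAQ" header this report's note carries and is an assumption, not a family signature.

```python
"""Pull indicators out of a Makop-style ransom note: the extension given to
encrypted files and the contact mailboxes. Added example; NOTE_EXCERPT is a
constructed excerpt of the readme-warning.txt shown in this report."""
import re

NOTE_EXCERPT = (
    "::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been "
    'encrypted and now have the "WKSGJ" extension. The file structure was not damaged, '
    "we did everything possible so that this could not happen. "
    ".4. Q: How to contact with you? A: You can write us to our mailbox: "
    "toddmhickey@outlook.com or jamiepenkaty@cock.li "
    ".6. Q: If I don\ufffdt want to pay bad people like you? A: If you will not "
    "cooperate with our service - for us, its does not matter."
)

# Extension is announced as: have the "WKSGJ" extension
EXT_RX = re.compile(r'have the "([A-Za-z0-9._-]+)" extension', re.I)
# Plain e-mail addresses; the note lists them separated by "or"
EMAIL_RX = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
# Header string of this report's note (assumption: used only as a weak hint)
MAKOP_HEADER = "::: Greetings ::: Little FAQ"


def normalize(text):
    """Repair the curly apostrophe that surfaces as U+FFFD when a cp1252 note is
    decoded as UTF-8, and collapse whitespace so the regexes see one line."""
    text = text.replace("\ufffd", "'").replace("\u2019", "'")
    return " ".join(text.split())


def extract_config(note):
    """Return the fields a config extractor would report for this note."""
    text = normalize(note)
    m = EXT_RX.search(text)
    ext = m.group(1) if m else None
    emails = []
    for addr in EMAIL_RX.findall(text):
        addr = addr.lower()
        if addr not in emails:          # first-seen order, repeats dropped
            emails.append(addr)
    return {
        "family_hint": "makop" if text.startswith(MAKOP_HEADER) else None,
        "extension": ext,
        "encrypted_glob": f"*.{ext}" if ext else None,   # for a file-system sweep
        "emails": emails,
        "contact_domains": sorted({a.split("@", 1)[1] for a in emails}),
    }


if __name__ == "__main__":
    for key, value in extract_config(NOTE_EXCERPT).items():
        print(f"{key}: {value}")
```

The apostrophe repair matters in practice: a YARA or grep rule written against the "don't" in a cleanly decoded note will miss the same note when a pipeline has already replaced the byte with U+FFFD, so normalize before matching.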

Signatures

  • Makop

    Ransomware family discovered by @VK_Intel in early 2020.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • UAC bypass 3 TTPs
  • Windows security bypass 2 TTPs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Nirsoft 7 IoCs

    Drops and runs NirSoft AdvancedRun (a legitimate utility) to launch a dropped batch file, test.bat, under an alternate account context (/RunAs 8).

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Windows security modification 2 TTPs 8 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 54 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe"
    1⤵
    • Loads dropped DLL
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1108
    • C:\Users\Admin\AppData\Local\Temp\ad86f005-6749-425b-8c9c-48a4fddcb5a7\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\ad86f005-6749-425b-8c9c-48a4fddcb5a7\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\ad86f005-6749-425b-8c9c-48a4fddcb5a7\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Users\Admin\AppData\Local\Temp\ad86f005-6749-425b-8c9c-48a4fddcb5a7\AdvancedRun.exe
        "C:\Users\Admin\AppData\Local\Temp\ad86f005-6749-425b-8c9c-48a4fddcb5a7\AdvancedRun.exe" /SpecialRun 4101d8 1672
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:332
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1016
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe" -Force
      2⤵
      PID:1636
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:952
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:632
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe"
      2⤵
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:296
      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe
        "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe" n296
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1608
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1696
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:1528
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:652
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:892
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1472
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1900
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:332
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1564
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:960
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    PID:220
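The tree above carries the whole detection story in command lines: the loader (PID 1108) adds its own path to the Defender exclusion list through Add-MpPreference, runs AdvancedRun from %TEMP%, spawns a second copy of itself (PID 296, after SetThreadContext/WriteProcessMemory on the parent), and that copy drives vssadmin, wbadmin and wmic through cmd.exe. The following is an added example of process-tree detection logic for that chain, not anything the sandbox ships. The event schema (pid, ppid, image, command line, as a Sysmon Event ID 1 or 4688 record would give you), the ppid 800 for the root process, the rule names, and the use of the report's own ATT&CK v6 IDs (T1490, T1089) are all assumptions; the events are constructed to mirror the tree, plus one benign control.

```python
"""Process-tree detection for the chain in this report: Defender exclusion via
Add-MpPreference, AdvancedRun launched from %TEMP%, a process spawning its own
image again, and the vssadmin / wbadmin / wmic recovery-inhibition trio.
Added example; EVENTS is constructed to mirror the report's process tree."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # raw command line as logged


# Rule name -> (ATT&CK v6 ID as used on this report, or None for a heuristic,
# case-insensitive regex over the command line). The optional quote after the
# binary name keeps a rule alive for '"C:\...\vssadmin.exe" delete shadows'.
RULES = {
    "vss_delete":         ("T1490", re.compile(r'\bvssadmin(\.exe)?"?\s+delete\s+shadows\b')),
    "wmic_shadowcopy":    ("T1490", re.compile(r'\bwmic(\.exe)?"?\s+shadowcopy\s+delete\b')),
    "wbadmin_catalog":    ("T1490", re.compile(r'\bwbadmin(\.exe)?"?\s+delete\s+catalog\b')),
    "defender_exclusion": ("T1089", re.compile(r'\badd-mppreference\b.*-exclusion(path|process|extension)\b')),
    "advancedrun_runas":  (None,    re.compile(r'\\appdata\\local\\temp\\.*advancedrun\.exe.*\s/runas\s+\d+')),
}


def root_of(pid, parents):
    """Follow ppid links up to the topmost process present in the event set,
    so findings are grouped per tree rather than per process."""
    seen = set()
    while parents.get(pid) in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def analyze(events):
    """Run every rule over every event; return one finding dict per hit."""
    by_pid = {e.pid: e for e in events}
    parents = {e.pid: e.ppid for e in events}
    findings = []
    for e in events:
        tree = root_of(e.pid, parents)
        cmd = e.cmdline.lower()
        for name, (technique, rx) in RULES.items():
            if rx.search(cmd):
                findings.append({"pid": e.pid, "rule": name, "technique": technique, "tree": tree})
        # Heuristic: parent runs the very same image (the sample re-launching
        # itself, as PIDs 296 and 1608 do here). Noisy alone; meaningful next to
        # SetThreadContext/WriteProcessMemory on the parent.
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.image.lower() == e.image.lower():
            findings.append({"pid": e.pid, "rule": "self_spawn", "technique": None, "tree": tree})
    return findings


def ransomware_trees(findings, threshold=2):
    """Trees in which at least `threshold` distinct T1490 rules fired; a lone
    'vssadmin list shadows' from an administrator never reaches this bar."""
    per_tree = {}
    for f in findings:
        if f["technique"] == "T1490":
            per_tree.setdefault(f["tree"], set()).add(f["rule"])
    return sorted(t for t, rules in per_tree.items() if len(rules) >= threshold)


TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TMP + r"\SecuriteInfo.com.Trojan.GenericKD.36380495.3131.9989.exe"
ADVRUN = TMP + r"\ad86f005-6749-425b-8c9c-48a4fddcb5a7\AdvancedRun.exe"
PS_SYSWOW = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = ('"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
          'Add-MpPreference -ExclusionPath "' + SAMPLE + '" -Force')

EVENTS = [  # constructed to mirror the tree above; ppid 800 for the root is assumed
    ProcEvent(1108, 800, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(1672, 1108, ADVRUN, '"' + ADVRUN + '" /EXEFilename "' + TMP
              + r'\ad86f005-6749-425b-8c9c-48a4fddcb5a7\test.bat" /WindowState ""0"" '
              '/PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run'),
    ProcEvent(332, 1672, ADVRUN, '"' + ADVRUN + '" /SpecialRun 4101d8 1672'),
    ProcEvent(1016, 1108, PS_SYSWOW, PS_CMD),
    ProcEvent(296, 1108, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(1608, 296, SAMPLE, '"' + SAMPLE + '" n296'),
    ProcEvent(1696, 296, r"C:\Windows\system32\cmd.exe", '"C:\\Windows\\system32\\cmd.exe"'),
    ProcEvent(1528, 1696, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(652, 1696, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    ProcEvent(892, 1696, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    # benign control: an administrator listing shadow copies from a console
    ProcEvent(4000, 3900, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),
]

if __name__ == "__main__":
    hits = analyze(EVENTS)
    for f in hits:
        print(f)
    print("ransomware trees:", ransomware_trees(hits))
```

Grouping by tree is the point: each of the three T1490 commands is a low-confidence event on its own (backup software and administrators run them), but two or more distinct ones under one root process, alongside a Defender exclusion for that root's own image, is the pattern this report shows and is worth an immediate alert.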

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution: Command-Line Interface, T1059 (1)
  • Persistence: Modify Existing Service, T1031 (1)
  • Privilege Escalation: Bypass User Account Control, T1088 (1)
  • Defense Evasion: Modify Registry, T1112 (5); Disabling Security Tools, T1089 (4); Bypass User Account Control, T1088 (1); File Deletion, T1107 (3)
  • Discovery: System Information Discovery, T1082 (2)
  • Impact: Inhibit System Recovery, T1490 (3)

The number in parentheses is the count of report signatures mapped to each technique. The IDs follow ATT&CK v6; in current ATT&CK versions T1031, T1088, T1089 and T1107 have been retired in favour of sub-techniques (T1543.003, T1548.002, T1562.001 and T1070.004 respectively), so map them before searching a newer matrix or writing detections against it.


        Downloads

        • C:\Users\Admin\AppData\Local\Temp\ad86f005-6749-425b-8c9c-48a4fddcb5a7\AdvancedRun.exe
          MD5

          17fc12902f4769af3a9271eb4e2dacce

          SHA1

          9a4a1581cc3971579574f837e110f3bd6d529dab

          SHA256

          29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

          SHA512

          036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
          MD5

          b0c90dda99a84ae09551bef11316c51c

          SHA1

          89d1844d70561a194f762c65490b7b4bff9ac451

          SHA256

          b9774b2264869b4b66f5c012e6d769bc35eb140f35e0bb9967c0ed21adbae80e

          SHA512

          3f72b025a47199dbd9cf51ed70023d736819dfd6df88a8854852cae96e32ed3805adcafaa77e0765c5efc97d1e2fbd36f354471e16b613d54bb25023d0950ca5

        • \Users\Admin\AppData\Local\Temp\ad86f005-6749-425b-8c9c-48a4fddcb5a7\AdvancedRun.exe
          MD5

          17fc12902f4769af3a9271eb4e2dacce

          SHA1

          9a4a1581cc3971579574f837e110f3bd6d529dab

          SHA256

          29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

          SHA512

          036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

        • memory/296-34-0x00000000004053F0-mapping.dmp
        • memory/296-46-0x0000000000400000-0x000000000041E000-memory.dmp
          Filesize

          120KB

        • memory/296-33-0x0000000000400000-0x000000000041E000-memory.dmp
          Filesize

          120KB

        • memory/332-15-0x0000000000000000-mapping.dmp
        • memory/632-28-0x0000000000000000-mapping.dmp
        • memory/652-78-0x0000000000000000-mapping.dmp
        • memory/652-82-0x000007FEFBA51000-0x000007FEFBA53000-memory.dmp
          Filesize

          8KB

        • memory/892-85-0x0000000000000000-mapping.dmp
        • memory/952-22-0x0000000000000000-mapping.dmp
        • memory/1016-48-0x00000000052E0000-0x00000000052E1000-memory.dmp
          Filesize

          4KB

        • memory/1016-57-0x00000000060C0000-0x00000000060C1000-memory.dmp
          Filesize

          4KB

        • memory/1016-26-0x0000000000B80000-0x0000000000B81000-memory.dmp
          Filesize

          4KB

        • memory/1016-84-0x0000000006310000-0x0000000006311000-memory.dmp
          Filesize

          4KB

        • memory/1016-83-0x0000000006300000-0x0000000006301000-memory.dmp
          Filesize

          4KB

        • memory/1016-29-0x0000000004930000-0x0000000004931000-memory.dmp
          Filesize

          4KB

        • memory/1016-30-0x00000000048F0000-0x00000000048F1000-memory.dmp
          Filesize

          4KB

        • memory/1016-67-0x0000000005650000-0x0000000005651000-memory.dmp
          Filesize

          4KB

        • memory/1016-32-0x00000000048F2000-0x00000000048F3000-memory.dmp
          Filesize

          4KB

        • memory/1016-18-0x0000000000000000-mapping.dmp
        • memory/1016-66-0x0000000006280000-0x0000000006281000-memory.dmp
          Filesize

          4KB

        • memory/1016-36-0x0000000002610000-0x0000000002611000-memory.dmp
          Filesize

          4KB

        • memory/1016-62-0x000000007EF30000-0x000000007EF31000-memory.dmp
          Filesize

          4KB

        • memory/1016-58-0x0000000006170000-0x0000000006171000-memory.dmp
          Filesize

          4KB

        • memory/1016-24-0x0000000073E00000-0x00000000744EE000-memory.dmp
          Filesize

          6.9MB

        • memory/1016-52-0x0000000005690000-0x0000000005691000-memory.dmp
          Filesize

          4KB

        • memory/1108-5-0x0000000004C70000-0x0000000004C71000-memory.dmp
          Filesize

          4KB

        • memory/1108-2-0x0000000073E00000-0x00000000744EE000-memory.dmp
          Filesize

          6.9MB

        • memory/1108-3-0x0000000001100000-0x0000000001101000-memory.dmp
          Filesize

          4KB

        • memory/1108-6-0x0000000000540000-0x00000000005BC000-memory.dmp
          Filesize

          496KB

        • memory/1528-43-0x0000000000000000-mapping.dmp
        • memory/1608-47-0x0000000004BE0000-0x0000000004BE1000-memory.dmp
          Filesize

          4KB

        • memory/1608-38-0x0000000073E00000-0x00000000744EE000-memory.dmp
          Filesize

          6.9MB

        • memory/1636-25-0x0000000073E00000-0x00000000744EE000-memory.dmp
          Filesize

          6.9MB

        • memory/1636-19-0x0000000000000000-mapping.dmp
        • memory/1636-31-0x0000000004BB0000-0x0000000004BB1000-memory.dmp
          Filesize

          4KB

        • memory/1672-9-0x0000000000000000-mapping.dmp
        • memory/1672-11-0x00000000760D1000-0x00000000760D3000-memory.dmp
          Filesize

          8KB

        • memory/1696-37-0x0000000000000000-mapping.dmp
        • memory/1900-41-0x0000000000000000-mapping.dmp
        • memory/1900-42-0x00000000008C0000-0x00000000008D1000-memory.dmp
          Filesize

          68KB

        • memory/1900-49-0x0000000000260000-0x0000000000261000-memory.dmp
          Filesize

          4KB