Analysis
-
max time kernel
313s -
max time network
377s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
07-03-2021 22:02
General
-
Target
test.bin.exe
-
Size
281KB
-
MD5
41a1fa524a93929a68b58064bb1f86f7
-
SHA1
47f69f81ee8be286f28a3a37337ad711f71b17b3
-
SHA256
419f69ea6641f41f6f0ed44914ed3c8e9fcd0bd9b4ffcb720c60e3d682a9f78d
-
SHA512
39250ec6f09e97cd5cd593038510eb414b680f4b9d112b7f2ff9dc017566671f23100aa01404ace8ecedee3510d1ea1fd8284bacbac1872224f522ce653ffb2d
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\623761351\readme-warning.txt
makop
vassago0213@airmail.cc
vassago_0213@tutanota.com
Signatures
-
Makop
Ransomware family discovered by @VK_Intel in early 2020.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 50 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\test.bin.exe"C:\Users\Admin\AppData\Local\Temp\test.bin.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\test.bin.exe"C:\Users\Admin\AppData\Local\Temp\test.bin.exe"2⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\test.bin.exe"C:\Users\Admin\AppData\Local\Temp\test.bin.exe" n43483⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\test.bin.exe"C:\Users\Admin\AppData\Local\Temp\test.bin.exe" n43484⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\402991629MD5
6c14653c6fc51d18a3eaa9dbe2dc3571
SHA1fd94412c5464d3f70249a63557892878a8fab1d8
SHA256f965aebe334d339219ba0a86ed6a0eb672d01f799372889571b4a97d2ee999de
SHA512d6a6d2eb9470c012714719a94a41eb466aa83907b38b7b2d85e363f5680d082cba130b81776d6843278aa93092915251928b50088d68cd27ccaffcb375781f95
-
C:\Users\Admin\AppData\Roaming\402991629MD5
52b8b293ea78fab9028a304685e33dfa
SHA138c96fa239ca67a5c4b31b92dbc9975655012113
SHA2564db174c4ae9be069fed1548e433b2e6d972afed90bb6978e36ba3b7e819deb6f
SHA512b7d218fdaa79c2ef00902f57206227f8e6f9fc7d4adeff21942a51fc815c226b7a480aa7f88112c3bab7583c993a1818f0d4e4b7edc677f0793f18eb572fe432
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\JRE Test\JRE Test.lnkMD5
fb76767237045c335edfcea364cbf0a4
SHA18a3da944b07b88230e7091f76621ba10e46f80a4
SHA256d90b5ec0a64dde7104b49e596b16e480c1654b97d3880148d640b060ed7f2738
SHA512fbd3384b70248befd37fc9c93510a366c88ecc288c4be5da26d1e6675b9fad4e4be90ca179129b21e6fb1e516c584ed0953793aa998bbdbd8eb60a506b32e8f1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\JRE Test\JRE Test.lnkMD5
2993bdd43de8cf9d200f5dfe48342be1
SHA16b1346438f7b059f3f9512ce4034daac89b63c49
SHA2565c7a77706fc64962d4b7c8b7065d095314fbbd094ab0bf2b1d1b54a4060dc6e9
SHA5127e8a4bfdd8710a74bd82f6ecf8e4c332e430a4d981f8de475f48a2364095247f362c028b49cb6aa99cda13d7316571dbaf026ff4f07c2a238f4e30f7dd61ccc3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\JRE Test\Uninstall.lnkMD5
25ab4eea1cb84678649ef5b68aaa095a
SHA1c8ab413409e8ff0cbf632a83a14970b5002358c9
SHA256d0789a4edf60d327edb3f5571da2ae80a6fc57ba4e746ebcb12b58725e674cbf
SHA512ddf80d4499e935c70ac770b93034d7e1820fe3b90313ae13ff4912a857cb52b5309589b4ee252cd0815d65a1631e70bd701568b82fa0c3c7c67c5899ebb9a81d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\JRE Test\Uninstall.lnkMD5
1eaaa5152192006b8d6b4cb50d6b6de8
SHA18badd53ecf73e0ef4f50a2b15bf1b82492506462
SHA256faa67fa75628f8f8418378cd6a276e6e78a7331ea7290c3e0db15140c235ec40
SHA512de86a5a102b4ee1c4d608c9912fbbb63e426c2e6c2ed022672131a8a8a95f123058fda851fe53ea7dd06888ebc9719f782ba0ccd8c2d538ff65ea66e4688a5d2
-
\Users\Admin\AppData\Local\Temp\nso43F5.tmp\System.dllMD5
0063d48afe5a0cdc02833145667b6641
SHA1e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA51271cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0
-
\Users\Admin\AppData\Local\Temp\nsx72B6.tmp\System.dllMD5
0063d48afe5a0cdc02833145667b6641
SHA1e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA51271cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0
-
memory/904-11-0x0000000000000000-mapping.dmp
-
memory/1720-13-0x0000000000000000-mapping.dmp
-
memory/2240-14-0x0000000000405680-mapping.dmp
-
memory/4076-5-0x0000000000000000-mapping.dmp
-
memory/4344-6-0x0000000000000000-mapping.dmp
-
memory/4348-4-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/4348-3-0x0000000000405680-mapping.dmp
-
memory/4396-10-0x0000000000000000-mapping.dmp