Overview

overview

10

Static

static

10

bc0ed3e73b...49.exe

windows7_x64

10

bc0ed3e73b...49.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    02-04-2021 07:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.exe

  • Size

    34KB

  • MD5

    67d32736c5e1300c21329f956da836ab

  • SHA1

    15c705cc01650bbf0db7bd0229edadb5f4ee9cf7

  • SHA256

    bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49

  • SHA512

    33ec980170d703e43d67dbad2c1fef5855020291e139aa7e7bb1c96d446d27b7f187910df10bf183de86b882ffdd9dbc30715eafe74ae24edba4341fbcfa7eb8

Score
10/10
makopransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\readme-warning.txt

Family

makop

Ransom Note
::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "dark" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: revilsupport@privatemail.com .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.
Emails

revilsupport@privatemail.com

Signatures

  • Makop

    Ransomware family discovered by @VK_Intel in early 2020.

    ransomwaremakop
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.exe
    "C:\Users\Admin\AppData\Local\Temp\bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.exe"
    1⤵
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:892
    • C:\Users\Admin\AppData\Local\Temp\bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.exe
      "C:\Users\Admin\AppData\Local\Temp\bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49.exe" n892
      2⤵
        PID:1996
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1988
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:1760
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          3⤵
          • Deletes backup catalog
          PID:1236
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:348
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1300
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1500
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:1452
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
          PID:1900
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
          1⤵
          • Suspicious use of FindShellTrayWindow
          PID:1824
        • C:\Windows\explorer.exe
          "C:\Windows\explorer.exe"
          1⤵
            PID:1736
          • C:\Windows\system32\AUDIODG.EXE
            C:\Windows\system32\AUDIODG.EXE 0x590
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:680

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Command-Line Interface

          1
          T1059

          Persistence

          Privilege Escalation

          Defense Evasion

          File Deletion

          3
          T1107

          Install Root Certificate

          1
          T1130

          Modify Registry

          1
          T1112

          Credential Access

          Credentials in Files

          1
          T1081

          Discovery

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Exfiltration

          Command and Control

          Web Service

          1
          T1102

          Impact

          Inhibit System Recovery

          3
          T1490

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\Desktop\readme-warning.txt
            MD5

            d7d1c8f289acf5628041ccf7bc22f385

            SHA1

            54cea28b19226721e9930513042c8e6873249158

            SHA256

            1fd3e071217de91918e7cd276e987ba1445d772b8b0bd45108d8065ee5255326

            SHA512

            7fda59042f6d7cb491955d782b835d42417e7dffbae690f2b4a831d41c4db0956d60a9d9be6a1f32f496c59c71e41ea26688813cd09bd054f42c6f8fe6189d63

            Download Submit
          • memory/348-8-0x0000000000000000-mapping.dmp
            Download
          • memory/892-2-0x0000000074D91000-0x0000000074D93000-memory.dmp
            Filesize

            8KB

            Download
          • memory/972-9-0x000007FEF7570000-0x000007FEF77EA000-memory.dmp
            Filesize

            2.5MB

            Download
          • memory/1236-6-0x0000000000000000-mapping.dmp
            Download
          • memory/1236-7-0x000007FEFB931000-0x000007FEFB933000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1760-5-0x0000000000000000-mapping.dmp
            Download
          • memory/1988-4-0x0000000000000000-mapping.dmp
            Download