makop | d07923f73f1b5f41ab02c3239468bc0eacfe31c02b84814b6bc522a98d9b4b22

General

Target

sample.exe
Size

486KB
MD5

237d76f961f8f550c4c4bbfab30153a6
SHA1

5682d74259f61ac05b4099159ebf62377fd7586f
SHA256

d07923f73f1b5f41ab02c3239468bc0eacfe31c02b84814b6bc522a98d9b4b22
SHA512

c3dc0cf584a3d6b074709174bb890a3c65412c5aff07c0ffa5d7fee0e3f9f02d4efb094913443349338e469bd6b9a6d73340e4ae28ebc73cb2d9f952ae2570c5

Score

10^/10

makop ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\readme-warning.txt

Family

makop

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "pecunia" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: pecunia0318@airmail.cc or pecunia0318@goat.si or pecunia0318@tutanota.com .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Emails

pecunia0318@airmail.cc

pecunia0318@goat.si

pecunia0318@tutanota.com

Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.
ransomware makop
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1224 wbadmin.exe
Loads dropped DLL 2 IoCs

Processes:

sample.exesample.exe

pid process

484 sample.exe
1532 sample.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
1224	wbadmin.exe

pid	process
484	sample.exe
1532	sample.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

sample.exesample.exe

description	pid	process	target process
PID 484 set thread context of 1568	484	sample.exe	sample.exe
PID 1532 set thread context of 1700	1532	sample.exe	sample.exe

Drops file in Program Files directory 64 IoCs

Processes:

sample.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-io_ja.jar	sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\LINEAR_RGB.pf	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00330_.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293844.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\weather.js	sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_windy.png	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\NOTEL.ICO	sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.jrockit.mc.rcp.product_root_5.5.0.165303	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core_zh_CN.jar	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Median.thmx	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14579_.GIF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10219_.GIF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14538_.GIF	sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv	sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_content-background.png	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Havana	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pago_Pago	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.properties	sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Tarawa	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Country.css	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml	sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Casablanca	sample.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\readme-warning.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21299_.GIF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIconsMask.bmp	sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_top_left.png	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\alt-rt.jar	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.registry_1.1.300.v20130402-1529.jar	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE01661_.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01237_.GIF	sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\header-background.png	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_ja_4.4.0.v20140623020002.jar	sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Creston	sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)alertIcon.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf	sample.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\readme-warning.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSGR3ES.LEX	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00440_.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185778.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02278_.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLNOTER.FAE	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Category.accft	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Sofia	sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\slideShow.js	sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\THMBNAIL.PNG	sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_cloudy.png	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_zh_CN.jar	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01548_.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SlateBlue.css	sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\readme-warning.txt	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.ja_5.5.0.165303.jar	sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_dot.png	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107730.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SMSL.ICO	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base.nl_zh_4.4.0.v20140623020002.jar	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107024.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0217698.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\FONTSCHM.INI	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_zh_CN.jar	sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\readme-warning.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty.png	sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui	sample.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1652 vssadmin.exe

pid	process
1652	vssadmin.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

sample.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	sample.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

sample.exe

pid process

1568 sample.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

sample.exesample.exe

pid process

484 sample.exe
1532 sample.exe

pid	process
1568	sample.exe

pid	process
484	sample.exe
1532	sample.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

vssvc.exewbengine.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	1108	vssvc.exe
Token: SeRestorePrivilege	1108	vssvc.exe
Token: SeAuditPrivilege	1108	vssvc.exe
Token: SeBackupPrivilege	904	wbengine.exe
Token: SeRestorePrivilege	904	wbengine.exe
Token: SeSecurityPrivilege	904	wbengine.exe
Token: SeIncreaseQuotaPrivilege	1776	WMIC.exe
Token: SeSecurityPrivilege	1776	WMIC.exe
Token: SeTakeOwnershipPrivilege	1776	WMIC.exe
Token: SeLoadDriverPrivilege	1776	WMIC.exe
Token: SeSystemProfilePrivilege	1776	WMIC.exe
Token: SeSystemtimePrivilege	1776	WMIC.exe
Token: SeProfSingleProcessPrivilege	1776	WMIC.exe
Token: SeIncBasePriorityPrivilege	1776	WMIC.exe
Token: SeCreatePagefilePrivilege	1776	WMIC.exe
Token: SeBackupPrivilege	1776	WMIC.exe
Token: SeRestorePrivilege	1776	WMIC.exe
Token: SeShutdownPrivilege	1776	WMIC.exe
Token: SeDebugPrivilege	1776	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1776	WMIC.exe
Token: SeRemoteShutdownPrivilege	1776	WMIC.exe
Token: SeUndockPrivilege	1776	WMIC.exe
Token: SeManageVolumePrivilege	1776	WMIC.exe
Token: 33	1776	WMIC.exe
Token: 34	1776	WMIC.exe
Token: 35	1776	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1776	WMIC.exe
Token: SeSecurityPrivilege	1776	WMIC.exe
Token: SeTakeOwnershipPrivilege	1776	WMIC.exe
Token: SeLoadDriverPrivilege	1776	WMIC.exe
Token: SeSystemProfilePrivilege	1776	WMIC.exe
Token: SeSystemtimePrivilege	1776	WMIC.exe
Token: SeProfSingleProcessPrivilege	1776	WMIC.exe
Token: SeIncBasePriorityPrivilege	1776	WMIC.exe
Token: SeCreatePagefilePrivilege	1776	WMIC.exe
Token: SeBackupPrivilege	1776	WMIC.exe
Token: SeRestorePrivilege	1776	WMIC.exe
Token: SeShutdownPrivilege	1776	WMIC.exe
Token: SeDebugPrivilege	1776	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1776	WMIC.exe
Token: SeRemoteShutdownPrivilege	1776	WMIC.exe
Token: SeUndockPrivilege	1776	WMIC.exe
Token: SeManageVolumePrivilege	1776	WMIC.exe
Token: 33	1776	WMIC.exe
Token: 34	1776	WMIC.exe
Token: 35	1776	WMIC.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

sample.exesample.execmd.exesample.exe

description	pid	process	target process
PID 484 wrote to memory of 1568	484	sample.exe	sample.exe
PID 484 wrote to memory of 1568	484	sample.exe	sample.exe
PID 484 wrote to memory of 1568	484	sample.exe	sample.exe
PID 484 wrote to memory of 1568	484	sample.exe	sample.exe
PID 484 wrote to memory of 1568	484	sample.exe	sample.exe
PID 484 wrote to memory of 1568	484	sample.exe	sample.exe
PID 484 wrote to memory of 1568	484	sample.exe	sample.exe
PID 484 wrote to memory of 1568	484	sample.exe	sample.exe
PID 1568 wrote to memory of 1428	1568	sample.exe	cmd.exe
PID 1568 wrote to memory of 1428	1568	sample.exe	cmd.exe
PID 1568 wrote to memory of 1428	1568	sample.exe	cmd.exe
PID 1568 wrote to memory of 1428	1568	sample.exe	cmd.exe
PID 1428 wrote to memory of 1652	1428	cmd.exe	vssadmin.exe
PID 1428 wrote to memory of 1652	1428	cmd.exe	vssadmin.exe
PID 1428 wrote to memory of 1652	1428	cmd.exe	vssadmin.exe
PID 1428 wrote to memory of 1224	1428	cmd.exe	wbadmin.exe
PID 1428 wrote to memory of 1224	1428	cmd.exe	wbadmin.exe
PID 1428 wrote to memory of 1224	1428	cmd.exe	wbadmin.exe
PID 1428 wrote to memory of 1776	1428	cmd.exe	WMIC.exe
PID 1428 wrote to memory of 1776	1428	cmd.exe	WMIC.exe
PID 1428 wrote to memory of 1776	1428	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 1700	1532	sample.exe	sample.exe
PID 1532 wrote to memory of 1700	1532	sample.exe	sample.exe
PID 1532 wrote to memory of 1700	1532	sample.exe	sample.exe
PID 1532 wrote to memory of 1700	1532	sample.exe	sample.exe
PID 1532 wrote to memory of 1700	1532	sample.exe	sample.exe
PID 1532 wrote to memory of 1700	1532	sample.exe	sample.exe
PID 1532 wrote to memory of 1700	1532	sample.exe	sample.exe
PID 1532 wrote to memory of 1700	1532	sample.exe	sample.exe

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:484

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
2⤵
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1568

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe" n1568
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1532

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe" n1568
4⤵
PID:1700

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1652

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:1224

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1736

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

3

T1107

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\845939759
MD5
39fde6d7b2a5dd3b55c2504bf80eaa1f

SHA1
9bf70a8887e5f405026c0a64ac1465b5d66dbaf0

SHA256
7378922ccafe6f374522963c64d851167a7e810a135f0d5d374e5b3583055154

SHA512
05978ffd5e1879e5cdfb5a93661a617a6ff74f7873249520699e3a68f2a813e38865b32cdd61f8a435165b739b95d63e7502b4b223e77e97a40a62a50ec3d270

Download Submit
C:\Users\Admin\AppData\Roaming\845939759
MD5
436bc2a3e292a384e32f4b54a14413f7

SHA1
38b402d9bdab92bccbc175a02b8306fb7d1fdd97

SHA256
94c371e2963abb1cfe21de58c882712b350613387b381639b3352a0f1216d4c9

SHA512
aeb281ae34d6e0b9d0f0b50a7370b92969579106c7f3246bd2a332ea1ab74bb05b5798ef3bd45b98b1558bf5da0d7505fec2e7e40bf379caf3f17798de297753

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\dsffffffdd.lnk
MD5
dddd61b91f2edea4cc818a41b665c7eb

SHA1
53ec4124ff31666ddde16743856f9d2ed640d616

SHA256
19097cb44a292ddf757d6a11aff9acd49401086aab8beced47909ba968ab47e1

SHA512
7c8528c687989d35a61ad836df4ba22030421c0a681d489ac57063eb23e272f013aa5062dcfe70370841e121b744b1b9d459ab79a00925a315ee4b57714998f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\dsffffffdd.lnk
MD5
8784e719f25d687af32360c89b87bbb3

SHA1
f65be84be7786ca34f20709791e9ec1e05549060

SHA256
677be18139a4ef1de574afa712735a58329a5dcf768dc4dd6c9f8b46b04b81c3

SHA512
48e7b42f4f164cdeade6c8d11ec3b9612eb118e9eb1d04bc8ffbaeb6b0a843acd6a69db67e3141e95ac1bd7a3718790e2fb364993a26ec4e9ea1a71f24c1c1b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\qasdadsdsd.lnk
MD5
a74d749e0e9961d702dec23afd3f7d1a

SHA1
5ea45c208ec7c382deef07a74e9f564190630bba

SHA256
a2f64cbc37acac83912a0896745088d70a25658a7f178d2f4e96647f1df36cde

SHA512
11dfa5d4ccd21853b9b3daecd608601c5182f994931c773d786c2e17f6381f15e94b618045e6c8ddf10ee9cf9433db3387bab9de011f6ccf4f0867400da30a71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\qasdadsdsd.lnk
MD5
bd748c580a776de0f29af50fb9cac9ac

SHA1
9dcb94ad0cb7a2fbae57709db9946ac043de8d05

SHA256
36861e2a966db3581940acfd197597fb6297c929a1876914f4535bf849762a9b

SHA512
72f0bab43ca3db63654276438b070ffd991b29c1ea6a8c0044e6220c16a66a7eadbaebe9b0047c72c453b9a8a2ed80dc7cf22eaad62c2d0463a0f2e0fc8e4206

Download Submit
\Users\Admin\AppData\Local\Temp\nss52B3.tmp\System.dll
MD5
0063d48afe5a0cdc02833145667b6641

SHA1
e7eb614805d183ecb1127c62decb1a6be1b4f7a8

SHA256
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

SHA512
71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Download Submit
\Users\Admin\AppData\Local\Temp\nss7E93.tmp\System.dll
MD5
0063d48afe5a0cdc02833145667b6641

SHA1
e7eb614805d183ecb1127c62decb1a6be1b4f7a8

SHA256
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

SHA512
71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Download Submit
memory/484-59-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download
memory/1224-71-0x0000000000000000-mapping.dmp

Download
memory/1224-72-0x000007FEFB761000-0x000007FEFB763000-memory.dmp

Filesize
8KB

Download
memory/1428-64-0x0000000000000000-mapping.dmp

Download
memory/1568-65-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1568-61-0x0000000000405680-mapping.dmp

Download
memory/1652-69-0x0000000000000000-mapping.dmp

Download
memory/1700-74-0x0000000000405680-mapping.dmp

Download
memory/1776-73-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads