makop | 08810549d87143439b0293f5772766cacaeebf217d692ddfb776f916f8b582fd

General

Target

4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
Size

42KB
MD5

d29a5ac669fd239a2df8a7ba6bad4b75
SHA1

b18e00d53474c95fa0720b1720557e4d9a09f161
SHA256

4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512
SHA512

c1e104375d445d7431fd68d0cb6731e459aa0be5b8495bcdca147d0052aa18e4a1f0817d54e2b72489cc9668772c36d6243f716cf542d48a3514f4fb3060a7b6

Score

10^/10

makop ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\817767331\readme-warning.txt

Family

makop

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "makop" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: makopransom@outlook.com .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Emails

makopransom@outlook.com

Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.
ransomware makop
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1700 wbadmin.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
1700	wbadmin.exe

Drops file in Program Files directory 64 IoCs

Processes:

4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Paper.eftx	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\setting_back.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\readme-warning.txt	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR14F.GIF	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\POST98SP.POC	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\readme-warning.txt	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099175.WMF	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-first-quarter_partly-cloudy.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Krasnoyarsk	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Star_Half.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00578_.WMF	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0297551.WMF	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME31.CSS	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_windy.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\readme-warning.txt	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\currency.html	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down_BIDI.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00308_.WMF	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0234266.WMF	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18182_.WMF	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryMergeLetter.dotx	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_left.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ashgabat	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187921.WMF	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239973.WMF	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\TAB_OFF.GIF	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-nodes_zh_CN.jar	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL012.XML	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PROGRAM.DPV	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\snmp.acl.template	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\London	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\pkeyconfig-office.xrm-ms	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03453_.WMF	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GRINTL32.DLL.IDX_DLL	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLLIBR.DLL.IDX_DLL	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\vlc.mo	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-gibbous_partly-cloudy.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14691_.GIF	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR19F.GIF	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LABEL.DPV	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Broken_Hill	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\bundles.info	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\picturePuzzle.css	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\STOCKS.DAT	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\PREVIEW.GIF	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01628_.WMF	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGREPFRM.XML	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FEZIP.POC	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\OmdProject.dll.mui	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\mainscroll.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\AST4	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01875_.WMF	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382965.JPG	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00330_.WMF	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-favorites_zh_CN.jar	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiling.xml	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\readme-warning.txt	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.css.sac_1.3.1.v200903091627.jar	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_ja.jar	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_it.properties	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

760 vssadmin.exe

pid	process
760	vssadmin.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe

pid process

2012 4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe

pid	process
2012	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

vssvc.exewbengine.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	1660	vssvc.exe
Token: SeRestorePrivilege	1660	vssvc.exe
Token: SeAuditPrivilege	1660	vssvc.exe
Token: SeBackupPrivilege	1628	wbengine.exe
Token: SeRestorePrivilege	1628	wbengine.exe
Token: SeSecurityPrivilege	1628	wbengine.exe
Token: SeIncreaseQuotaPrivilege	540	WMIC.exe
Token: SeSecurityPrivilege	540	WMIC.exe
Token: SeTakeOwnershipPrivilege	540	WMIC.exe
Token: SeLoadDriverPrivilege	540	WMIC.exe
Token: SeSystemProfilePrivilege	540	WMIC.exe
Token: SeSystemtimePrivilege	540	WMIC.exe
Token: SeProfSingleProcessPrivilege	540	WMIC.exe
Token: SeIncBasePriorityPrivilege	540	WMIC.exe
Token: SeCreatePagefilePrivilege	540	WMIC.exe
Token: SeBackupPrivilege	540	WMIC.exe
Token: SeRestorePrivilege	540	WMIC.exe
Token: SeShutdownPrivilege	540	WMIC.exe
Token: SeDebugPrivilege	540	WMIC.exe
Token: SeSystemEnvironmentPrivilege	540	WMIC.exe
Token: SeRemoteShutdownPrivilege	540	WMIC.exe
Token: SeUndockPrivilege	540	WMIC.exe
Token: SeManageVolumePrivilege	540	WMIC.exe
Token: 33	540	WMIC.exe
Token: 34	540	WMIC.exe
Token: 35	540	WMIC.exe
Token: SeIncreaseQuotaPrivilege	540	WMIC.exe
Token: SeSecurityPrivilege	540	WMIC.exe
Token: SeTakeOwnershipPrivilege	540	WMIC.exe
Token: SeLoadDriverPrivilege	540	WMIC.exe
Token: SeSystemProfilePrivilege	540	WMIC.exe
Token: SeSystemtimePrivilege	540	WMIC.exe
Token: SeProfSingleProcessPrivilege	540	WMIC.exe
Token: SeIncBasePriorityPrivilege	540	WMIC.exe
Token: SeCreatePagefilePrivilege	540	WMIC.exe
Token: SeBackupPrivilege	540	WMIC.exe
Token: SeRestorePrivilege	540	WMIC.exe
Token: SeShutdownPrivilege	540	WMIC.exe
Token: SeDebugPrivilege	540	WMIC.exe
Token: SeSystemEnvironmentPrivilege	540	WMIC.exe
Token: SeRemoteShutdownPrivilege	540	WMIC.exe
Token: SeUndockPrivilege	540	WMIC.exe
Token: SeManageVolumePrivilege	540	WMIC.exe
Token: 33	540	WMIC.exe
Token: 34	540	WMIC.exe
Token: 35	540	WMIC.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.execmd.exe

description	pid	process	target process
PID 2012 wrote to memory of 332	2012	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe	cmd.exe
PID 2012 wrote to memory of 332	2012	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe	cmd.exe
PID 2012 wrote to memory of 332	2012	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe	cmd.exe
PID 2012 wrote to memory of 332	2012	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe	cmd.exe
PID 332 wrote to memory of 760	332	cmd.exe	vssadmin.exe
PID 332 wrote to memory of 760	332	cmd.exe	vssadmin.exe
PID 332 wrote to memory of 760	332	cmd.exe	vssadmin.exe
PID 332 wrote to memory of 1700	332	cmd.exe	wbadmin.exe
PID 332 wrote to memory of 1700	332	cmd.exe	wbadmin.exe
PID 332 wrote to memory of 1700	332	cmd.exe	wbadmin.exe
PID 332 wrote to memory of 540	332	cmd.exe	WMIC.exe
PID 332 wrote to memory of 540	332	cmd.exe	WMIC.exe
PID 332 wrote to memory of 540	332	cmd.exe	WMIC.exe
PID 2012 wrote to memory of 584	2012	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe	NOTEPAD.EXE
PID 2012 wrote to memory of 584	2012	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe	NOTEPAD.EXE
PID 2012 wrote to memory of 584	2012	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe	NOTEPAD.EXE
PID 2012 wrote to memory of 584	2012	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
"C:\Users\Admin\AppData\Local\Temp\4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe"
1⤵
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
"C:\Users\Admin\AppData\Local\Temp\4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe" n2012
2⤵
PID:592

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:760

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:1700

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
2⤵
PID:584

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1976

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

3

T1107

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\readme-warning.txt
MD5
fedc6e4006fbfceb0967ddf88f1ad348

SHA1
4d94294e5c2918e410502ebd6cf71e0b4dbdd6e6

SHA256
f5ffb8388a3b741156957f0b7e45321ed41a847880e44b4a9eac28a60001517a

SHA512
640fbb4be0b2aa88a295980c92f1d802ce4e39fdb40393370b21606c3517620e64ebb62dd5ee2e8c694935d6e89e5224d510752a621a748c654b75f509b93a6a

Download Submit
memory/332-54-0x0000000000000000-mapping.dmp

Download
memory/540-59-0x0000000000000000-mapping.dmp

Download
memory/584-60-0x0000000000000000-mapping.dmp

Download
memory/760-56-0x0000000000000000-mapping.dmp

Download
memory/1700-57-0x0000000000000000-mapping.dmp

Download
memory/1700-58-0x000007FEFB691000-0x000007FEFB693000-memory.dmp

Filesize
8KB

Download
memory/2012-53-0x0000000075FA1000-0x0000000075FA3000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads