makop | 08810549d87143439b0293f5772766cacaeebf217d692ddfb776f916f8b582fd

General

Target

4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
Size

42KB
MD5

d29a5ac669fd239a2df8a7ba6bad4b75
SHA1

b18e00d53474c95fa0720b1720557e4d9a09f161
SHA256

4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512
SHA512

c1e104375d445d7431fd68d0cb6731e459aa0be5b8495bcdca147d0052aa18e4a1f0817d54e2b72489cc9668772c36d6243f716cf542d48a3514f4fb3060a7b6

Score

10^/10

makop ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\675896595\readme-warning.txt

Family

makop

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "makop" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: makopransom@outlook.com .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Emails

makopransom@outlook.com

Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.
ransomware makop
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

976 wbadmin.exe

pid	process
976	wbadmin.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\MountNew.tiff	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 64 IoCs

Processes:

4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0196400.WMF	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART10.BDR	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\ModifiedTelespace.ico	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_zh_4.4.0.v20140623020002.jar	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\library.js	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107262.WMF	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\RICEPAPR.ELM	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\triangle.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\imap.jar	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.continuation_8.1.14.v20131031.jar	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\sRGB.pf	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Maputo	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0237759.WMF	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\MedianMergeLetter.Dotx	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application.xml	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285792.WMF	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341534.JPG	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+4	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.dom.events_3.0.0.draft20060413_v201105210656.jar	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiler.jar	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02470U.BMP	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15073_.GIF	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplateRTL.html	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_over.png	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_zh_CN.jar	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\vlc.mo	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\eBook.api	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151067.WMF	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\rtf_spellcheck.gif	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FORM.JS	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\OFFISUPP.HTM	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rarrow.gif	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Windhoek	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105246.WMF	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143750.GIF	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\currency.js	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\readme-warning.txt	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_performance_Thumbnail.bmp	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\GRAY.pf	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-2	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Singapore	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\VeriSign_Class_3_Code_Signing_2001-4_CA.cer	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Messenger.xml	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher_1.3.0.v20140911-0143.jar	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\setup_wm.exe.mui	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00142_.GIF	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105504.WMF	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\readme-warning.txt	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Sts.css	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\MANIFEST.MF	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Angles.eftx	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_decreaseindent.gif	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178348.JPG	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0251925.WMF	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\readme-warning.txt	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryNewsletter.dotx	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\tipresx.dll.mui	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\readme-warning.txt	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-snaptracer.jar	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1136 vssadmin.exe

pid	process
1136	vssadmin.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe

pid process

1836 4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe

pid	process
1836	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

vssvc.exewbengine.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	1164	vssvc.exe
Token: SeRestorePrivilege	1164	vssvc.exe
Token: SeAuditPrivilege	1164	vssvc.exe
Token: SeBackupPrivilege	1744	wbengine.exe
Token: SeRestorePrivilege	1744	wbengine.exe
Token: SeSecurityPrivilege	1744	wbengine.exe
Token: SeIncreaseQuotaPrivilege	1628	WMIC.exe
Token: SeSecurityPrivilege	1628	WMIC.exe
Token: SeTakeOwnershipPrivilege	1628	WMIC.exe
Token: SeLoadDriverPrivilege	1628	WMIC.exe
Token: SeSystemProfilePrivilege	1628	WMIC.exe
Token: SeSystemtimePrivilege	1628	WMIC.exe
Token: SeProfSingleProcessPrivilege	1628	WMIC.exe
Token: SeIncBasePriorityPrivilege	1628	WMIC.exe
Token: SeCreatePagefilePrivilege	1628	WMIC.exe
Token: SeBackupPrivilege	1628	WMIC.exe
Token: SeRestorePrivilege	1628	WMIC.exe
Token: SeShutdownPrivilege	1628	WMIC.exe
Token: SeDebugPrivilege	1628	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1628	WMIC.exe
Token: SeRemoteShutdownPrivilege	1628	WMIC.exe
Token: SeUndockPrivilege	1628	WMIC.exe
Token: SeManageVolumePrivilege	1628	WMIC.exe
Token: 33	1628	WMIC.exe
Token: 34	1628	WMIC.exe
Token: 35	1628	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1628	WMIC.exe
Token: SeSecurityPrivilege	1628	WMIC.exe
Token: SeTakeOwnershipPrivilege	1628	WMIC.exe
Token: SeLoadDriverPrivilege	1628	WMIC.exe
Token: SeSystemProfilePrivilege	1628	WMIC.exe
Token: SeSystemtimePrivilege	1628	WMIC.exe
Token: SeProfSingleProcessPrivilege	1628	WMIC.exe
Token: SeIncBasePriorityPrivilege	1628	WMIC.exe
Token: SeCreatePagefilePrivilege	1628	WMIC.exe
Token: SeBackupPrivilege	1628	WMIC.exe
Token: SeRestorePrivilege	1628	WMIC.exe
Token: SeShutdownPrivilege	1628	WMIC.exe
Token: SeDebugPrivilege	1628	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1628	WMIC.exe
Token: SeRemoteShutdownPrivilege	1628	WMIC.exe
Token: SeUndockPrivilege	1628	WMIC.exe
Token: SeManageVolumePrivilege	1628	WMIC.exe
Token: 33	1628	WMIC.exe
Token: 34	1628	WMIC.exe
Token: 35	1628	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe

pid process

1836 4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe

pid	process
1836	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.execmd.exe

description	pid	process	target process
PID 1836 wrote to memory of 1572	1836	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe	cmd.exe
PID 1836 wrote to memory of 1572	1836	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe	cmd.exe
PID 1836 wrote to memory of 1572	1836	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe	cmd.exe
PID 1836 wrote to memory of 1572	1836	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe	cmd.exe
PID 1572 wrote to memory of 1136	1572	cmd.exe	vssadmin.exe
PID 1572 wrote to memory of 1136	1572	cmd.exe	vssadmin.exe
PID 1572 wrote to memory of 1136	1572	cmd.exe	vssadmin.exe
PID 1572 wrote to memory of 976	1572	cmd.exe	wbadmin.exe
PID 1572 wrote to memory of 976	1572	cmd.exe	wbadmin.exe
PID 1572 wrote to memory of 976	1572	cmd.exe	wbadmin.exe
PID 1572 wrote to memory of 1628	1572	cmd.exe	WMIC.exe
PID 1572 wrote to memory of 1628	1572	cmd.exe	WMIC.exe
PID 1572 wrote to memory of 1628	1572	cmd.exe	WMIC.exe
PID 1836 wrote to memory of 1508	1836	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe	NOTEPAD.EXE
PID 1836 wrote to memory of 1508	1836	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe	NOTEPAD.EXE
PID 1836 wrote to memory of 1508	1836	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe	NOTEPAD.EXE
PID 1836 wrote to memory of 1508	1836	4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe
"C:\Users\Admin\AppData\Local\Temp\4339192e184bea89107928ccd5bcc1f5d4a928922361ab3f999926f74a0f6512.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1136

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:976

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
2⤵
PID:1508

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1092

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

3

T1107

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\readme-warning.txt
MD5
fedc6e4006fbfceb0967ddf88f1ad348

SHA1
4d94294e5c2918e410502ebd6cf71e0b4dbdd6e6

SHA256
f5ffb8388a3b741156957f0b7e45321ed41a847880e44b4a9eac28a60001517a

SHA512
640fbb4be0b2aa88a295980c92f1d802ce4e39fdb40393370b21606c3517620e64ebb62dd5ee2e8c694935d6e89e5224d510752a621a748c654b75f509b93a6a

Download Submit
memory/976-56-0x0000000000000000-mapping.dmp

Download
memory/976-57-0x000007FEFB891000-0x000007FEFB893000-memory.dmp

Filesize
8KB

Download
memory/1136-55-0x0000000000000000-mapping.dmp

Download
memory/1508-59-0x0000000000000000-mapping.dmp

Download
memory/1572-54-0x0000000000000000-mapping.dmp

Download
memory/1628-58-0x0000000000000000-mapping.dmp

Download
memory/1836-53-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads