Overview

Tasks (score shown per task)
Task | Platform | Score
Static | - | 10
BS.exe | windows7_x64 | 10
BS.exe | windows10_x64 | 10
BuildS.exe | windows7_x64 | 10
BuildS.exe | windows10_x64 | 10
READS.exe | windows7_x64 | 10
READS.exe | windows10_x64 | 10
baseus_nowin.exe | windows7_x64 | 10
baseus_nowin.exe | windows10_x64 | 10
rbs.exe | windows7_x64 | 10
rbs.exe | windows10_x64 | 10
scan.exe | windows7_x64 | 10
scan.exe | windows10_x64 | 1
Analysis

max time kernel | 151s
max time network | 164s
platform | windows7_x64
resource | win7-en-20210920
submitted | 20-10-2021 09:41
Task | Sample | Resource
static1 (Static task) | - | -
behavioral1 | BS.exe | win7-en-20210920
behavioral2 | BS.exe | win10-en-20211014
behavioral3 | BuildS.exe | win7-en-20210920
behavioral4 | BuildS.exe | win10-en-20211014
behavioral5 | READS.exe | win7-en-20210920
behavioral6 | READS.exe | win10-en-20211014
behavioral7 | baseus_nowin.exe | win7-en-20210920
behavioral8 | baseus_nowin.exe | win10-en-20210920
behavioral9 | rbs.exe | win7-en-20211014
behavioral10 | rbs.exe | win10-en-20210920
behavioral11 | scan.exe | win7-en-20211014
behavioral12 | scan.exe | win10-en-20210920
General

Target | baseus_nowin.exe
Size | 40KB
MD5 | ac64fa0e284f8717e24179768dedfa24
SHA1 | fe8da0dcb6ab930841a85d17fba208cab1bb39a5
SHA256 | 98a668b3db762b0f9bd29a3d35d2f8b55b9922a4f968c1bcf0ef04e2c411f53f
SHA512 | b0d1049b85582c4f4503b76133b3cc6549e823a7af474281ad5772a3b0f8081713e7a7574929ca8876c48c0545a75285a82d4a3db11a5a491da3da3987f39ae3
Malware Config

Extracted from | C:\Users\Admin\AppData\Local\Temp\040745947\readme-warning.txt
Family | makop
Emails | baseus0906@goat.si, pecunia0318@tutanota.com, pecunia0318@goat.si
Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Processes:
pid | process
1328 | wbadmin.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Drops file in Program Files directory (64 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-api-caching.jar | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Metro.eftx | baseus_nowin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\CANYON.INF | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00084_.WMF | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Premium.css | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR15F.GIF | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\settings.html | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\gadget.xml | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00705_.WMF | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099165.JPG | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18211_.WMF | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKREQS.ICO | baseus_nowin.exe
File opened for modification | C:\Program Files\7-Zip\Lang\mng2.txt | baseus_nowin.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_dot.png | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf.[FF5A5F9B].[baseus0906@goat.si].baseus | baseus_nowin.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\readme-warning.txt | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\ja-JP\MpEvMsg.dll.mui | baseus_nowin.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\RSSFeeds.css | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf.[FF5A5F9B].[baseus0906@goat.si].baseus | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382938.JPG | baseus_nowin.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\readme-warning.txt | baseus_nowin.exe
File created | C:\Program Files\VideoLAN\VLC\lua\extensions\readme-warning.txt | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145272.JPG | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02405_.WMF | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00478_.WMF | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR33F.GIF | baseus_nowin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Sofia | baseus_nowin.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Guam | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101866.BMP | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00487_.WMF | baseus_nowin.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml | baseus_nowin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.properties | baseus_nowin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_zh_4.4.0.v20140623020002.jar | baseus_nowin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs_zh_CN.jar | baseus_nowin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\jfluid-server_zh_CN.jar | baseus_nowin.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\OrangeCircles.jpg | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00238_.WMF | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME23.CSS | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145810.JPG | baseus_nowin.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png | baseus_nowin.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\1047x576black.png | baseus_nowin.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\readme-warning.txt | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152594.WMF | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0295069.WMF | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\TAB_OFF.GIF | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\corner.png | baseus_nowin.exe
File opened for modification | C:\Program Files\7-Zip\Lang\pt.txt | baseus_nowin.exe
File created | C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\readme-warning.txt | baseus_nowin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+9 | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT.[FF5A5F9B].[baseus0906@goat.si].baseus | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\SPRING.INF | baseus_nowin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiling.xml | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\MUSIC_01.MID | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01330_.GIF | baseus_nowin.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tipresx.dll.mui | baseus_nowin.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png | baseus_nowin.exe
File opened for modification | C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01069_.WMF | baseus_nowin.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME04.CSS | baseus_nowin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.password.template | baseus_nowin.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvmstat.xml | baseus_nowin.exe
Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
564 | vssadmin.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
pid | process
1456 | baseus_nowin.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes: vssvc.exe, wbengine.exe, WMIC.exe
description | pid | process
Token: SeBackupPrivilege | 1104 | vssvc.exe
Token: SeRestorePrivilege | 1104 | vssvc.exe
Token: SeAuditPrivilege | 1104 | vssvc.exe
Token: SeBackupPrivilege | 1632 | wbengine.exe
Token: SeRestorePrivilege | 1632 | wbengine.exe
Token: SeSecurityPrivilege | 1632 | wbengine.exe
Token: SeIncreaseQuotaPrivilege | 1144 | WMIC.exe
Token: SeSecurityPrivilege | 1144 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1144 | WMIC.exe
Token: SeLoadDriverPrivilege | 1144 | WMIC.exe
Token: SeSystemProfilePrivilege | 1144 | WMIC.exe
Token: SeSystemtimePrivilege | 1144 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1144 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1144 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1144 | WMIC.exe
Token: SeBackupPrivilege | 1144 | WMIC.exe
Token: SeRestorePrivilege | 1144 | WMIC.exe
Token: SeShutdownPrivilege | 1144 | WMIC.exe
Token: SeDebugPrivilege | 1144 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1144 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1144 | WMIC.exe
Token: SeUndockPrivilege | 1144 | WMIC.exe
Token: SeManageVolumePrivilege | 1144 | WMIC.exe
Token: 33 | 1144 | WMIC.exe
Token: 34 | 1144 | WMIC.exe
Token: 35 | 1144 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 1144 | WMIC.exe
Token: SeSecurityPrivilege | 1144 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1144 | WMIC.exe
Token: SeLoadDriverPrivilege | 1144 | WMIC.exe
Token: SeSystemProfilePrivilege | 1144 | WMIC.exe
Token: SeSystemtimePrivilege | 1144 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1144 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1144 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1144 | WMIC.exe
Token: SeBackupPrivilege | 1144 | WMIC.exe
Token: SeRestorePrivilege | 1144 | WMIC.exe
Token: SeShutdownPrivilege | 1144 | WMIC.exe
Token: SeDebugPrivilege | 1144 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1144 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1144 | WMIC.exe
Token: SeUndockPrivilege | 1144 | WMIC.exe
Token: SeManageVolumePrivilege | 1144 | WMIC.exe
Token: 33 | 1144 | WMIC.exe
Token: 34 | 1144 | WMIC.exe
Token: 35 | 1144 | WMIC.exe
Suspicious use of WriteProcessMemory (13 IoCs)
Processes: baseus_nowin.exe, cmd.exe
description | pid | process | target process
PID 1456 wrote to memory of 1668 | 1456 | baseus_nowin.exe | cmd.exe
PID 1456 wrote to memory of 1668 | 1456 | baseus_nowin.exe | cmd.exe
PID 1456 wrote to memory of 1668 | 1456 | baseus_nowin.exe | cmd.exe
PID 1456 wrote to memory of 1668 | 1456 | baseus_nowin.exe | cmd.exe
PID 1668 wrote to memory of 564 | 1668 | cmd.exe | vssadmin.exe
PID 1668 wrote to memory of 564 | 1668 | cmd.exe | vssadmin.exe
PID 1668 wrote to memory of 564 | 1668 | cmd.exe | vssadmin.exe
PID 1668 wrote to memory of 1328 | 1668 | cmd.exe | wbadmin.exe
PID 1668 wrote to memory of 1328 | 1668 | cmd.exe | wbadmin.exe
PID 1668 wrote to memory of 1328 | 1668 | cmd.exe | wbadmin.exe
PID 1668 wrote to memory of 1144 | 1668 | cmd.exe | WMIC.exe
PID 1668 wrote to memory of 1144 | 1668 | cmd.exe | WMIC.exe
PID 1668 wrote to memory of 1144 | 1668 | cmd.exe | WMIC.exe
Processes (process tree; depth 1 = top-level process, deeper entries are children of the entry above them)

[depth 1] C:\Users\Admin\AppData\Local\Temp\baseus_nowin.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\baseus_nowin.exe"
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [depth 2] C:\Users\Admin\AppData\Local\Temp\baseus_nowin.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\baseus_nowin.exe" n1456
    [depth 2] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe"
        - Suspicious use of WriteProcessMemory
        [depth 3] C:\Windows\system32\vssadmin.exe
            Command line: vssadmin delete shadows /all /quiet
            - Interacts with shadow copies
        [depth 3] C:\Windows\system32\wbadmin.exe
            Command line: wbadmin delete catalog -quiet
            - Deletes backup catalog
        [depth 3] C:\Windows\System32\Wbem\WMIC.exe
            Command line: wmic shadowcopy delete
            - Suspicious use of AdjustPrivilegeToken

[depth 1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

[depth 1] C:\Windows\system32\wbengine.exe
    Command line: "C:\Windows\system32\wbengine.exe"
    - Suspicious use of AdjustPrivilegeToken

[depth 1] C:\Windows\System32\vdsldr.exe
    Command line: C:\Windows\System32\vdsldr.exe -Embedding

[depth 1] C:\Windows\System32\vds.exe
    Command line: C:\Windows\System32\vds.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- memory/564-57-0x0000000000000000-mapping.dmp
- memory/1144-60-0x0000000000000000-mapping.dmp
- memory/1328-58-0x0000000000000000-mapping.dmp
- memory/1328-59-0x000007FEFC271000-0x000007FEFC273000-memory.dmp (Filesize 8KB)
- memory/1456-54-0x0000000075651000-0x0000000075653000-memory.dmp (Filesize 8KB)
- memory/1668-56-0x0000000000000000-mapping.dmp