General

  • Target

    c540c9b5b467d575f46433b78237f6e1

  • Size

    109KB

  • Sample

    211226-frz5xsbbg9

  • MD5

    c540c9b5b467d575f46433b78237f6e1

  • SHA1

    93dd622dc1268f598a47fe7c75efbce355097b98

  • SHA256

    5f5d1f324ed8dc18d76f200a176d40ab2ae48e336f33c2f7b5d047d682f3260a

  • SHA512

    29776896e4e5eef318389c3b618afe1a1ccb83e4eb41c42bcb108576a50953d760696bcf7531331678e00284a2d0320dba553070a2e0cc3bd7896802e82c9190

Malware Config

Extracted

Path

C:\Windows\tasks\readme-warning.txt

Ransom Note

All of your files have been encrypted. Your backup files as well. We have exfiltrated tons of your private data to our servers including data of your clients, dont believe us ? Read on. In order to restore your operations, avoid leaking/selling your data, and keep your business reputation intact, contact us directly on the below TOX ID as soon as possible.

1) TOX Download: https://tox.chat/
2) TOX ID: 5D935FD670BAEF3EA1938D60B91709D421DE8E21381267A77E16ED0D5FB4E36334304E35A472
3) Install TOX and add the TOX ID in the step 2
4) Share your personal ID over TOX chat (Do not send hello without your personal ID provided below)

Upon contacting us, proof will be provided that we can decrypt your data, and samples of exfiltrated confidential information will also be provided. Although its not our intention , if you do not cooperate , we will not hesitate to make your data public including any confidential data , sell to your competitors/bidders , or send your clients their data just to make you look really bad and lose your clients trust , or even worse , being prosecuted for not telling your affected clients that their data has been compromised. Talking to law enforcement will only ensure that you don't get a decryption key and put your business reputation on the line.

Attention!
- Do not rename encrypted files.
- Do not try to decrypt your data using third party software, it may cause permanent data loss.

Your personal ID: 6A239AB5
URLs

https://tox.chat/

Targets

    • MAKOP ransomware payload

    • Makop

      Ransomware family discovered by @VK_Intel in early 2020.

    • Modifies Windows Defender Real-time Protection settings

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
