Analysis

  • max time kernel
    4294180s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    23-03-2022 02:37

General

  • Target

    이력서.xll

  • Size

    667KB

  • MD5

    c181e7eaacbcfe010375a857460a76c6

  • SHA1

    eccc90dfd24abcebc0d20b733e4ec0c713be3763

  • SHA256

    549cf5de7d7221009f46b148b59dc529de794d2dfd70b81ef3717c25a3de5360

  • SHA512

    1d007f214e3b6644492e1dbfc87df331d62df74c45b168875a6da5a5730c694c1407b8bdf65a6a06ee729db996141acb02977c5e5c1eaebe6815385f2ace9f2a

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\687173798\readme-warning.txt

Family

makop

Ransom Note
::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "snick" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: [email protected] or [email protected] .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don't want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Signatures

  • Makop

    Ransomware family discovered by @VK_Intel in early 2020.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 6 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\이력서.xll
    1⤵
    • Loads dropped DLL
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Users\Admin\AppData\Local\Temp\ssee.exe
      "C:\Users\Admin\AppData\Local\Temp\ssee.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1316
      • C:\Users\Admin\AppData\Local\Temp\ssee.exe
        "{path}"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: RenamesItself
        • Suspicious use of WriteProcessMemory
        PID:1560
        • C:\Users\Admin\AppData\Local\Temp\ssee.exe
          "C:\Users\Admin\AppData\Local\Temp\ssee.exe" n1560
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1080
          • C:\Users\Admin\AppData\Local\Temp\ssee.exe
            "{path}"
            5⤵
            • Executes dropped EXE
            PID:1824
          • C:\Users\Admin\AppData\Local\Temp\ssee.exe
            "{path}"
            5⤵
            • Executes dropped EXE
            PID:1412
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:708
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:2020
          • C:\Windows\system32\wbadmin.exe
            wbadmin delete catalog -quiet
            5⤵
            • Deletes backup catalog
            PID:880
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic shadowcopy delete
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1640
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1500
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:560
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:900
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
      PID:1720

Network

MITRE ATT&CK Enterprise v6


Downloads
