Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
27/04/2022, 09:30
Static task
static1
Behavioral task
behavioral1
Sample
1.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
1.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral3
Sample
2.exe
Resource
win7-20220414-en
Behavioral task
behavioral4
Sample
2.exe
Resource
win10v2004-20220414-en
General
-
Target
2.exe
-
Size
1.0MB
-
MD5
2d2f9219f2ae72a45a9f78f343622a2d
-
SHA1
5999180e2e40457a3c9ad375c870449710f00c61
-
SHA256
fde431d08dd6bc86638d72f8fe39f0562202f1183e23fd3ba42661913b337322
-
SHA512
9e8b0af7779e0a2b8b64ceb8b3df5495c79fee07c1e3224f8d400e024e4726a1b6881ce882529c23437f8cd7bb51254a9b11b22bc5f7d86f85e19039261fa46b
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\3710417419\readme-warning.txt
makop
Signatures
-
Makop
Ransomware family discovered by @VK_Intel in early 2020.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 4892 created 1516 4892 svchost.exe 82 -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
pid Process 2068 wbadmin.exe -
Loads dropped DLL 2 IoCs
pid Process 1252 2.exe 3392 2.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1252 set thread context of 1516 1252 2.exe 82 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\ffjcext.zip 2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ul-oob.xrm-ms 2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms 2.exe File created C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\readme-warning.txt 2.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo 2.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\vlc.mo 2.exe File opened for modification C:\Program Files\7-Zip\Lang\en.ttt 2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\java.security 2.exe File opened for modification C:\Program Files\Microsoft Office\root\rsod\osm.x-none.msi.16.x-none.boot.tree.dat 2.exe File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\readme-warning.txt 2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf_3.4.0.v20140827-1444.jar 2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-execution.xml 2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ppd.xrm-ms 2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ppd.xrm-ms 2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms 2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ul-oob.xrm-ms 2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile_large.png 2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf 2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_zh_CN.jar 2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms 2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\index.win32.bundle 2.exe File opened for modification C:\Program Files\Microsoft Office\root\vreg\proof.fr-fr.msi.16.fr-fr.vreg.dat 2.exe File opened for modification C:\Program Files\VideoLAN\VLC\New_Skins.url 2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\java.policy 2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-ms 2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\jawt.lib 2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\DRUMROLL.WAV 2.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATERMAR\PREVIEW.GIF 2.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\vlc.mo 2.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui 2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ul-oob.xrm-ms 2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-phn.xrm-ms 2.exe File created C:\Program Files\Microsoft Office\root\Office16\sdxs\readme-warning.txt 2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml 2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-pl.xrm-ms 2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-100.png 2.exe File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\readme-warning.txt 2.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\as90.xsl 2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net_1.2.200.v20140124-2013.jar 2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer_3.2.200.v20140827-1444.jar 2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-pl.xrm-ms 2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-oob.xrm-ms 2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\bundles.info 2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\eclipse.inf 2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml 2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ppd.xrm-ms 2.exe File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\ApothecaryResume.dotx 2.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\PREVIEW.GIF 2.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\dailymotion.luac 2.exe File opened for modification C:\Program Files\Common Files\System\ado\adojavas.inc 2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.ui_5.5.0.165303.jar 2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ppd.xrm-ms 2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ul-oob.xrm-ms 2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-80.png 2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_sv.properties 2.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\readme-warning.txt 2.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\THMBNAIL.PNG 2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml 2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application_5.5.0.165303.jar 2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar 2.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Median.xml 2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ul-oob.xrm-ms 2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-pl.xrm-ms 2.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\ECLIPSE.INF 2.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
pid pid_target Process procid_target 4540 1252 WerFault.exe 80 4624 3392 WerFault.exe 86 -
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 vds.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 4524 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1516 2.exe 1516 2.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1252 2.exe -
Suspicious use of AdjustPrivilegeToken 50 IoCs
description pid Process Token: SeTcbPrivilege 4892 svchost.exe Token: SeTcbPrivilege 4892 svchost.exe Token: SeBackupPrivilege 4416 vssvc.exe Token: SeRestorePrivilege 4416 vssvc.exe Token: SeAuditPrivilege 4416 vssvc.exe Token: SeBackupPrivilege 4104 wbengine.exe Token: SeRestorePrivilege 4104 wbengine.exe Token: SeSecurityPrivilege 4104 wbengine.exe Token: SeIncreaseQuotaPrivilege 1968 WMIC.exe Token: SeSecurityPrivilege 1968 WMIC.exe Token: SeTakeOwnershipPrivilege 1968 WMIC.exe Token: SeLoadDriverPrivilege 1968 WMIC.exe Token: SeSystemProfilePrivilege 1968 WMIC.exe Token: SeSystemtimePrivilege 1968 WMIC.exe Token: SeProfSingleProcessPrivilege 1968 WMIC.exe Token: SeIncBasePriorityPrivilege 1968 WMIC.exe Token: SeCreatePagefilePrivilege 1968 WMIC.exe Token: SeBackupPrivilege 1968 WMIC.exe Token: SeRestorePrivilege 1968 WMIC.exe Token: SeShutdownPrivilege 1968 WMIC.exe Token: SeDebugPrivilege 1968 WMIC.exe Token: SeSystemEnvironmentPrivilege 1968 WMIC.exe Token: SeRemoteShutdownPrivilege 1968 WMIC.exe Token: SeUndockPrivilege 1968 WMIC.exe Token: SeManageVolumePrivilege 1968 WMIC.exe Token: 33 1968 WMIC.exe Token: 34 1968 WMIC.exe Token: 35 1968 WMIC.exe Token: 36 1968 WMIC.exe Token: SeIncreaseQuotaPrivilege 1968 WMIC.exe Token: SeSecurityPrivilege 1968 WMIC.exe Token: SeTakeOwnershipPrivilege 1968 WMIC.exe Token: SeLoadDriverPrivilege 1968 WMIC.exe Token: SeSystemProfilePrivilege 1968 WMIC.exe Token: SeSystemtimePrivilege 1968 WMIC.exe Token: SeProfSingleProcessPrivilege 1968 WMIC.exe Token: SeIncBasePriorityPrivilege 1968 WMIC.exe Token: SeCreatePagefilePrivilege 1968 WMIC.exe Token: SeBackupPrivilege 1968 WMIC.exe Token: SeRestorePrivilege 1968 WMIC.exe Token: SeShutdownPrivilege 1968 WMIC.exe Token: SeDebugPrivilege 1968 WMIC.exe Token: SeSystemEnvironmentPrivilege 1968 WMIC.exe Token: SeRemoteShutdownPrivilege 1968 WMIC.exe Token: SeUndockPrivilege 1968 WMIC.exe Token: SeManageVolumePrivilege 1968 WMIC.exe Token: 33 1968 WMIC.exe Token: 34 1968 WMIC.exe Token: 35 1968 WMIC.exe Token: 36 1968 WMIC.exe -
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 1252 wrote to memory of 1516 1252 2.exe 82 PID 1252 wrote to memory of 1516 1252 2.exe 82 PID 1252 wrote to memory of 1516 1252 2.exe 82 PID 1252 wrote to memory of 1516 1252 2.exe 82 PID 1252 wrote to memory of 1516 1252 2.exe 82 PID 1252 wrote to memory of 1516 1252 2.exe 82 PID 1252 wrote to memory of 1516 1252 2.exe 82 PID 1252 wrote to memory of 1516 1252 2.exe 82 PID 1252 wrote to memory of 1516 1252 2.exe 82 PID 1252 wrote to memory of 1516 1252 2.exe 82 PID 4892 wrote to memory of 3392 4892 svchost.exe 86 PID 4892 wrote to memory of 3392 4892 svchost.exe 86 PID 4892 wrote to memory of 3392 4892 svchost.exe 86 PID 4892 wrote to memory of 3392 4892 svchost.exe 86 PID 4892 wrote to memory of 3392 4892 svchost.exe 86 PID 4892 wrote to memory of 3392 4892 svchost.exe 86 PID 4892 wrote to memory of 3392 4892 svchost.exe 86 PID 1516 wrote to memory of 2528 1516 2.exe 87 PID 1516 wrote to memory of 2528 1516 2.exe 87 PID 2528 wrote to memory of 4524 2528 cmd.exe 90 PID 2528 wrote to memory of 4524 2528 cmd.exe 90 PID 2528 wrote to memory of 2068 2528 cmd.exe 96 PID 2528 wrote to memory of 2068 2528 cmd.exe 96 PID 2528 wrote to memory of 1968 2528 cmd.exe 100 PID 2528 wrote to memory of 1968 2528 cmd.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Users\Admin\AppData\Local\Temp\2.exeﮅ2⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe" n15163⤵
- Loads dropped DLL
PID:3392 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 8044⤵
- Program crash
PID:4624
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:4524
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
PID:2068
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1968
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 9002⤵
- Program crash
PID:4540
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4892
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1252 -ip 12521⤵PID:2288
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4416
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4104
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:1848
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:3980
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3392 -ip 33921⤵PID:3832
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
472.2MB
MD55f2c767203bd172e355f0195ef7f5ef0
SHA155018371445e3b365c6788abd0e1fe31240d6b32
SHA256e73353d489a0bb4fcf2973171228b9e63668a4282428ddd447f9aff9971e66b6
SHA512adfbe094162eaf5eb38ea6f15bea714c71fc1f919cfcfcf72899f77b129ded99c601a9d35a1dadb318419308a930ac34ea32238437fab9b38a20397f62d815d9
-
Filesize
12KB
MD5cff85c549d536f651d4fb8387f1976f2
SHA1d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA2568dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88
-
Filesize
12KB
MD5cff85c549d536f651d4fb8387f1976f2
SHA1d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA2568dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88