Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

HEUR-Troja...39.exe

windows7-x64

10

HEUR-Troja...39.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    110s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/09/2022, 04:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe

  • Size

    1.0MB

  • MD5

    c9b1338dfcaf42a0fa3595306afce4b3

  • SHA1

    c8e04e6df3535099c41c1fc6db737d4613a8b303

  • SHA256

    50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639

  • SHA512

    81955bfbdd0ff52a9413a9860737d80d94e8c7bb182cec1ecb9c59627875cf71a299674dcb1ec549b16e8826d7a4ec4e4b4ba022bf8d456a83dfe3b90843676c

  • SSDEEP

    24576:CIggbZfccl1V2qBVds4Dy2DEHFVBnCZsGUy0:7ggNfV1YqNfDL4HFVtiWV

Score
10/10
makopransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\511771926\readme-warning.txt

Family

makop

Ransom Note
::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "makop" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: [email protected] .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Signatures

  • Makop

    Ransomware family discovered by @VK_Intel in early 2020.

    ransomwaremakop
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 54 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
    "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4244
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5116
    • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
      "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe"
      2⤵
        PID:1596
      • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
        "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe"
        2⤵
          PID:1016
        • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
          "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe"
          2⤵
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4304
          • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
            "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe" n4304
            3⤵
            • Checks computer location settings
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3504
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe"
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4600
            • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
              "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe"
              4⤵
                PID:5048
              • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe
                "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe"
                4⤵
                  PID:1468
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:4036
                • C:\Windows\system32\vssadmin.exe
                  vssadmin delete shadows /all /quiet
                  4⤵
                  • Interacts with shadow copies
                  PID:3064
                • C:\Windows\system32\wbadmin.exe
                  wbadmin delete catalog -quiet
                  4⤵
                  • Deletes backup catalog
                  PID:3280
                • C:\Windows\System32\Wbem\WMIC.exe
                  wmic shadowcopy delete
                  4⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1964
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
            1⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2800
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2332
          • C:\Windows\system32\wbengine.exe
            "C:\Windows\system32\wbengine.exe"
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3388
          • C:\Windows\System32\vdsldr.exe
            C:\Windows\System32\vdsldr.exe -Embedding
            1⤵
              PID:4408
            • C:\Windows\System32\vds.exe
              C:\Windows\System32\vds.exe
              1⤵
              • Checks SCSI registry key(s)
              PID:3076

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HEUR-Trojan.MSIL.Taskun.gen-50b0c7858bc2bb2d1fa3d441bd2c4e3930b88b77c6cef11a51af5705727d6639.exe.log
              Filesize

              1KB

              MD5

              17573558c4e714f606f997e5157afaac

              SHA1

              13e16e9415ceef429aaf124139671ebeca09ed23

              SHA256

              c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553

              SHA512

              f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              968cb9309758126772781b83adb8a28f

              SHA1

              8da30e71accf186b2ba11da1797cf67f8f78b47c

              SHA256

              92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

              SHA512

              4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              18KB

              MD5

              36acdd8613bfa092db54ac59fa18b411

              SHA1

              ad4e29ee385c1613b310b92b99e1a3d567fe1bd2

              SHA256

              d7ad4f1092cc07f08a53a8506ead752dccc98af1079bcbd2c704b7c06412619d

              SHA512

              6031fdf28f7a8c28e5ee500297da831e5cb84757e1590274067f810129193fca099fb9ca2ef664a463952d5f0262429ce99fdceedeee6c5d70eee30aee1d79a9

              Download Submit

            • memory/1468-175-0x0000000000400000-0x000000000041D000-memory.dmp

              Filesize

              116KB

              Download

            • memory/4244-137-0x0000000005410000-0x0000000005466000-memory.dmp

              Filesize

              344KB

              Download

            • memory/4244-136-0x00000000052D0000-0x00000000052DA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4244-135-0x0000000005370000-0x0000000005402000-memory.dmp

              Filesize

              584KB

              Download

            • memory/4244-134-0x0000000005880000-0x0000000005E24000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/4244-132-0x0000000000770000-0x0000000000882000-memory.dmp

              Filesize

              1.1MB

              Download

            • memory/4244-133-0x0000000005230000-0x00000000052CC000-memory.dmp

              Filesize

              624KB

              Download

            • memory/4304-153-0x0000000000400000-0x000000000041D000-memory.dmp

              Filesize

              116KB

              Download

            • memory/4304-142-0x0000000000400000-0x000000000041D000-memory.dmp

              Filesize

              116KB

              Download

            • memory/4304-144-0x0000000000400000-0x000000000041D000-memory.dmp

              Filesize

              116KB

              Download

            • memory/4600-177-0x00000000710C0000-0x000000007110C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/5116-162-0x0000000006FE0000-0x0000000006FFA000-memory.dmp

              Filesize

              104KB

              Download

            • memory/5116-167-0x0000000007310000-0x0000000007318000-memory.dmp

              Filesize

              32KB

              Download

            • memory/5116-160-0x0000000006280000-0x000000000629E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/5116-161-0x0000000007630000-0x0000000007CAA000-memory.dmp

              Filesize

              6.5MB

              Download

            • memory/5116-152-0x00000000056B0000-0x0000000005716000-memory.dmp

              Filesize

              408KB

              Download

            • memory/5116-163-0x0000000007050000-0x000000000705A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/5116-164-0x0000000007260000-0x00000000072F6000-memory.dmp

              Filesize

              600KB

              Download

            • memory/5116-165-0x0000000007210000-0x000000000721E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/5116-166-0x0000000007320000-0x000000000733A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/5116-159-0x0000000070FB0000-0x0000000070FFC000-memory.dmp

              Filesize

              304KB

              Download

            • memory/5116-158-0x0000000006EC0000-0x0000000006EF2000-memory.dmp

              Filesize

              200KB

              Download

            • memory/5116-145-0x00000000023D0000-0x0000000002406000-memory.dmp

              Filesize

              216KB

              Download

            • memory/5116-148-0x0000000005010000-0x0000000005638000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/5116-155-0x0000000005CD0000-0x0000000005CEE000-memory.dmp

              Filesize

              120KB

              Download

            • memory/5116-150-0x0000000004D00000-0x0000000004D22000-memory.dmp

              Filesize

              136KB

              Download

            • memory/5116-151-0x0000000004FA0000-0x0000000005006000-memory.dmp

              Filesize

              408KB

              Download