Extracted

• • Target

    996a8019a8deb5f1636e0236d07ba4b17d1cd50aff3ede5dd2be736d66d6160c

  • Size

    82KB

  • MD5

    d0fab02106121f74a3b1a436ef2795b0

  • SHA1

    19ccb8075c36ed4eafa3d2d59654918d4e510140

  • SHA256

    996a8019a8deb5f1636e0236d07ba4b17d1cd50aff3ede5dd2be736d66d6160c

  • SHA512

    710118197ff280d5ddfbb02dc29d013ad8014efbe4a474d405df6655f3cdd7ca4b65ee56d9f2042efb78b9f8d7e92696bc7d55b79f9d3b547e48baff121a470c

  • SSDEEP

    1536:JxqjQ+P04wsmJCA155S1FKnDtkuImiwiDY4sXn:sr85CAb5S1FqtkuImAYvn

  Score

  10^/10

  makopneshtapersistenceransomwarespywarestealer

  • MAKOP ransomware payload

  • Makop

    Ransomware family discovered by @VK_Intel in early 2020.

    ransomwaremakop

  • Modifies system executable filetype association

    persistence

  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Deletes backup catalog

    Uses wbadmin.exe to inhibit system recovery.

    ransomware

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Drops file in System32 directory

  behavioral1behavioral2