Overview

overview

10

Static

static

1

SecuriteIn...09.exe

windows7-x64

10

SecuriteIn...09.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    95s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    17-11-2022 22:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.FileRepMalware.13968.19609.exe

  • Size

    847KB

  • MD5

    586d6732d8c8d4045b05276f2a0cbf53

  • SHA1

    e58187c1708079e9487310f8c4b34722e4271f35

  • SHA256

    ad534790700a9daa5fda6452692590e5e8c86d6a86aec0110822d0b54a6c21d9

  • SHA512

    edfb4e63b497793678977aad364e5c85919981fe9a93d74d64b4339b3596fd44d8c8b943d0b3bfcc95689e9476ea86fdff0822fd7de77870ef6430176b97792b

  • SSDEEP

    24576:NmSo/l/4X2EM3GdNsFiKZqzYvqi/NmZrRV/tJ:NcaXNM2PBKZAsAZrRVVJ

Score
10/10
makopransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\readme-warning.txt

Family

makop

Ransom Note
::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "gamigin" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: [email protected] or [email protected] or [email protected] .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Signatures

  • Makop

    Ransomware family discovered by @VK_Intel in early 2020.

    ransomwaremakop
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.13968.19609.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.13968.19609.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:948
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.13968.19609.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.13968.19609.exe"
      2⤵
      • Modifies extensions of user files
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1348
      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.13968.19609.exe
        "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.13968.19609.exe" n1348
        3⤵
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:768
        • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.13968.19609.exe
          "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.13968.19609.exe" n1348
          4⤵
            PID:892
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1344
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            4⤵
            • Interacts with shadow copies
            PID:1176
          • C:\Windows\system32\wbadmin.exe
            wbadmin delete catalog -quiet
            4⤵
            • Deletes backup catalog
            PID:1760
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic shadowcopy delete
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1144
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:868
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:976
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:1968
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
          PID:1492

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\681096313
          Filesize

          645KB

          MD5

          470cc9935c68fd64655ccb51d5d0d731

          SHA1

          cba611dbd1f784c0bffa64720181327004b23653

          SHA256

          fcc3cf71d0be88e485e9c3e19adc64438b038562643aac3e52aa98e82280d8b6

          SHA512

          f363c352bc41d81fcbb1095b0e0c784fcf23053f70156d5495db065871d99df87ce1dac40a0d5740fdac5608f538c6647d1e8053ae3bd6152c618e18665e2ee6

          Download Submit

        • C:\Users\Admin\AppData\Roaming\681096313
          Filesize

          645KB

          MD5

          4a999bd39cc217ed041f49e90d432c68

          SHA1

          aa0938f6e95ee2cac1f78f7873c44b8a1996ce20

          SHA256

          fddb8492d52b3f9648663504c720193aae307410fe95bb94e0c3c9830a028046

          SHA512

          d4add5ad28b92cf467262549ad1f49eac8c48c31e95cea476a2c7629b15df90d7bac8e8de8047007889bafd482e1aa3d8fce7748cd70a3a6f29ca43b77d1a114

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\dsffffffdd.lnk
          Filesize

          1KB

          MD5

          65a0c3ca4b1252e724a2ff56314fa7e8

          SHA1

          c59fbabbce2e3b43afbe5bcc1680dd1505518288

          SHA256

          731206b9ed7a0f2cadaeea4aa3bc95bb71d16efd114cfe877e6dd41ad9a94704

          SHA512

          1cef85d4521d8e4cc78e924cc930a1a5b97aa6fdbeb05be3e15f2012586fefe2b074ccf0ef3f31472a4948f7771b6235ac0fb72174c04e17811a035668522b9a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\dsffffffdd.lnk
          Filesize

          1KB

          MD5

          e2b37db383f97fbd165990be837ef2ad

          SHA1

          6192572e4a3ca510c3c37ea4794c537c9ace7e11

          SHA256

          9c5d69ee91e4e1f43b1e3b84eeb36c0b33e14e7e7181f332bf7b6e4171c4465e

          SHA512

          73804092fe20350738492993a8e38fd785c213213b25f8854200170a8637a5f5cfa95c3d2d2d905421d531bd75e01016e6428894dd6e117ac9af549ace186505

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\qasdadsdsd.lnk
          Filesize

          1KB

          MD5

          922e70bcfdbce1a981ae13996f62941d

          SHA1

          f6a934fd31ea3ade31921c36fc10210cb5adfee6

          SHA256

          bf5bea75601ce7ed776337d4bd7fc751b3a04f424332476eb6aaf337f960d496

          SHA512

          7be89aa770d98d916ece9aa60fe7f4e1d12d09c2b28187f048184e358402e244391adc435fef119c34c17a00ec08b5963519d48c3cfdcbd3b45e951ece5a7f0b

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nsd12.tmp\System.dll
          Filesize

          11KB

          MD5

          fccff8cb7a1067e23fd2e2b63971a8e1

          SHA1

          30e2a9e137c1223a78a0f7b0bf96a1c361976d91

          SHA256

          6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

          SHA512

          f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nst1306.tmp\System.dll
          Filesize

          11KB

          MD5

          fccff8cb7a1067e23fd2e2b63971a8e1

          SHA1

          30e2a9e137c1223a78a0f7b0bf96a1c361976d91

          SHA256

          6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

          SHA512

          f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

          Download Submit

        • memory/892-72-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/892-71-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/948-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1348-73-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/1348-58-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/1348-77-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/1760-67-0x000007FEFBAF1000-0x000007FEFBAF3000-memory.dmp

          Filesize

          8KB

          Download