makop | ad534790700a9daa5fda6452692590e5e8c86d6a86aec0110822d0b54a6c21d9

General

Target

SecuriteInfo.com.FileRepMalware.13968.19609.exe
Size

847KB
MD5

586d6732d8c8d4045b05276f2a0cbf53
SHA1

e58187c1708079e9487310f8c4b34722e4271f35
SHA256

ad534790700a9daa5fda6452692590e5e8c86d6a86aec0110822d0b54a6c21d9
SHA512

edfb4e63b497793678977aad364e5c85919981fe9a93d74d64b4339b3596fd44d8c8b943d0b3bfcc95689e9476ea86fdff0822fd7de77870ef6430176b97792b
SSDEEP

24576:NmSo/l/4X2EM3GdNsFiKZqzYvqi/NmZrRV/tJ:NcaXNM2PBKZAsAZrRVVJ

Score

10^/10

makop ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\readme-warning.txt

Family

makop

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "gamigin" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: gamigin0612@tutanota.com or mammon0503@protonmail.com or pecunia0318@goat.si .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Emails

gamigin0612@tutanota.com

mammon0503@protonmail.com

pecunia0318@goat.si

Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.
ransomware makop
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1760 wbadmin.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

SecuriteInfo.com.FileRepMalware.13968.19609.exe

description ioc process

File opened for modification C:\Users\Admin\Pictures\SyncPush.tiff SecuriteInfo.com.FileRepMalware.13968.19609.exe
Loads dropped DLL 2 IoCs

Processes:

SecuriteInfo.com.FileRepMalware.13968.19609.exeSecuriteInfo.com.FileRepMalware.13968.19609.exe

pid process

948 SecuriteInfo.com.FileRepMalware.13968.19609.exe
768 SecuriteInfo.com.FileRepMalware.13968.19609.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
1760	wbadmin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\SyncPush.tiff	SecuriteInfo.com.FileRepMalware.13968.19609.exe

pid	process
948	SecuriteInfo.com.FileRepMalware.13968.19609.exe
768	SecuriteInfo.com.FileRepMalware.13968.19609.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

SecuriteInfo.com.FileRepMalware.13968.19609.exeSecuriteInfo.com.FileRepMalware.13968.19609.exe

description	pid	process	target process
PID 948 set thread context of 1348	948	SecuriteInfo.com.FileRepMalware.13968.19609.exe	SecuriteInfo.com.FileRepMalware.13968.19609.exe
PID 768 set thread context of 892	768	SecuriteInfo.com.FileRepMalware.13968.19609.exe	SecuriteInfo.com.FileRepMalware.13968.19609.exe

Drops file in Program Files directory 64 IoCs

Processes:

SecuriteInfo.com.FileRepMalware.13968.19609.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_few-showers.png	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\JOURNAL.INF	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04134_.WMF	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mip.exe.mui	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Austin.thmx	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\DELIMDOS.FAE	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\INVITE11.POC	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\travel.png	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_COL.HXT	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_ja.jar	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\PREVIEW.GIF	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Elemental.xml	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\5.png	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files\Java\jre7\lib\net.properties	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+5	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_rest.png	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-execution.jar	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\calendar.html	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_rest.png	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\ADD.GIF	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\DVDMaker.exe.mui	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\readme-warning.txt	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_zh_4.4.0.v20140623020002.jar	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsImageTemplate.html	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-hot.png	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\icon.png	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\currency.js	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\weather.css	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01218_.WMF	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask.wmv	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_zh_CN.jar	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Fiji	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\wmplayer.exe.mui	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions.css	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\gadget.xml	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_ja_4.4.0.v20140623020002.jar	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227419.JPG	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Urban.thmx	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBCALSO.POC	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Denver	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\PREVIEW.GIF	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\THMBNAIL.PNG	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00402_.WMF	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Basic\DEFAULT.XSL	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\AD98.POC	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\readme-warning.txt	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME52.CSS	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\PersonalContact.ico	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\readme-warning.txt	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_SelectionSubpicture.png	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_SelectionSubpicture.png	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00057_.WMF	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.HXS	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LOGO98.POC	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Maldives	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\picturePuzzle.js	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03464_.WMF	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\menu_arrow.gif	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGBARBLL.XML	SecuriteInfo.com.FileRepMalware.13968.19609.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv	SecuriteInfo.com.FileRepMalware.13968.19609.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1176 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

SecuriteInfo.com.FileRepMalware.13968.19609.exe

pid process

1348 SecuriteInfo.com.FileRepMalware.13968.19609.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

SecuriteInfo.com.FileRepMalware.13968.19609.exeSecuriteInfo.com.FileRepMalware.13968.19609.exe

pid process

948 SecuriteInfo.com.FileRepMalware.13968.19609.exe
768 SecuriteInfo.com.FileRepMalware.13968.19609.exe

pid	process
1176	vssadmin.exe

pid	process
1348	SecuriteInfo.com.FileRepMalware.13968.19609.exe

pid	process
948	SecuriteInfo.com.FileRepMalware.13968.19609.exe
768	SecuriteInfo.com.FileRepMalware.13968.19609.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

vssvc.exewbengine.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	868	vssvc.exe
Token: SeRestorePrivilege	868	vssvc.exe
Token: SeAuditPrivilege	868	vssvc.exe
Token: SeBackupPrivilege	976	wbengine.exe
Token: SeRestorePrivilege	976	wbengine.exe
Token: SeSecurityPrivilege	976	wbengine.exe
Token: SeIncreaseQuotaPrivilege	1144	WMIC.exe
Token: SeSecurityPrivilege	1144	WMIC.exe
Token: SeTakeOwnershipPrivilege	1144	WMIC.exe
Token: SeLoadDriverPrivilege	1144	WMIC.exe
Token: SeSystemProfilePrivilege	1144	WMIC.exe
Token: SeSystemtimePrivilege	1144	WMIC.exe
Token: SeProfSingleProcessPrivilege	1144	WMIC.exe
Token: SeIncBasePriorityPrivilege	1144	WMIC.exe
Token: SeCreatePagefilePrivilege	1144	WMIC.exe
Token: SeBackupPrivilege	1144	WMIC.exe
Token: SeRestorePrivilege	1144	WMIC.exe
Token: SeShutdownPrivilege	1144	WMIC.exe
Token: SeDebugPrivilege	1144	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1144	WMIC.exe
Token: SeRemoteShutdownPrivilege	1144	WMIC.exe
Token: SeUndockPrivilege	1144	WMIC.exe
Token: SeManageVolumePrivilege	1144	WMIC.exe
Token: 33	1144	WMIC.exe
Token: 34	1144	WMIC.exe
Token: 35	1144	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1144	WMIC.exe
Token: SeSecurityPrivilege	1144	WMIC.exe
Token: SeTakeOwnershipPrivilege	1144	WMIC.exe
Token: SeLoadDriverPrivilege	1144	WMIC.exe
Token: SeSystemProfilePrivilege	1144	WMIC.exe
Token: SeSystemtimePrivilege	1144	WMIC.exe
Token: SeProfSingleProcessPrivilege	1144	WMIC.exe
Token: SeIncBasePriorityPrivilege	1144	WMIC.exe
Token: SeCreatePagefilePrivilege	1144	WMIC.exe
Token: SeBackupPrivilege	1144	WMIC.exe
Token: SeRestorePrivilege	1144	WMIC.exe
Token: SeShutdownPrivilege	1144	WMIC.exe
Token: SeDebugPrivilege	1144	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1144	WMIC.exe
Token: SeRemoteShutdownPrivilege	1144	WMIC.exe
Token: SeUndockPrivilege	1144	WMIC.exe
Token: SeManageVolumePrivilege	1144	WMIC.exe
Token: 33	1144	WMIC.exe
Token: 34	1144	WMIC.exe
Token: 35	1144	WMIC.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

SecuriteInfo.com.FileRepMalware.13968.19609.exeSecuriteInfo.com.FileRepMalware.13968.19609.execmd.exeSecuriteInfo.com.FileRepMalware.13968.19609.exe

description	pid	process	target process
PID 948 wrote to memory of 1348	948	SecuriteInfo.com.FileRepMalware.13968.19609.exe	SecuriteInfo.com.FileRepMalware.13968.19609.exe
PID 948 wrote to memory of 1348	948	SecuriteInfo.com.FileRepMalware.13968.19609.exe	SecuriteInfo.com.FileRepMalware.13968.19609.exe
PID 948 wrote to memory of 1348	948	SecuriteInfo.com.FileRepMalware.13968.19609.exe	SecuriteInfo.com.FileRepMalware.13968.19609.exe
PID 948 wrote to memory of 1348	948	SecuriteInfo.com.FileRepMalware.13968.19609.exe	SecuriteInfo.com.FileRepMalware.13968.19609.exe
PID 948 wrote to memory of 1348	948	SecuriteInfo.com.FileRepMalware.13968.19609.exe	SecuriteInfo.com.FileRepMalware.13968.19609.exe
PID 1348 wrote to memory of 1344	1348	SecuriteInfo.com.FileRepMalware.13968.19609.exe	cmd.exe
PID 1348 wrote to memory of 1344	1348	SecuriteInfo.com.FileRepMalware.13968.19609.exe	cmd.exe
PID 1348 wrote to memory of 1344	1348	SecuriteInfo.com.FileRepMalware.13968.19609.exe	cmd.exe
PID 1348 wrote to memory of 1344	1348	SecuriteInfo.com.FileRepMalware.13968.19609.exe	cmd.exe
PID 1344 wrote to memory of 1176	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1176	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1176	1344	cmd.exe	vssadmin.exe
PID 1344 wrote to memory of 1760	1344	cmd.exe	wbadmin.exe
PID 1344 wrote to memory of 1760	1344	cmd.exe	wbadmin.exe
PID 1344 wrote to memory of 1760	1344	cmd.exe	wbadmin.exe
PID 1344 wrote to memory of 1144	1344	cmd.exe	WMIC.exe
PID 1344 wrote to memory of 1144	1344	cmd.exe	WMIC.exe
PID 1344 wrote to memory of 1144	1344	cmd.exe	WMIC.exe
PID 768 wrote to memory of 892	768	SecuriteInfo.com.FileRepMalware.13968.19609.exe	SecuriteInfo.com.FileRepMalware.13968.19609.exe
PID 768 wrote to memory of 892	768	SecuriteInfo.com.FileRepMalware.13968.19609.exe	SecuriteInfo.com.FileRepMalware.13968.19609.exe
PID 768 wrote to memory of 892	768	SecuriteInfo.com.FileRepMalware.13968.19609.exe	SecuriteInfo.com.FileRepMalware.13968.19609.exe
PID 768 wrote to memory of 892	768	SecuriteInfo.com.FileRepMalware.13968.19609.exe	SecuriteInfo.com.FileRepMalware.13968.19609.exe
PID 768 wrote to memory of 892	768	SecuriteInfo.com.FileRepMalware.13968.19609.exe	SecuriteInfo.com.FileRepMalware.13968.19609.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.13968.19609.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.13968.19609.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.13968.19609.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.13968.19609.exe"
2⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1348

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.13968.19609.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.13968.19609.exe" n1348
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:768

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.13968.19609.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.13968.19609.exe" n1348
4⤵
PID:892

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1176

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:1760

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1968

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

3

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\681096313
Filesize
645KB

MD5
470cc9935c68fd64655ccb51d5d0d731

SHA1
cba611dbd1f784c0bffa64720181327004b23653

SHA256
fcc3cf71d0be88e485e9c3e19adc64438b038562643aac3e52aa98e82280d8b6

SHA512
f363c352bc41d81fcbb1095b0e0c784fcf23053f70156d5495db065871d99df87ce1dac40a0d5740fdac5608f538c6647d1e8053ae3bd6152c618e18665e2ee6

Download Submit
C:\Users\Admin\AppData\Roaming\681096313
Filesize
645KB

MD5
4a999bd39cc217ed041f49e90d432c68

SHA1
aa0938f6e95ee2cac1f78f7873c44b8a1996ce20

SHA256
fddb8492d52b3f9648663504c720193aae307410fe95bb94e0c3c9830a028046

SHA512
d4add5ad28b92cf467262549ad1f49eac8c48c31e95cea476a2c7629b15df90d7bac8e8de8047007889bafd482e1aa3d8fce7748cd70a3a6f29ca43b77d1a114

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\dsffffffdd.lnk
Filesize
1KB

MD5
65a0c3ca4b1252e724a2ff56314fa7e8

SHA1
c59fbabbce2e3b43afbe5bcc1680dd1505518288

SHA256
731206b9ed7a0f2cadaeea4aa3bc95bb71d16efd114cfe877e6dd41ad9a94704

SHA512
1cef85d4521d8e4cc78e924cc930a1a5b97aa6fdbeb05be3e15f2012586fefe2b074ccf0ef3f31472a4948f7771b6235ac0fb72174c04e17811a035668522b9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\dsffffffdd.lnk
Filesize
1KB

MD5
e2b37db383f97fbd165990be837ef2ad

SHA1
6192572e4a3ca510c3c37ea4794c537c9ace7e11

SHA256
9c5d69ee91e4e1f43b1e3b84eeb36c0b33e14e7e7181f332bf7b6e4171c4465e

SHA512
73804092fe20350738492993a8e38fd785c213213b25f8854200170a8637a5f5cfa95c3d2d2d905421d531bd75e01016e6428894dd6e117ac9af549ace186505

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\qasdadsdsd.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\qasdadsdsd.lnk
Filesize
1KB

MD5
922e70bcfdbce1a981ae13996f62941d

SHA1
f6a934fd31ea3ade31921c36fc10210cb5adfee6

SHA256
bf5bea75601ce7ed776337d4bd7fc751b3a04f424332476eb6aaf337f960d496

SHA512
7be89aa770d98d916ece9aa60fe7f4e1d12d09c2b28187f048184e358402e244391adc435fef119c34c17a00ec08b5963519d48c3cfdcbd3b45e951ece5a7f0b

Download Submit
\Users\Admin\AppData\Local\Temp\nsd12.tmp\System.dll
Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nst1306.tmp\System.dll
Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/892-72-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/892-69-0x0000000000405680-mapping.dmp

Download
memory/892-71-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/948-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1144-68-0x0000000000000000-mapping.dmp

Download
memory/1176-64-0x0000000000000000-mapping.dmp

Download
memory/1344-59-0x0000000000000000-mapping.dmp

Download
memory/1348-73-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1348-58-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1348-56-0x0000000000405680-mapping.dmp

Download
memory/1348-77-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1760-66-0x0000000000000000-mapping.dmp

Download
memory/1760-67-0x000007FEFBAF1000-0x000007FEFBAF3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads