makop | a6566bc4c76a36a0e880d2151e0a86a59c3af57082b7c83a669dba3f28afb959

General

Target

SecuriteInfo.com.FileRepMalware.4018.10238.exe
Size

853KB
MD5

d26afd54021ba871403b3c6ba520e4ae
SHA1

a7f2167bb9748122f72e751b98c80c317f1e6af9
SHA256

a6566bc4c76a36a0e880d2151e0a86a59c3af57082b7c83a669dba3f28afb959
SHA512

4459ee49492a151c00771a8b3ec4fc8aae919c860c3679fda4d8c63ca973055290ed5d9e928a2080049cf27f63190c9a3ce68b20d984291837327f2684e7b206
SSDEEP

24576:7Syo/l/4X2EM3GdNsFiKZqzYvqi/NmZrRV/tJ:caXNM2PBKZAsAZrRVVJ

Score

10^/10

makop ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\readme-warning.txt

Family

makop

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "gamigin" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: gamigin0612@tutanota.com or mammon0503@protonmail.com or pecunia0318@goat.si .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Emails

gamigin0612@tutanota.com

mammon0503@protonmail.com

pecunia0318@goat.si

Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.
ransomware makop
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 3692 created 3952 3692 svchost.exe SecuriteInfo.com.FileRepMalware.4018.10238.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

4548 wbadmin.exe

description	pid	process	target process
PID 3692 created 3952	3692	svchost.exe	SecuriteInfo.com.FileRepMalware.4018.10238.exe

pid	process
4548	wbadmin.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

SecuriteInfo.com.FileRepMalware.4018.10238.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ResumeRead.tiff	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Users\Admin\Pictures\SwitchConvertTo.tiff	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Users\Admin\Pictures\UndoSelect.tiff	SecuriteInfo.com.FileRepMalware.4018.10238.exe

Loads dropped DLL 2 IoCs

Processes:

SecuriteInfo.com.FileRepMalware.4018.10238.exeSecuriteInfo.com.FileRepMalware.4018.10238.exe

pid process

636 SecuriteInfo.com.FileRepMalware.4018.10238.exe
2036 SecuriteInfo.com.FileRepMalware.4018.10238.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
636	SecuriteInfo.com.FileRepMalware.4018.10238.exe
2036	SecuriteInfo.com.FileRepMalware.4018.10238.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

SecuriteInfo.com.FileRepMalware.4018.10238.exeSecuriteInfo.com.FileRepMalware.4018.10238.exe

description	pid	process	target process
PID 636 set thread context of 3952	636	SecuriteInfo.com.FileRepMalware.4018.10238.exe	SecuriteInfo.com.FileRepMalware.4018.10238.exe
PID 2036 set thread context of 4544	2036	SecuriteInfo.com.FileRepMalware.4018.10238.exe	SecuriteInfo.com.FileRepMalware.4018.10238.exe

Drops file in Program Files directory 64 IoCs

Processes:

SecuriteInfo.com.FileRepMalware.4018.10238.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-Toolkit\Images\dash.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-16_altform-unplated.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hu-hu\readme-warning.txt	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-BoldIt.otf	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\es-ES.mail.config	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreSmallTile.scale-200.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\readme-warning.txt	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\css\main-selector.css	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VideoEditor.Common\Resources\SimpleProgressBarTheme.xbf	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-256.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_altform-unplated_contrast-black.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_MouseEar.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageWideTile.scale-150.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_contrast-white.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_folder-down_32.svg	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\mc.jar	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-100_contrast-white.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Light.scale-125.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_contrast-white.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_altform-unplated_contrast-white.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-20.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-200.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\SEGOEUISL.TTF	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-200_contrast-white.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ul-oob.xrm-ms	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\vlc.mo	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Exchange.scale-125.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\rhp_world_icon_hover_2x.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ja-jp\ui-strings.js	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-ui.jar	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ppd.xrm-ms	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\readme-warning.txt	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\MSFT_PackageManagement.schema.mfl	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_contrast-white.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.dic	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\NOTICE	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-32_altform-lightunplated.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\readme-warning.txt	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderSplashScreen.contrast-black_scale-200.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\Weather_TileSmallSquare.scale-100.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_Safety_Objects.jpg	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_8_Loud.m4a	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\booklist.gif	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageStoreLogo.scale-100.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockSmallTile.contrast-white_scale-100.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\WideTile.scale-100.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ppd.xrm-ms	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteSmallTile.scale-150.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\readme-warning.txt	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\da-dk\ui-strings.js	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-24_altform-unplated.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeLargeTile.scale-150.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailWideTile.scale-150.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\AddressBook2x.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkServerCP.bat	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL058.XML	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-36_altform-unplated.png	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pl-pl\readme-warning.txt	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\da-dk\readme-warning.txt	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\index.win32.bundle.map	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-us\CT_ROOTS.XML	SecuriteInfo.com.FileRepMalware.4018.10238.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-oob.xrm-ms	SecuriteInfo.com.FileRepMalware.4018.10238.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4156 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

SecuriteInfo.com.FileRepMalware.4018.10238.exe

pid process

3952 SecuriteInfo.com.FileRepMalware.4018.10238.exe
3952 SecuriteInfo.com.FileRepMalware.4018.10238.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

SecuriteInfo.com.FileRepMalware.4018.10238.exeSecuriteInfo.com.FileRepMalware.4018.10238.exe

pid process

636 SecuriteInfo.com.FileRepMalware.4018.10238.exe
2036 SecuriteInfo.com.FileRepMalware.4018.10238.exe

pid	process
4156	vssadmin.exe

pid	process
3952	SecuriteInfo.com.FileRepMalware.4018.10238.exe
3952	SecuriteInfo.com.FileRepMalware.4018.10238.exe

pid	process
636	SecuriteInfo.com.FileRepMalware.4018.10238.exe
2036	SecuriteInfo.com.FileRepMalware.4018.10238.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

svchost.exevssvc.exewbengine.exeWMIC.exe

description	pid	process
Token: SeTcbPrivilege	3692	svchost.exe
Token: SeTcbPrivilege	3692	svchost.exe
Token: SeBackupPrivilege	3524	vssvc.exe
Token: SeRestorePrivilege	3524	vssvc.exe
Token: SeAuditPrivilege	3524	vssvc.exe
Token: SeBackupPrivilege	4584	wbengine.exe
Token: SeRestorePrivilege	4584	wbengine.exe
Token: SeSecurityPrivilege	4584	wbengine.exe
Token: SeIncreaseQuotaPrivilege	2516	WMIC.exe
Token: SeSecurityPrivilege	2516	WMIC.exe
Token: SeTakeOwnershipPrivilege	2516	WMIC.exe
Token: SeLoadDriverPrivilege	2516	WMIC.exe
Token: SeSystemProfilePrivilege	2516	WMIC.exe
Token: SeSystemtimePrivilege	2516	WMIC.exe
Token: SeProfSingleProcessPrivilege	2516	WMIC.exe
Token: SeIncBasePriorityPrivilege	2516	WMIC.exe
Token: SeCreatePagefilePrivilege	2516	WMIC.exe
Token: SeBackupPrivilege	2516	WMIC.exe
Token: SeRestorePrivilege	2516	WMIC.exe
Token: SeShutdownPrivilege	2516	WMIC.exe
Token: SeDebugPrivilege	2516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2516	WMIC.exe
Token: SeRemoteShutdownPrivilege	2516	WMIC.exe
Token: SeUndockPrivilege	2516	WMIC.exe
Token: SeManageVolumePrivilege	2516	WMIC.exe
Token: 33	2516	WMIC.exe
Token: 34	2516	WMIC.exe
Token: 35	2516	WMIC.exe
Token: 36	2516	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2516	WMIC.exe
Token: SeSecurityPrivilege	2516	WMIC.exe
Token: SeTakeOwnershipPrivilege	2516	WMIC.exe
Token: SeLoadDriverPrivilege	2516	WMIC.exe
Token: SeSystemProfilePrivilege	2516	WMIC.exe
Token: SeSystemtimePrivilege	2516	WMIC.exe
Token: SeProfSingleProcessPrivilege	2516	WMIC.exe
Token: SeIncBasePriorityPrivilege	2516	WMIC.exe
Token: SeCreatePagefilePrivilege	2516	WMIC.exe
Token: SeBackupPrivilege	2516	WMIC.exe
Token: SeRestorePrivilege	2516	WMIC.exe
Token: SeShutdownPrivilege	2516	WMIC.exe
Token: SeDebugPrivilege	2516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2516	WMIC.exe
Token: SeRemoteShutdownPrivilege	2516	WMIC.exe
Token: SeUndockPrivilege	2516	WMIC.exe
Token: SeManageVolumePrivilege	2516	WMIC.exe
Token: 33	2516	WMIC.exe
Token: 34	2516	WMIC.exe
Token: 35	2516	WMIC.exe
Token: 36	2516	WMIC.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

SecuriteInfo.com.FileRepMalware.4018.10238.exesvchost.exeSecuriteInfo.com.FileRepMalware.4018.10238.execmd.exeSecuriteInfo.com.FileRepMalware.4018.10238.exe

description	pid	process	target process
PID 636 wrote to memory of 3952	636	SecuriteInfo.com.FileRepMalware.4018.10238.exe	SecuriteInfo.com.FileRepMalware.4018.10238.exe
PID 636 wrote to memory of 3952	636	SecuriteInfo.com.FileRepMalware.4018.10238.exe	SecuriteInfo.com.FileRepMalware.4018.10238.exe
PID 636 wrote to memory of 3952	636	SecuriteInfo.com.FileRepMalware.4018.10238.exe	SecuriteInfo.com.FileRepMalware.4018.10238.exe
PID 636 wrote to memory of 3952	636	SecuriteInfo.com.FileRepMalware.4018.10238.exe	SecuriteInfo.com.FileRepMalware.4018.10238.exe
PID 3692 wrote to memory of 2036	3692	svchost.exe	SecuriteInfo.com.FileRepMalware.4018.10238.exe
PID 3692 wrote to memory of 2036	3692	svchost.exe	SecuriteInfo.com.FileRepMalware.4018.10238.exe
PID 3692 wrote to memory of 2036	3692	svchost.exe	SecuriteInfo.com.FileRepMalware.4018.10238.exe
PID 3692 wrote to memory of 2036	3692	svchost.exe	SecuriteInfo.com.FileRepMalware.4018.10238.exe
PID 3692 wrote to memory of 2036	3692	svchost.exe	SecuriteInfo.com.FileRepMalware.4018.10238.exe
PID 3692 wrote to memory of 2036	3692	svchost.exe	SecuriteInfo.com.FileRepMalware.4018.10238.exe
PID 3692 wrote to memory of 2036	3692	svchost.exe	SecuriteInfo.com.FileRepMalware.4018.10238.exe
PID 3952 wrote to memory of 4772	3952	SecuriteInfo.com.FileRepMalware.4018.10238.exe	cmd.exe
PID 3952 wrote to memory of 4772	3952	SecuriteInfo.com.FileRepMalware.4018.10238.exe	cmd.exe
PID 4772 wrote to memory of 4156	4772	cmd.exe	vssadmin.exe
PID 4772 wrote to memory of 4156	4772	cmd.exe	vssadmin.exe
PID 4772 wrote to memory of 4548	4772	cmd.exe	wbadmin.exe
PID 4772 wrote to memory of 4548	4772	cmd.exe	wbadmin.exe
PID 4772 wrote to memory of 2516	4772	cmd.exe	WMIC.exe
PID 4772 wrote to memory of 2516	4772	cmd.exe	WMIC.exe
PID 2036 wrote to memory of 4544	2036	SecuriteInfo.com.FileRepMalware.4018.10238.exe	SecuriteInfo.com.FileRepMalware.4018.10238.exe
PID 2036 wrote to memory of 4544	2036	SecuriteInfo.com.FileRepMalware.4018.10238.exe	SecuriteInfo.com.FileRepMalware.4018.10238.exe
PID 2036 wrote to memory of 4544	2036	SecuriteInfo.com.FileRepMalware.4018.10238.exe	SecuriteInfo.com.FileRepMalware.4018.10238.exe
PID 2036 wrote to memory of 4544	2036	SecuriteInfo.com.FileRepMalware.4018.10238.exe	SecuriteInfo.com.FileRepMalware.4018.10238.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.4018.10238.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.4018.10238.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:636

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.4018.10238.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.4018.10238.exe"
2⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3952

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.4018.10238.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.4018.10238.exe" n3952
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.4018.10238.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.4018.10238.exe" n3952
4⤵
PID:4544

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:4156

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:4548

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3960

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:228

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

3

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsp6E9E.tmp\System.dll
Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy83FB.tmp\System.dll
Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
C:\Users\Admin\AppData\Roaming\681096313
Filesize
645KB

MD5
470cc9935c68fd64655ccb51d5d0d731

SHA1
cba611dbd1f784c0bffa64720181327004b23653

SHA256
fcc3cf71d0be88e485e9c3e19adc64438b038562643aac3e52aa98e82280d8b6

SHA512
f363c352bc41d81fcbb1095b0e0c784fcf23053f70156d5495db065871d99df87ce1dac40a0d5740fdac5608f538c6647d1e8053ae3bd6152c618e18665e2ee6

Download Submit
C:\Users\Admin\AppData\Roaming\681096313
Filesize
645KB

MD5
2194722b2c1aceec61229b99ce305100

SHA1
f360997197d174292dc87fa816e85c1d6428f908

SHA256
c49657252e89059f79af75ed6084d0805552ccbd11ab466ef0ab42cebf803b0b

SHA512
f8358d734504b5980446069cbcebd6f00e0e22ed21baa0d042b616808b93fa413f2ad754dff46b4ee41419fe6009c501a2caec049692ba129a401d41d0def0df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\dsffffffdd.lnk
Filesize
1KB

MD5
0db4568712752aed52c2fe3f3bda0cf1

SHA1
f6a49d63b9c219537a894462988d969e39766125

SHA256
7be18dbfc0b02a8dc95b202948bdb9334a82a970ae79bfb2dd04f79bd0024933

SHA512
bf6b3bd6336692265467f18269f5bde74ffeaefc1cda6a27bd0f998d9f8d2253ef7d7c478629e40ce589e087cf084c02c534d0fc3b59219c8008ba2c61102ac3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\dsffffffdd.lnk
Filesize
1KB

MD5
bf367d09366b9be75afbe52ed5c31226

SHA1
3c071c50c4461fd80372852dd2b057d3e396a5ce

SHA256
d72b5df0b5c364973ff92b12810aec4a02d187b585f2ddce532460347996b685

SHA512
f9d5468e97ffe3d061d57ea76b02cdf928e6826a4220fcdf951af93dd9061bafa885530e7ef68d99aa9c4574beddfe086157c0c083ab0f3342e0f8461c8c3c17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\qasdadsdsd.lnk
Filesize
1KB

MD5
4089ce80079eab9cf4749ffab3dd80ed

SHA1
48c1bf103ec031c471f6f72361dbddb206795402

SHA256
bca2403fb63449e3c079f8a1cf411e5efba56d8b3e853e0e0c69e593bbbdf6cf

SHA512
cc5e2b876663938adc3b49bd348b333c772abb96d36c5d245e1351d8d9a26a52c0ff97e8f6ff0fb71e0a349388767c63c0a96c3bcfe3e0ace026620e6205f2ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\qasdadsdsd.lnk
Filesize
1KB

MD5
4ac6f1673da83c45401e1dd876a14f86

SHA1
396ba9161ce08eb38a0425ce25a1556eaf7608d9

SHA256
5c9f85c14ac81f6ce220494ce3ecd943d05b794f233434626fa99a45c516c8f1

SHA512
6e5a933d3a449cb348e3adac6e2a2aa3c22e47d04d5ab725c1003648e8ddcb7465ded99325acd63f52fa453874b115f6f000809b699910fc31e3b045451e9208

Download Submit
memory/2036-134-0x0000000000000000-mapping.dmp

Download
memory/2516-143-0x0000000000000000-mapping.dmp

Download
memory/3952-151-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3952-141-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3952-133-0x0000000000000000-mapping.dmp

Download
memory/3952-146-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4156-140-0x0000000000000000-mapping.dmp

Download
memory/4544-147-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4544-145-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4544-144-0x0000000000000000-mapping.dmp

Download
memory/4548-142-0x0000000000000000-mapping.dmp

Download
memory/4772-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads