Overview

overview

10

Static

static

1

b7e5749284...in.exe

windows7-x64

10

b7e5749284...in.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    15-03-2023 04:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29.bin.exe

  • Size

    710KB

  • MD5

    7a668b5ec9a34afa512e471a20b8f932

  • SHA1

    e53653edc907842c577b3c6dda208a60b409ced8

  • SHA256

    b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29

  • SHA512

    f98ab8477997c01c17031d1312293626032e600f8af8081b0aee07176b15fe91ae305e4c4e48ed30491ae0e3a374347c5bfcf804c3315b1e8b18efadf3107789

  • SSDEEP

    3072:ybG7N2kDTHUpouu2IbN0PFBleIW8fB6NYTL:ybE/HUG2KN0h7xsN4L

Score
10/10
makopransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\readme-warning.txt

Family

makop

Ransom Note
::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "noctua" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: noctua0302@goat.si or pecunia0318@tutanota.com .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.
Emails

noctua0302@goat.si

pecunia0318@tutanota.com

Signatures

  • Makop

    Ransomware family discovered by @VK_Intel in early 2020.

    ransomwaremakop
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29.bin.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1308
    • C:\Users\Admin\AppData\Local\Temp\b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29.bin.exe
      2⤵
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1048
      • C:\Users\Admin\AppData\Local\Temp\b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29.bin.exe
        "C:\Users\Admin\AppData\Local\Temp\b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29.bin.exe" n1048
        3⤵
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:584
        • C:\Users\Admin\AppData\Local\Temp\b7e574928412c8142c2a1d9b1c35fcc9e698dd79291ba808d41407d8d06cbe29.bin.exe
          4⤵
            PID:1864
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 584 -s 396
            4⤵
            • Program crash
            PID:1788
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:468
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            4⤵
            • Interacts with shadow copies
            PID:1288
          • C:\Windows\system32\wbadmin.exe
            wbadmin delete catalog -quiet
            4⤵
            • Deletes backup catalog
            PID:1140
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic shadowcopy delete
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1688
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 476
        2⤵
        • Program crash
        PID:432
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1144
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:904
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:908
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
          PID:1860

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Command-Line Interface

        1
        T1059

        Persistence

        Privilege Escalation

        Defense Evasion

        File Deletion

        3
        T1107

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Inhibit System Recovery

        3
        T1490

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\readme-warning.txt
          Filesize

          1KB

          MD5

          c254df13320f69aefb6a254fdb7bef85

          SHA1

          ae3164c12530922d64e814b7f852e5448ad69642

          SHA256

          b7252a98bcf4060b737b2fb5781f61b8250a348b3d774dbb4612abadcd30d166

          SHA512

          8f6a910b0d4a47422fd82043ff9792b8641aa4c935923b435078ab0113a806ccb156d12d2d00a5930c920d3cfb3c6e611d56de0b08921d38e63dd8dfbaa8f4dd

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\134245471
          Filesize

          541.9MB

          MD5

          1584ff6c9703213586868766a8e563a5

          SHA1

          930e44a940b56802d9669465baa12516825ff872

          SHA256

          c276b035281ccfa5281ece0d8a30ab74f873d77d4ff0128f61fae5571184cd06

          SHA512

          6e440bf73b2e36a6623f65624fd7211c866484faad68fe706d8479d376709b7a41e52d971a797e1e73982710b1fcc08a6b9e076cec59ae0e5e00f2a4a4bec761

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\134245471
          Filesize

          541.9MB

          MD5

          1fd5a7b69fcf492d882d940d34c760e8

          SHA1

          d8d8cbabffd25d1a2c51c4686ec9dea1fbd98c76

          SHA256

          45d17760b6accda46218c7c7fa4423d11d20b2c3ae01db4488948f594cfb2e57

          SHA512

          868d5bf064e44d4dd728b2cb7008e8ee7e3ee6de70813f32e4f4ad720ed4f26c68456d2c930538e29f8af3c884c93441e63a4e1995df454141dcf45ce0375f41

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\nsjE3CC.tmp\System.dll
          Filesize

          12KB

          MD5

          cff85c549d536f651d4fb8387f1976f2

          SHA1

          d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

          SHA256

          8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

          SHA512

          531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

          Download Submit
        • \Users\Admin\AppData\Local\Temp\nsjE3CC.tmp\System.dll
          Filesize

          12KB

          MD5

          cff85c549d536f651d4fb8387f1976f2

          SHA1

          d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

          SHA256

          8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

          SHA512

          531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

          Download Submit
        • \Users\Admin\AppData\Local\Temp\nst6154.tmp\System.dll
          Filesize

          12KB

          MD5

          cff85c549d536f651d4fb8387f1976f2

          SHA1

          d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

          SHA256

          8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

          SHA512

          531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

          Download Submit
        • memory/1048-67-0x0000000000400000-0x000000000041E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/1048-64-0x0000000000400000-0x000000000041E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/1048-63-0x0000000000400000-0x000000000041E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/1048-103-0x0000000000400000-0x000000000041E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/1048-61-0x0000000000400000-0x000000000041E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/1048-526-0x0000000000400000-0x000000000041E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/1864-79-0x0000000000400000-0x000000000041E000-memory.dmp
          Filesize

          120KB

          Download