Analysis
-
max time kernel
80s -
max time network
82s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
20-03-2023 03:15
General
-
Target
asdf.exe
-
Size
259KB
-
MD5
9a0a28352da8fb0dcdc8320450a7ebf8
-
SHA1
36a7c488e2d0d6633feab2ffb33dd714ae4e5612
-
SHA256
2044f2f407beaed23a1bd832e34a48266e936090fe2b064f65d8b5c34b208dce
-
SHA512
a75a78bf88281129953032f760d6813b3f261d21893f9c35224a5a4fa32708439a832cf49f70c3a8661aa817e3281dd4f5a60c3b242b7800972474d716285eaf
-
SSDEEP
3072:IomnzVincQDKgc/7SSCbwFtOLy/ycpZxCB0LYnbfaR00n:ItZHSd4t/aGiMYu
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\readme-warning.txt
makop
mammon0503@tutanota.com
mammon0503@protonmail.com
samsung00700@tutanota.com
pecunia0318@goat.si
Signatures
-
Makop
Ransomware family discovered by @VK_Intel in early 2020.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\asdf.exe"C:\Users\Admin\AppData\Local\Temp\asdf.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asdf.exe"C:\Users\Admin\AppData\Local\Temp\asdf.exe"2⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asdf.exe"C:\Users\Admin\AppData\Local\Temp\asdf.exe" n6363⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asdf.exe"C:\Users\Admin\AppData\Local\Temp\asdf.exe" n6364⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\readme-warning.txtFilesize
1KB
MD50f44a19896202f3a9f8dd0747e54c5eb
SHA103f490800892428e0791deeccbe5fa56b0b97226
SHA256994aaeff999041819c380948d93a44265440d63d5b6e7a9cc9ef82d646fcd1ef
SHA512f5323173a37308cdaf5c8480c4a4a3536211a41d2c52eb87a0c1a187f0c590e062507cdeca3720ae67a4b3579a0aa65da3da1f57014e101336f275b921e2b5f6
-
C:\Users\Admin\AppData\Local\Temp\nso1335.tmp\System.dllFilesize
11KB
MD50063d48afe5a0cdc02833145667b6641
SHA1e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA51271cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0
-
C:\Users\Admin\AppData\Roaming\843795456Filesize
57KB
MD5a253286a67949f1eceeb8f7053b98282
SHA1ac0d50d2f81d6814e16fe27a45fe9fe30b3cca63
SHA2562617af783185d30fbd3b1cf756502619ae8f7fd439bfc6d1c76e8bcc016a0383
SHA512a4a3ee38c892918e970df727c9f6da105fec988cada88d601cd3e02c1b2a1b8815bf1512d941fc30d0b65f22d9454993ee2b3d13f68f0ef63c8cbfe9f6c48aa3
-
C:\Users\Admin\AppData\Roaming\843795456Filesize
57KB
MD58a9d30b739f21522b79d9c7fb582e56d
SHA1db2593c6aeda57946dd2540a3af807fd63957fce
SHA256056bbd47c7b226a83bcf053e3b05e72026828f2f996be88c236e803830b92157
SHA512f3a301aef0e49b2ef65bef5936483dcbda33b81f8a2dfcf46ab44d9b8f21a409f5b5d05973752376374ba51f018addfd6dc3a1347511f9814f35ee2f64616e66
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\dsffffffdd.lnkFilesize
1KB
MD5468e53b5b1ed65db3632a6e4e8c65337
SHA1ec2cd5047ff47107ec3bb4b1e545af7499751fb5
SHA256d2efea5232794afede341da9a3d6283222666cb77b6674418c25d539620f05d9
SHA5127e4b6d707c609d7806360061e0f648060b2d88d4735432490197681a46310cf37dcb80f388182d5b11aca3eea26ec6dfb3cda98494cf4696687068056482e39b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\dsffffffdd.lnkFilesize
1KB
MD509df0d7f54b2a583f4919e58c2eba1e2
SHA1721c53c46960d11fed2f2703be3c761936b1c17e
SHA256bfed92e062da156b62670dc7baf6a1e8b2e835c327ea273d6570dd2060e104ca
SHA5124132ef6d8d629ace52e95595b3b69231e457d9c6ab34e54f9f9758dbda524358ecf8209fd4eb028fd3a26af49296a197ab9f6432d36a26539a59c44932f93e55
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\qasdadsdsd.lnkFilesize
1KB
MD560807301f5f86c6fe8ecfbf0c91350c8
SHA19561b377dfb152b55d63338f36ca076e5e34735f
SHA256f5d6ce27ce6f649e2401256fa2f482b7cfedfccd83c30d974a11af14bc64a8df
SHA512fb8d2c7060a9ab2a1e212117a6e17828a20ce0fd734841614c0920fdffe66e8089f3ba6d10f886cd784ca8b05198337d82ec80723f06b9613cef2634ee35c339
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\qasdadsdsd.lnkFilesize
1KB
MD569457589ca3b717377adc8f62547fe99
SHA18b8ebfa1294946a52c6370796d1c152432e2db50
SHA256e337d5d78a0ec43ec7203bc24e1050fc7a55755701ebc4847b4cc0adecafb877
SHA5125df07b610269de1a90a3cd28094477d7a2fb93e607ebd3a5a22b1ead04b03dff00f8dea9d5ae3c17b87906d0d4bb441c1904b042102079ca96628f14f8992525
-
\Users\Admin\AppData\Local\Temp\nsd456.tmp\System.dllFilesize
11KB
MD50063d48afe5a0cdc02833145667b6641
SHA1e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA51271cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0
-
\Users\Admin\AppData\Local\Temp\nso1335.tmp\System.dllFilesize
11KB
MD50063d48afe5a0cdc02833145667b6641
SHA1e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA51271cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0
-
memory/636-78-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/636-145-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/636-520-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/636-65-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/636-63-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/636-17474-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/636-17475-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/1320-149-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/1320-391-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/1320-518-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB