Analysis
-
max time kernel
86s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
20-03-2023 03:15
General
-
Target
asdf.exe
-
Size
259KB
-
MD5
9a0a28352da8fb0dcdc8320450a7ebf8
-
SHA1
36a7c488e2d0d6633feab2ffb33dd714ae4e5612
-
SHA256
2044f2f407beaed23a1bd832e34a48266e936090fe2b064f65d8b5c34b208dce
-
SHA512
a75a78bf88281129953032f760d6813b3f261d21893f9c35224a5a4fa32708439a832cf49f70c3a8661aa817e3281dd4f5a60c3b242b7800972474d716285eaf
-
SSDEEP
3072:IomnzVincQDKgc/7SSCbwFtOLy/ycpZxCB0LYnbfaR00n:ItZHSd4t/aGiMYu
Malware Config
Extracted
C:\Program Files\7-Zip\readme-warning.txt
makop
mammon0503@tutanota.com
mammon0503@protonmail.com
samsung00700@tutanota.com
pecunia0318@goat.si
Signatures
-
Makop
Ransomware family discovered by @VK_Intel in early 2020.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\asdf.exe"C:\Users\Admin\AppData\Local\Temp\asdf.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asdf.exe"C:\Users\Admin\AppData\Local\Temp\asdf.exe"2⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asdf.exe"C:\Users\Admin\AppData\Local\Temp\asdf.exe" n11563⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\asdf.exe"C:\Users\Admin\AppData\Local\Temp\asdf.exe" n11564⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\7-Zip\readme-warning.txtFilesize
1KB
MD50f44a19896202f3a9f8dd0747e54c5eb
SHA103f490800892428e0791deeccbe5fa56b0b97226
SHA256994aaeff999041819c380948d93a44265440d63d5b6e7a9cc9ef82d646fcd1ef
SHA512f5323173a37308cdaf5c8480c4a4a3536211a41d2c52eb87a0c1a187f0c590e062507cdeca3720ae67a4b3579a0aa65da3da1f57014e101336f275b921e2b5f6
-
C:\Users\Admin\AppData\Local\Temp\nsc81F7.tmp\System.dllFilesize
11KB
MD50063d48afe5a0cdc02833145667b6641
SHA1e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA51271cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0
-
C:\Users\Admin\AppData\Local\Temp\nsy90AD.tmp\System.dllFilesize
11KB
MD50063d48afe5a0cdc02833145667b6641
SHA1e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA51271cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0
-
C:\Users\Admin\AppData\Local\Temp\nsy90AD.tmp\System.dllFilesize
11KB
MD50063d48afe5a0cdc02833145667b6641
SHA1e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA51271cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0
-
C:\Users\Admin\AppData\Roaming\843795456Filesize
57KB
MD58a9d30b739f21522b79d9c7fb582e56d
SHA1db2593c6aeda57946dd2540a3af807fd63957fce
SHA256056bbd47c7b226a83bcf053e3b05e72026828f2f996be88c236e803830b92157
SHA512f3a301aef0e49b2ef65bef5936483dcbda33b81f8a2dfcf46ab44d9b8f21a409f5b5d05973752376374ba51f018addfd6dc3a1347511f9814f35ee2f64616e66
-
C:\Users\Admin\AppData\Roaming\843795456Filesize
57KB
MD599792628d18aa0e41870a6e5d685bfb2
SHA136765c46d3a7cee7ef5034aaf7692a9e8f893be3
SHA25654fb8a7da6530096d63df4d55123de5813eae41f5185be74a5ec829aa49ec417
SHA512b723c307c0220783aac3a59c0cb1bf687701256b35990ecc758a7d7b91c05f5e02c7150d289ae715a756dc7181cc71a48960176347e2777d14eafe180f154183
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\dsffffffdd.lnkFilesize
1KB
MD5ca35ee8667aa4fcee684e8994716e35a
SHA199b97a8e7b74b8d3aed2e983b97c117f28c3efdf
SHA2563eb2b4e12219d2e117d18fac8c6185d1c978f75d3f38b3593fccf4360d7b6a59
SHA51271aa26c84450c2afe9f753d34f6297bc86490734515ae7074f26be34e7edfff517c809794f68130fa792782ef188bfe99fc7de5caf9a85729bea1570ed5a8d22
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\dsffffffdd.lnkFilesize
1KB
MD549a3f542561d13c94f79de49e708e8e6
SHA1cac978cfd97e117d26c49ea8f7bf3c927d1e1625
SHA2565a7a222312aeb17d1735e2a57bb96c9b3be07e6d21b9d7f864a107e96d4220df
SHA5128785d485aeb9b41a0accd9621a10c62559515d8be0f7c24760eb355b27daeb7796d2dd92b356563dedbf69bb8d49060950c7c26255036c2ed3e917da28b88c75
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\qasdadsdsd.lnkMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\qasdadsdsd.lnkFilesize
1KB
MD5b76bb554128b1b4a2d414e1a97df5baa
SHA1d92e788db63fc811d90fd0495b4dd686520c452c
SHA25680fef590814547c025297f43141602b96a4c79737ede6719698cf88dca7d30a6
SHA5126f84db9e2e0eb109b93a580321f7ce9ce4d9ea4d25f599359d70e0e8eeb7b287b100dad811254d5c783d788f1dda3337bb1ed060201e58b2722410a6df51a2c9
-
memory/1156-155-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/1156-17175-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/1156-211-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/1156-143-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/1156-141-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/1156-20396-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/3824-1133-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/3824-1156-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/3824-9279-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB