Analysis

  • max time kernel
    131s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20230621-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/07/2023, 13:27 UTC

General

  • Target

    082a2ce2dde8b3a50f2d49949.exe

  • Size

    34KB

  • MD5

    578961ae2ca365d4c4043aacb332b2ab

  • SHA1

    1f4a4edc5042b52e044cf3113ac41fd010bc45ef

  • SHA256

    082a2ce2dde8b3a50f2d499496879e85562ee949cb151c8052eaaa713cddd0f8

  • SHA512

    5ce6c2838f34e77dec1814501d4e85a85e5c16ee21ac80af84f4d346ee1ea2044784a6f2fed5a95298721befd74620a8285f2c1de1f42e800513032f18f0df33

  • SSDEEP

    768:W4HLd8VdhfqV1Esg8kdJCzSIZHkKRV6kNDGt6m474va8I:WQ8ViV1U8ZGURVFGi9

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\readme-warning.txt

Family

makop

Ransom Note

::: Greetings :::
Little FAQ:
.1. Q: Whats Happen?
A: Your files have been encrypted and now have the "makop" extension. The file structure was not damaged, we did everything possible so that this could not happen.
.2. Q: How to recover files?
A: If you wish to decrypt your files you will need to pay in bitcoins.
.3. Q: What about guarantees?
A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee.
.4. Q: How to contact with you?
A: You can write us to our mailbox: mondezir@mailfence.com
.5. Q: How will the decryption process proceed after payment?
A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.
.6. Q: If I don't want to pay bad people like you?
A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money.
:::BEWARE:::
DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.
Emails

mondezir@mailfence.com

Signatures

  • Makop

    Ransomware family discovered by @VK_Intel in early 2020.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (8228) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\082a2ce2dde8b3a50f2d49949.exe
    "C:\Users\Admin\AppData\Local\Temp\082a2ce2dde8b3a50f2d49949.exe"
    1⤵
    • Modifies extensions of user files
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Users\Admin\AppData\Local\Temp\082a2ce2dde8b3a50f2d49949.exe
      "C:\Users\Admin\AppData\Local\Temp\082a2ce2dde8b3a50f2d49949.exe" n1556
      2⤵
      PID:1220
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1932
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:240
      • C:\Windows\system32\wbadmin.exe
        wbadmin delete catalog -quiet
        3⤵
        • Deletes backup catalog
        PID:2020
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:940
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:428
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:664
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:1972
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    PID:1388

Network

  • flag: us
    DNS
    iplogger.org
    082a2ce2dde8b3a50f2d49949.exe
    Remote address: 8.8.8.8:53
    Request
    iplogger.org
    IN A
    Response
    iplogger.org
    IN A
    148.251.234.83
  • 148.251.234.83:443
    iplogger.org
    tls
    082a2ce2dde8b3a50f2d49949.exe
    393 B
    219 B
    5
    5
  • 148.251.234.83:443
    iplogger.org
    tls
    082a2ce2dde8b3a50f2d49949.exe
    355 B
    219 B
    5
    5
  • 148.251.234.83:443
    iplogger.org
    tls
    082a2ce2dde8b3a50f2d49949.exe
    288 B
    219 B
    5
    5
  • 148.251.234.83:443
    iplogger.org
    082a2ce2dde8b3a50f2d49949.exe
    190 B
    92 B
    4
    2
  • 8.8.8.8:53
    iplogger.org
    dns
    082a2ce2dde8b3a50f2d49949.exe
    58 B
    74 B
    1
    1

    DNS Request

    iplogger.org

    DNS Response

    148.251.234.83

MITRE ATT&CK Enterprise v6


Downloads

  • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\readme-warning.txt

    Filesize

    1KB

    MD5

    70d965f621da4a7bff6331a758557a7e

    SHA1

    da2b0d08f2366b40672b26ae8c06169ea0cd18b6

    SHA256

    18c52ada9b402085fdce9fa273b9d56ec35105d987b9a65ba76bb41ca57d1a20

    SHA512

    beeda74b145a104898329220c088d86b9fbe08e6800b9a58f4be62d0b3276cb66c41ac00a415d68b942a1f75f8e43486bdd4c9387dff3182e81ef7fa18949e3c
