Analysis
- max time kernel: 106s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 27/12/2023, 17:59
Behavioral task: behavioral1
- Sample: 2023-12-24_c3eb80e8aa150aa10b82a5975c17a116_makop.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 2023-12-24_c3eb80e8aa150aa10b82a5975c17a116_makop.exe
- Resource: win10v2004-20231215-en
General
- Target: 2023-12-24_c3eb80e8aa150aa10b82a5975c17a116_makop.exe
- Size: 42KB
- MD5: c3eb80e8aa150aa10b82a5975c17a116
- SHA1: 3d8e7c04891606b47c27e8225c27f385de3100e5
- SHA256: 92cc252d8eebc2d64aaf63f383eb549e46d115409ec2d537a3ff935b3f1ff40b
- SHA512: b676cfef912f24aa2e96ca2bc0b73e808702450f1d4439498f0ccd53248f4b6d88fa753d09e155da5d08bf3d77d794c36a16678774402f327263a3175c5e520d
- SSDEEP: 768:5O1oR/fVS1RzK4wbs+D/SIJX+ZZ1SQQwZuIOPzDX5aBd69O59GKbup7IU5F:5FS1FKnDtkuImX4jHGKbj8
Malware Config
- Extracted: C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\+README-WARNING+.txt
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (3514) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- pid Process: 2740 wbadmin.exe
- Drops file in Program Files directory (64 IoCs)
  description / ioc (Process for every entry: 2023-12-24_c3eb80e8aa150aa10b82a5975c17a116_makop.exe)
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\config.ini
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup.xml
  File opened for modification  C:\Program Files\Windows Defender\MpCommu.dll
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\back.png
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-next-static.png
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Gibraltar
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground_PAL.wmv
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\MANIFEST.MF
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Beulah
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\Asia\Srednekolymsk
  File created                  C:\Program Files\Microsoft Games\More Games\en-US\+README-WARNING+.txt
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Ceuta
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui
  File opened for modification  C:\Program Files\Common Files\System\msadc\adcvbs.inc
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\include\jni.h
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml
  File opened for modification  C:\Program Files\Microsoft Games\Chess\en-US\Chess.exe.mui
  File opened for modification  C:\Program Files\Microsoft Games\Minesweeper\de-DE\Minesweeper.exe.mui
  File opened for modification  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Xml.Linq.Resources.dll
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IPSEventLogMsg.dll.mui
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.zh_CN_5.5.0.165303.jar
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.sun.el_2.2.0.v201303151357.jar
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.RSA
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_zh_CN.jar
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmagnify_plugin.dll
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\content-background.png
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_ja_4.4.0.v20140623020002.jar
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util-lookup_ja.jar
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\America\Swift_Current
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\Europe\Luxembourg
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\codec\libuleaddvaudio_plugin.dll
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\IpsMigrationPlugin.dll.mui
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\service.js
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_zh_CN.jar
  File opened for modification  C:\Program Files\Java\jre7\lib\net.properties
  File opened for modification  C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui
  File opened for modification  C:\Program Files\Windows Media Player\mpvis.DLL
  File opened for modification  C:\Program Files\Windows NT\TableTextService\TableTextServiceAmharic.txt
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_ja.jar
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\dnsns.jar
  File created                  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\+README-WARNING+.txt
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookbig.gif
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_ja.jar
  File created                  C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\+README-WARNING+.txt
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\settings.html
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe
  File created                  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\+README-WARNING+.txt
  File opened for modification  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Web.Entity.Design.Resources.dll
  File created                  C:\Program Files\VideoLAN\VLC\plugins\d3d11\+README-WARNING+.txt
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-font.dll
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\jaccess.jar
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor_1.0.300.v20131211-1531.jar
  File opened for modification  C:\Program Files\Java\jre7\bin\fxplugins.dll
  File opened for modification  C:\Program Files\Java\jre7\bin\java-rmi.exe
  File opened for modification  C:\Program Files\Java\jre7\LICENSE
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.h
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-visual.xml
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_ja.jar
  File opened for modification  C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid Process: 1184 vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid Process: 2088 2023-12-24_c3eb80e8aa150aa10b82a5975c17a116_makop.exe
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  description (Token) / pid / Process
  1944 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  2560 wbengine.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
  2544 WMIC.exe (each of the following 20 tokens recorded twice, 40 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- Suspicious use of WriteProcessMemory (13 IoCs)
  description / pid / Process / procid_target
  PID 2088 wrote to memory of 2512 / 2088 / 2023-12-24_c3eb80e8aa150aa10b82a5975c17a116_makop.exe / 29 (4 entries)
  PID 2512 wrote to memory of 1184 / 2512 / cmd.exe / 31 (3 entries)
  PID 2512 wrote to memory of 2740 / 2512 / cmd.exe / 34 (3 entries)
  PID 2512 wrote to memory of 2544 / 2512 / cmd.exe / 38 (3 entries)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\2023-12-24_c3eb80e8aa150aa10b82a5975c17a116_makop.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2023-12-24_c3eb80e8aa150aa10b82a5975c17a116_makop.exe"
  PID: 2088
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2023-12-24_c3eb80e8aa150aa10b82a5975c17a116_makop.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2023-12-24_c3eb80e8aa150aa10b82a5975c17a116_makop.exe" n2088
    PID: 1304
  - C:\Windows\system32\cmd.exe
    command line: "C:\Windows\system32\cmd.exe"
    PID: 2512
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      command line: vssadmin delete shadows /all /quiet
      PID: 1184
      - Interacts with shadow copies
    - C:\Windows\system32\wbadmin.exe
      command line: wbadmin delete catalog -quiet
      PID: 2740
      - Deletes backup catalog
    - C:\Windows\System32\Wbem\WMIC.exe
      command line: wmic shadowcopy delete
      PID: 2544
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  PID: 1944
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe
  command line: "C:\Windows\system32\wbengine.exe"
  PID: 2560
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe
  command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID: 2640
- C:\Windows\System32\vds.exe
  command line: C:\Windows\System32\vds.exe
  PID: 3060
- C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
  PID: 1260
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 19a625ff7fbf27805327d707e9bb5521
  SHA1: f5d343259742dffbeb11c7df95217cd12213d537
  SHA256: 0c8362e1cedf4779f508902f6826fdb86fd0560afb91d788079e1652830adc58
  SHA512: d9eca003da692c475063f80640fbb12df8c17f5fa033bc381de6d4801b8e26c8f8a19d2554ff19e7a76b1b26bb776f8988bc1e4af7df18bd0965249f7c9cb967