General
-
Target
e6ec699b6839f02fec298d786d95244e
-
Size
2.5MB
-
Sample
231228-syqahsabem
-
MD5
e6ec699b6839f02fec298d786d95244e
-
SHA1
f1c26f1a8729f075f2f49c849be1d8b817bf1b6c
-
SHA256
d86c9114ecca7a31539278705d7e50f9674a562e1382a6053e735d9d2b30942a
-
SHA512
e579bbaa11529b8bdcb33771ef39e1b1461aa927bf7ce7f24c633aff2b14fe5367e0bdb259354942a7d95f82f34960f110a1bfad1db55b819de486f1a6d4971c
-
SSDEEP
1536:Hn/Ay6PcOtb0LO6kWkVc/HfvfNdmNzyrhe:Hn/A7
Malware Config
Targets
-
-
Target
e6ec699b6839f02fec298d786d95244e
-
Size
2.5MB
-
MD5
e6ec699b6839f02fec298d786d95244e
-
SHA1
f1c26f1a8729f075f2f49c849be1d8b817bf1b6c
-
SHA256
d86c9114ecca7a31539278705d7e50f9674a562e1382a6053e735d9d2b30942a
-
SHA512
e579bbaa11529b8bdcb33771ef39e1b1461aa927bf7ce7f24c633aff2b14fe5367e0bdb259354942a7d95f82f34960f110a1bfad1db55b819de486f1a6d4971c
-
SSDEEP
1536:Hn/Ay6PcOtb0LO6kWkVc/HfvfNdmNzyrhe:Hn/A7
Score10/10-
Makop
Ransomware family discovered by @VK_Intel in early 2020.
-
Modifies Windows Defender Real-time Protection settings
-
Turns off Windows Defender SpyNet reporting
-
Windows security bypass
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Nirsoft
-
Renames multiple (212) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes backup catalog
Uses wbadmin.exe to inhibit system recovery.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Windows security modification
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-