Overview

overview

10

Static

static

3

5ac385a18e...3f.exe

windows7-x64

10

5ac385a18e...3f.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5ac385a18e905a102641064be708783f

  • Size

    171KB

  • Sample

    240114-kbqnrsfhf2

  • MD5

    5ac385a18e905a102641064be708783f

  • SHA1

    dda176956d5df2fda89aa567c610dd73141a509f

  • SHA256

    c648f1cae038bc878bc5f41fc7696112dcdb953cc2af59235c3c9708bd562f7a

  • SHA512

    088f28fd4757b2d35110c3088231a7d2d0c95817172cf72a62daf5e8f850ff62a2204208848f9ed0f7ec8a7b145e44497658649a45bf898c4886abd76a0b443d

  • SSDEEP

    3072:ovGyYiSDnt195GWp1icKAArDZz4N9GhbkrNEk1X8z1Adh6rQI4:M4Lp0yN90QEhjrQf

Score
10/10
makoppersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\readme-warning.txt

Ransom Note
All of your files have been encrypted. Your backup files as well. We have exfiltrated tons of your private data to our servers including data of your clients, dont believe us ? Read on. In order to restore your operations, avoid leaking/selling your data, and keep your business reputation intact, contact us directly on the below TOX ID as soon as possible. 1) TOX Download: https://tox.chat/ 2) TOX ID: 4A7F41CC6A5B87AF99450066F313C224D4E0E5501414670A8C5B802403E6292F859F178BB85F 3) Install TOX and add the TOX ID in the step 2 4) Share your personal ID over TOX chat (Do not send hello without your personal ID provided below) Upon contacting us, proof will be provided that we can decrypt your data, and samples of exfiltrated confidential information will also be provided. Although its not our intention , if you do not cooperate , we will not hesitate to make your data public including any confidential data , sell to your competitors/bidders , or send your clients their data just to make you look really bad and lose your clients trust , or even worse , being prosecuted for not telling your affected clients that their data has been compromised. Talking to law enforcement will only ensure that you don't get a decryption key and put your business reputation on the line. Attention! - Do not rename encrypted files. - Do not try to decrypt your data using third party software, it may cause permanent data loss. Your personal ID: 57200DC3
URLs

https://tox.chat/

Extracted

Path

C:\Program Files\Common Files\microsoft shared\ClickToRun\readme-warning.txt

Ransom Note
All of your files have been encrypted. Your backup files as well. We have exfiltrated tons of your private data to our servers including data of your clients, dont believe us ? Read on. In order to restore your operations, avoid leaking/selling your data, and keep your business reputation intact, contact us directly on the below TOX ID as soon as possible. 1) TOX Download: https://tox.chat/ 2) TOX ID: 4A7F41CC6A5B87AF99450066F313C224D4E0E5501414670A8C5B802403E6292F859F178BB85F 3) Install TOX and add the TOX ID in the step 2 4) Share your personal ID over TOX chat (Do not send hello without your personal ID provided below) Upon contacting us, proof will be provided that we can decrypt your data, and samples of exfiltrated confidential information will also be provided. Although its not our intention , if you do not cooperate , we will not hesitate to make your data public including any confidential data , sell to your competitors/bidders , or send your clients their data just to make you look really bad and lose your clients trust , or even worse , being prosecuted for not telling your affected clients that their data has been compromised. Talking to law enforcement will only ensure that you don't get a decryption key and put your business reputation on the line. Attention! - Do not rename encrypted files. - Do not try to decrypt your data using third party software, it may cause permanent data loss. Your personal ID: 0FFF1DDF
URLs

https://tox.chat/

Targets

    • Target

      5ac385a18e905a102641064be708783f

    • Size

      171KB

    • MD5

      5ac385a18e905a102641064be708783f

    • SHA1

      dda176956d5df2fda89aa567c610dd73141a509f

    • SHA256

      c648f1cae038bc878bc5f41fc7696112dcdb953cc2af59235c3c9708bd562f7a

    • SHA512

      088f28fd4757b2d35110c3088231a7d2d0c95817172cf72a62daf5e8f850ff62a2204208848f9ed0f7ec8a7b145e44497658649a45bf898c4886abd76a0b443d

    • SSDEEP

      3072:ovGyYiSDnt195GWp1icKAArDZz4N9GhbkrNEk1X8z1Adh6rQI4:M4Lp0yN90QEhjrQf

    Score
    10/10
    makoppersistenceransomwarespywarestealer

    • MAKOP ransomware payload

    • Makop

      Ransomware family discovered by @VK_Intel in early 2020.

      ransomwaremakop

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Renames multiple (8203) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks