Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    22/01/2024, 15:47

General

  • Target

    3b15b66bf6a7d7ebab6437906686037f23a797d15e0fbff3d6741d3f58db8f1e.exe

  • Size

    34KB

  • MD5

    5bcf1a6a65d8d0d2ad1c2a78935322b5

  • SHA1

    c5af15f8170e3840ba756397cb1548fa9489fae9

  • SHA256

    3b15b66bf6a7d7ebab6437906686037f23a797d15e0fbff3d6741d3f58db8f1e

  • SHA512

    f21e3bc29b60d3ed248dd048774823d013beb43f2fcf7e560774f1987dc07ff42de2fb68a8dd3bad0653a8587cca9b9f18e0671342c81d8c5698b97a135eb639

  • SSDEEP

    768:24HLd8Vdh1qV1Esg8kdJCzSIZHkKRV6kNDB3eHkkb/u:2Q8VgV1U8ZGURVFB3eH/u

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\scoped_dir60_1583542252\readme-warning.txt

Family

makop

Ransom Note
::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. .4. Q: How to contact with you? A: You can write us to our mailbox: [email protected] or [email protected] .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don't want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Signatures

  • Makop

    Ransomware family discovered by @VK_Intel in early 2020.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (8220) files with added filename extension

    This suggests ransomware activity: encrypting all files on the system.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 30 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 30 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 45 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b15b66bf6a7d7ebab6437906686037f23a797d15e0fbff3d6741d3f58db8f1e.exe
    "C:\Users\Admin\AppData\Local\Temp\3b15b66bf6a7d7ebab6437906686037f23a797d15e0fbff3d6741d3f58db8f1e.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1240
    • C:\Users\Admin\AppData\Local\Temp\3b15b66bf6a7d7ebab6437906686037f23a797d15e0fbff3d6741d3f58db8f1e.exe
      "C:\Users\Admin\AppData\Local\Temp\3b15b66bf6a7d7ebab6437906686037f23a797d15e0fbff3d6741d3f58db8f1e.exe" n1240
      2⤵
        PID:3452
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2360
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:2424
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          3⤵
          • Deletes backup catalog
          PID:3252
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2392
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4684
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3436
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:2592
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:1488
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3196
      • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
        1⤵
        • Drops file in Windows directory
        • Enumerates system info in registry
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2292

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.3.db

        Filesize

        16KB

        MD5

        94d1a1b39b9bb9c88015ca4757e1294c

        SHA1

        dcb715302c0f45b8acf2d95b97cc043f62fd9648

        SHA256

        03950df0172799444e603fdc030a2e9500a24cf83e6f166ca110ba03737acc30

        SHA512

        21a057cd9efc7791145fefc613523b829064a6dc7d934707fb40f5eb3ef2bf14f730cbf2aa2bad8fad490ccaf4e9e8dab7389b6846a8bbcd7afed2b4fdd326cf

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000015.db

        Filesize

        97KB

        MD5

        5625e1c164b189a617fac8fc7379a934

        SHA1

        3f4e727b39c8812273ef3df800840acc1ac67663

        SHA256

        6a94cc56cb680a0b19ef7cee2b85d6918bda77c100ba12e3a09974a7f7dca494

        SHA512

        9079a725302cba01aca16e9c788eb9a6f895c14a61184d2f9daba4773e528e046cc0610deee5a55b3b54348ea82511a497c4fad657c4650979842ef99271c261

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000016.db

        Filesize

        92KB

        MD5

        46dfcdd2f48a9fc76108103e5ffbfb95

        SHA1

        aec157649a3573ca99212325af29b957b5160849

        SHA256

        2405d0e1d948c3aecd1dffc9e9916b5a350316647b98917e6ff969c431f5d12f

        SHA512

        8e44b2031db624870cd660f5ef495cc4714b43341148532b107a9219bdc2c8901989eb570f39a645a3976c06ee877f46fac7bfb0c927773b5cf7cc38a8fca18d

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000017.db

        Filesize

        40KB

        MD5

        6018c8a3bd8bf9d7b05e7ec33bd12643

        SHA1

        6d883f62b579494420af1f71cf8d6e748c4e988d

        SHA256

        ee040676650b22c692be589a46d313a0cfc9d2174a5980247febec8059977df5

        SHA512

        cb7a0cc97b23f1748df904ab84023788a3198e86e2797d0bff840b9b2cff6528e976284703fdbb792d1a0525f3afede4374cf98d8e59dbf0c0a6750171a90449

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db

        Filesize

        1024KB

        MD5

        9daff4c8ad6fc274fe7ff2eaa16dfdeb

        SHA1

        b21bc8ce6b49e58d217186af0b4dce3a4e16aaec

        SHA256

        f02eceb4bbadf8794c345d90ca37419d613134ba80f861d400031c3903380f61

        SHA512

        d17ec1fb1f4067e0bf6baac08b00d4d0f8d77d6f9afc566e86f5b9db18b62661d1c9d38e001bed165d3da9533d12c44c0bcf6273b958d017de83d0232bb08f95

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db

        Filesize

        1024KB

        MD5

        6ddd214da81d5fbb73cb31e0c033da1b

        SHA1

        a25f70fd7e0de2ed8d518a88d5ef3315db8e903f

        SHA256

        403bd11814c741e96cefe47df69ed7fe9951c2be4036096085730a80fe182306

        SHA512

        218cbf31e537a495610eb4e23aa51a8252708c24501c840cd6f8aeacb88988b357c950e25069d6aca1d1e884f152e387a2efd83c8be9f05b3c03a12bfcf99522

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

        Filesize

        1024KB

        MD5

        f5fef41e3d9b7053177844b3f94d8b61

        SHA1

        c0c6384f2e0b56c6ac0b999d8584a2bc9509d20e

        SHA256

        68431ab4b4a76a1a635df107e402a68d272c88729c157e5de0fbdf84523b879e

        SHA512

        7039fbe40f264b4a79df4219fbee8952ad0d05a2501cf9ca5cfd28adc86558dc6df1a2568e486d06b6f50566f1ce74b7b9d0796891b5d1dbabcf077fa7dbd885

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

        Filesize

        1024KB

        MD5

        571a1748c4ca653619eb26c2a5a48d00

        SHA1

        9842699987603f5ea52d5893abd18768ea071522

        SHA256

        062dbaef67ca50cca91823659ecafbdd1873b62abffadc83429c97d38d7bbbe0

        SHA512

        8643ea15ee85dced763ca3e546853f96b239dff279f00063dfcf9e35cdf9d8fddce49477ba1c6938c39ff6441b8d1f6caf96f0cf77443588b33744fc7aab8c4a

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

        Filesize

        7KB

        MD5

        75430994a9d6eb12d7d466adc7721020

        SHA1

        0f304f258fec9553341dffe96b752e9e086d265b

        SHA256

        39a780d6a9729f61a05bec79ae999168eaab1a60ad23ba6e63387fc084f1f142

        SHA512

        7ddda9b9d99cb59f11b079830268ad750b99c8368cffa00e552197816b829e307d2879d039023485ab6a5c21df7627376376c31a81966ea5dcad130848b18b8c

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

        Filesize

        7KB

        MD5

        9222892f3034ae247afee9b34c665c04

        SHA1

        8239a192f69398128931ad09d557fd4112f94fa4

        SHA256

        46c389b2e7cd73343c57c2ea6009f75db7f591ace23e94f6c942f6d3441cb556

        SHA512

        dd4949831cef9f5b0b63435baf1ebfec47644308b404d2cec38037c0504904c2de4f08c2a482f9acc948f940f111a65be8072243775abe000616b6c382bd98ea

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

        Filesize

        7KB

        MD5

        7488505d20d4b077a3cbed5a91f40987

        SHA1

        a7efb2a0585fc175f6bb8519dbaebb43d0d373a6

        SHA256

        b92f064586324965cfc9aab86cb152e1485dd32e645636d88269d0fc72c068fe

        SHA512

        da7405aa8acb0e377e1ccb63e5f95985b8ad1c17585286bbf577017d42fdda15318714529b1f62633b8b0a809556fc16c777148c9bfe52799bda15e7aa3a73cc

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db

        Filesize

        1024KB

        MD5

        7ed9a4e8b986796993207e36e51b573b

        SHA1

        13935b20ba4e937ae540e45798712d72030d76a5

        SHA256

        898cbb634e17962c00ad37549f48220280cabb72e67b794b1b9b4577f7ed520b

        SHA512

        dbf3a85d7365ed151eb4cd3d8f352820232c41ece68862ba789101fd96e6d21507df267e6713435a0fe0ea9da8839a51dd9056f1dcaf0e644e32fe23cbf1b7e3

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db

        Filesize

        24B

        MD5

        ae6fbded57f9f7d048b95468ddee47ca

        SHA1

        c4473ea845be2fb5d28a61efd72f19d74d5fc82e

        SHA256

        d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9

        SHA512

        f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

        Filesize

        7KB

        MD5

        e5a5b5622d830be538f845db9d65bbdc

        SHA1

        4c6c9f7b097d7abf3cc438be5b4bd8f591fed199

        SHA256

        e32faaa8d5ec0c7b2dae1b98be4c3b11f5f47cbd444214540e496e643fd8092a

        SHA512

        0c459acb6d8c7873f3e2f1cc2d9542ff29825bd502def4c7ac9e1c82af159f868b81832e06b076dd7f65ee712c67e440f54d24e20f6bed013def3486867afae2

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

        Filesize

        7KB

        MD5

        7f185571308e75f753330bd6bc8522ce

        SHA1

        f4a125d49ec032399dd1e7c5502a0f7d9dd74c17

        SHA256

        df3b832c437f0c0157cdfa7591964d7da0788f10f7d1e44b0eb0cc0a9305adf3

        SHA512

        0a834338a133e5544bdc13bae16a376f486902de398d6874c2d32dca8dd4fad49cc8587fa200daa66cb82876683043c8a9e19e9c751a8e13b3ccf4822538ab6c

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4032412167\2900507189.pri

        Filesize

        97KB

        MD5

        d440e2a255f88db2cd9ed7352cb2b60a

        SHA1

        b06d3a4a4d030272f98e121f771af88f7b198c46

        SHA256

        7f18cbd2dc6db079be126f4d99c205a4347dfd6558ff47a60301621a70b0ebfe

        SHA512

        bef450b7bbe32c9d2542fedf70e514b898b2146011ee0cef66dfe4a46e26c76f639b4d11bd7efc8f29563b6e7ed7312f6dfb94b1cdae0b106ff0698a455de8a4

      • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.cortana_cw5n1h2txyewy\AC\Microsoft\Windows\1601268389\3877292338.pri

        Filesize

        162KB

        MD5

        c737025493c11c1668e636e1c7c7a298

        SHA1

        64364853009fb7e11c9c127c843682860e004519

        SHA256

        9f636d5bd1d92d97385e6cd745d4786d23de782195b8966a0d341055748b03ce

        SHA512

        83521b90c3028d7a3bdc84dd8a63286988f3c31ae2e377d70baf26a3ff054e5f282c39f494a04517ab9dfb765569a65745b3f42bd7c15a18cf4922f8d81bb4fd

      • C:\Users\Admin\AppData\Local\Temp\2e6e0584-0656-4c8e-9c28-3bd3ca29eb6e\3950266016.pri

        Filesize

        3KB

        MD5

        2bf467eb5b9849766bbeaf369f660932

        SHA1

        379ecc09f68d991e26b042e05733249f24abf6f1

        SHA256

        d94477eb5e0e2211a80cceeaaa6e4ca2d3a2fa601399a3c3d305b91c79f729fb

        SHA512

        a61ee3201065c8e6a486d7e51273ff753364af636247cb7181fa92d0c21a60e76b5c7b46a21cd6e0c6b8de7b32f92738129983e7ccb7ac992cd1061b4aa33f98

      • C:\Users\Admin\AppData\Local\Temp\2e6e0584-0656-4c8e-9c28-3bd3ca29eb6e\3950266016.pri

        Filesize

        3KB

        MD5

        d6e7090ef2d0f054b6d8211a282a5aaf

        SHA1

        5832b3dc392ffb4e7124d3f962f7c1263223a2d6

        SHA256

        a9316d42639bb806422fd042846c3f7ca6afab8b5c95b106c7baf78c9347d59b

        SHA512

        28781d78da6b600a75592e0675699363220715d1ee2f19456bfafd818dbefadd7a4a128daa7955bc01be37abd690ba4212c9e6334df7809e3db6be16aa90c468

      • C:\Users\Admin\AppData\Local\Temp\de572f05-48d6-4fa5-a956-2494d907c05c\3950266016.pri

        Filesize

        3KB

        MD5

        41437af35383c0f5c5b7d862ec3fdf8c

        SHA1

        6175aa3b861629913e4149685aaed912cecb458d

        SHA256

        439f5268eae8e847ad5ba46bf2798369773f8a83d065ed6f3bbd196f7f6457de

        SHA512

        14069d282ec9ba034f5a9bbb81d9f19434bb37b9d998ca0bc0a4dd40a593b4fbac20c198cc81d17d226b92686f44a95bf035c0a040c1a9ab2a24a911715091a3

      • C:\Users\Admin\AppData\Local\Temp\scoped_dir60_1583542252\readme-warning.txt

        Filesize

        1KB

        MD5

        77a68ff56146027e479d7fb6c84c4aa4

        SHA1

        d58ca47125ce00bf752bd66c378ace3559b98689

        SHA256

        fb25fd1761c66f21136889ce4f5a15c84e60e47e26595ae1b77f5f4f63d95f7f

        SHA512

        f47b954833905f6e6d17f98d882f460c7fd73e47efd48a9ddd01a16410c0754d240dab6fc45ae0afa3516f9dea24895619fdcbd96e232c5c3347e23fe485830e

      • memory/2292-18844-0x000002136FA30000-0x000002136FA50000-memory.dmp

        Filesize

        128KB

      • memory/2292-18849-0x000002136FCE0000-0x000002136FD00000-memory.dmp

        Filesize

        128KB

      • memory/3196-18832-0x0000000001080000-0x0000000001081000-memory.dmp

        Filesize

        4KB