makop

General

Target

48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521
Size

1.9MB
Sample

240203-vn6wmagedk
MD5

40ec0e62856036983be04f31ce670fb9
SHA1

0d04b8139fe71a1736a8168fbf072df61d7d7bd6
SHA256

48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521
SHA512

1094d49d3fcb757fe2d1c49d1e441ab086f4cff80ffd8572b0017546350838dcba83f102796009d811a360f6825928c13e3697b7dd462627bb83fb92534fc806
SSDEEP

192:z/TeYoeb67sc8+otH8SESePujd2kTCMZehZtzMuuQzBLerxA/GWeGMEd022XbTFi:z/yYoebe5JotHESxjuM63KI

Score

10^/10

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\readme-warning.txt

Family

makop

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "makop" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: [email protected] .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Sharing

General

Malware Config

Extracted

Targets

Modifies Windows Defender Real-time Protection settings

Turns off Windows Defender SpyNet reporting

Windows security bypass

Deletes shadow copies

Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF

Detects executables containing artifacts associated with disabling Widnows Defender

Detects executables embedding command execution via IExecuteCommand COM object

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Detects executables potentially checking for WinJail sandbox window

Nirsoft

Renames multiple (8212) files with added filename extension

Deletes backup catalog

Modifies Installed Components in the registry

Stops running service(s)

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Windows security modification

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2