Overview

overview

10

Static

static

10

eee8150ba9...73.exe

windows7-x64

10

eee8150ba9...73.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    eee8150ba918a7ed099074a1b87a97b3c7f6648a763eedd7096acf16f40e0a73

  • Size

    34KB

  • Sample

    240203-vr93fsgfdn

  • MD5

    951dce6731c5f3d2dae570597bc19d59

  • SHA1

    cb32d6679e51d454bc9b3aa5ceb071302cbe2147

  • SHA256

    eee8150ba918a7ed099074a1b87a97b3c7f6648a763eedd7096acf16f40e0a73

  • SHA512

    3ea6dca684a7671e3371740f9d91f8bc6b10119ae492949585e1bc8789b56f6d110f833f8684489fbfc4dda3d733fc127c242ae840cd262a89b44952dcc4fb09

  • SSDEEP

    768:N+0DG/+G4RmQj4HjKbkpSndT6Rwh1llAok5zHDKZNhfwPdrQ+:pDGyRmQjoK9SwvDAh9eNJw1rQ+

Score
10/10
makopransomwarespywarestealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\readme-warning.txt

Ransom Note
All of your files have been encrypted. Your backup files as well. We have exfiltrated tons of your private data to our servers including data of your clients, dont believe us ? Read on. In order to restore your operations, avoid leaking/selling your data, and keep your business reputation intact, contact us directly on the below TOX ID as soon as possible. 1) TOX Download: https://tox.chat/ 2) TOX ID: 4A7F41CC6A5B87AF99450066F313C224D4E0E5501414670A8C5B802403E6292F859F178BB85F 3) Install TOX and add the TOX ID in the step 2 4) Share your personal ID over TOX chat (Do not send hello without your personal ID provided below) Upon contacting us, proof will be provided that we can decrypt your data, and samples of exfiltrated confidential information will also be provided. Although its not our intention , if you do not cooperate , we will not hesitate to make your data public including any confidential data , sell to your competitors/bidders , or send your clients their data just to make you look really bad and lose your clients trust , or even worse , being prosecuted for not telling your affected clients that their data has been compromised. Talking to law enforcement will only ensure that you don't get a decryption key and put your business reputation on the line. Attention! - Do not rename encrypted files. - Do not try to decrypt your data using third party software, it may cause permanent data loss. Your personal ID: 469965A0
URLs

https://tox.chat/

Extracted

Path

C:\Program Files\Common Files\DESIGNER\readme-warning.txt

Ransom Note
All of your files have been encrypted. Your backup files as well. We have exfiltrated tons of your private data to our servers including data of your clients, dont believe us ? Read on. In order to restore your operations, avoid leaking/selling your data, and keep your business reputation intact, contact us directly on the below TOX ID as soon as possible. 1) TOX Download: https://tox.chat/ 2) TOX ID: 4A7F41CC6A5B87AF99450066F313C224D4E0E5501414670A8C5B802403E6292F859F178BB85F 3) Install TOX and add the TOX ID in the step 2 4) Share your personal ID over TOX chat (Do not send hello without your personal ID provided below) Upon contacting us, proof will be provided that we can decrypt your data, and samples of exfiltrated confidential information will also be provided. Although its not our intention , if you do not cooperate , we will not hesitate to make your data public including any confidential data , sell to your competitors/bidders , or send your clients their data just to make you look really bad and lose your clients trust , or even worse , being prosecuted for not telling your affected clients that their data has been compromised. Talking to law enforcement will only ensure that you don't get a decryption key and put your business reputation on the line. Attention! - Do not rename encrypted files. - Do not try to decrypt your data using third party software, it may cause permanent data loss. Your personal ID: 6E4741DF
URLs

https://tox.chat/

Targets

    • Target

      eee8150ba918a7ed099074a1b87a97b3c7f6648a763eedd7096acf16f40e0a73

    • Size

      34KB

    • MD5

      951dce6731c5f3d2dae570597bc19d59

    • SHA1

      cb32d6679e51d454bc9b3aa5ceb071302cbe2147

    • SHA256

      eee8150ba918a7ed099074a1b87a97b3c7f6648a763eedd7096acf16f40e0a73

    • SHA512

      3ea6dca684a7671e3371740f9d91f8bc6b10119ae492949585e1bc8789b56f6d110f833f8684489fbfc4dda3d733fc127c242ae840cd262a89b44952dcc4fb09

    • SSDEEP

      768:N+0DG/+G4RmQj4HjKbkpSndT6Rwh1llAok5zHDKZNhfwPdrQ+:pDGyRmQjoK9SwvDAh9eNJw1rQ+

    Score
    10/10
    makopransomwarespywarestealer

    • Makop

      Ransomware family discovered by @VK_Intel in early 2020.

      ransomwaremakop

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Renames multiple (8222) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks