makop | f9c4ddad16bf3d2446639ed848334a2c1741af3fab677199c7aef6b5bf6f098e

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/03/2024, 04:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d28f799d666a23fda187776242073993.exe
Size

101KB
MD5

d28f799d666a23fda187776242073993
SHA1

33228c4a1dfe34c2ddd8400300890447dc951f7c
SHA256

f9c4ddad16bf3d2446639ed848334a2c1741af3fab677199c7aef6b5bf6f098e
SHA512

85c27c26b9d322da4ea228be4b23e4b9b036ab6fa61d211c1e150fb88af556ef1c28c1f038d354fb9b34a3eb4911f8e278aa42632b2a4eacc1cf511f67962ff5
SSDEEP

3072:ef1BDZ0kVB67Duw9AMc9sKXbxGM63ikxBbcy6TwYpgI:e9X0G1x363ikxewYpJ

Score

10^/10

makop ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\readme-warning.txt

Family

makop

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "gamigin" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: [email protected] or [email protected] or [email protected] .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Emails

[email protected]

Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.
ransomware makop
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (8221) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1500	wbadmin.exe

Loads dropped DLL 2 IoCs

pid	Process
1640	d28f799d666a23fda187776242073993.exe
2628	d28f799d666a23fda187776242073993.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	d28f799d666a23fda187776242073993.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	iplogger.org
5	iplogger.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1640 set thread context of 2988	1640	d28f799d666a23fda187776242073993.exe	28
PID 2628 set thread context of 1552	2628	d28f799d666a23fda187776242073993.exe	42

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-tabcontrol.xml	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_COL.HXC	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BANNER.XML	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\it-IT\Sidebar.exe.mui	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Wallis	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FORMCTL.POC	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\STORYBB.DPV	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OCRHC.DAT	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Istanbul	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png	d28f799d666a23fda187776242073993.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\readme-warning.txt	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH00780U.BMP	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\PRODIGY.NET.XML	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FS3BOX.POC	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_ButtonGraphic.png	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\NOTE.CFG	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\init.js	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576black.png	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00453_.WMF	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif.[33CEB606].[[email protected]].gamigin	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_10.MID	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0233070.WMF	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL_COL.HXC	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN105.XML	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_zh_CN.jar	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif	d28f799d666a23fda187776242073993.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\readme-warning.txt	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\OnLineIdle.ico	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\service.js	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\picturePuzzle.js	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\MST	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\WMPMediaSharing.dll.mui	d28f799d666a23fda187776242073993.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\readme-warning.txt	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackground.jpg	d28f799d666a23fda187776242073993.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\readme-warning.txt	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\WinMail.exe.mui	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_fr.properties	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\library.js	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\en-US\sqloledb.rll.mui	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImagesMask.bmp	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tbilisi	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01742_.GIF	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\currency.js	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\currency.html	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287641.JPG	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_zh_4.4.0.v20140623020002.jar	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Norfolk	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\10.png	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)greenStateIcon.png	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\38.png	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01123_.WMF	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME51.CSS	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonSubpicture.png	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14996_.GIF	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\gadget.xml	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis.css	d28f799d666a23fda187776242073993.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\readme-warning.txt	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\UrbanResume.Dotx	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow.css	d28f799d666a23fda187776242073993.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.servlet_1.1.500.v20140318-1755.jar	d28f799d666a23fda187776242073993.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2584	vssadmin.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	d28f799d666a23fda187776242073993.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	d28f799d666a23fda187776242073993.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	d28f799d666a23fda187776242073993.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	d28f799d666a23fda187776242073993.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	d28f799d666a23fda187776242073993.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	d28f799d666a23fda187776242073993.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2988	d28f799d666a23fda187776242073993.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1640	d28f799d666a23fda187776242073993.exe
2628	d28f799d666a23fda187776242073993.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeBackupPrivilege	2708	vssvc.exe
Token: SeRestorePrivilege	2708	vssvc.exe
Token: SeAuditPrivilege	2708	vssvc.exe
Token: SeBackupPrivilege	592	wbengine.exe
Token: SeRestorePrivilege	592	wbengine.exe
Token: SeSecurityPrivilege	592	wbengine.exe
Token: SeIncreaseQuotaPrivilege	2748	WMIC.exe
Token: SeSecurityPrivilege	2748	WMIC.exe
Token: SeTakeOwnershipPrivilege	2748	WMIC.exe
Token: SeLoadDriverPrivilege	2748	WMIC.exe
Token: SeSystemProfilePrivilege	2748	WMIC.exe
Token: SeSystemtimePrivilege	2748	WMIC.exe
Token: SeProfSingleProcessPrivilege	2748	WMIC.exe
Token: SeIncBasePriorityPrivilege	2748	WMIC.exe
Token: SeCreatePagefilePrivilege	2748	WMIC.exe
Token: SeBackupPrivilege	2748	WMIC.exe
Token: SeRestorePrivilege	2748	WMIC.exe
Token: SeShutdownPrivilege	2748	WMIC.exe
Token: SeDebugPrivilege	2748	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2748	WMIC.exe
Token: SeRemoteShutdownPrivilege	2748	WMIC.exe
Token: SeUndockPrivilege	2748	WMIC.exe
Token: SeManageVolumePrivilege	2748	WMIC.exe
Token: 33	2748	WMIC.exe
Token: 34	2748	WMIC.exe
Token: 35	2748	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2748	WMIC.exe
Token: SeSecurityPrivilege	2748	WMIC.exe
Token: SeTakeOwnershipPrivilege	2748	WMIC.exe
Token: SeLoadDriverPrivilege	2748	WMIC.exe
Token: SeSystemProfilePrivilege	2748	WMIC.exe
Token: SeSystemtimePrivilege	2748	WMIC.exe
Token: SeProfSingleProcessPrivilege	2748	WMIC.exe
Token: SeIncBasePriorityPrivilege	2748	WMIC.exe
Token: SeCreatePagefilePrivilege	2748	WMIC.exe
Token: SeBackupPrivilege	2748	WMIC.exe
Token: SeRestorePrivilege	2748	WMIC.exe
Token: SeShutdownPrivilege	2748	WMIC.exe
Token: SeDebugPrivilege	2748	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2748	WMIC.exe
Token: SeRemoteShutdownPrivilege	2748	WMIC.exe
Token: SeUndockPrivilege	2748	WMIC.exe
Token: SeManageVolumePrivilege	2748	WMIC.exe
Token: 33	2748	WMIC.exe
Token: 34	2748	WMIC.exe
Token: 35	2748	WMIC.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2988	1640	d28f799d666a23fda187776242073993.exe	28
PID 1640 wrote to memory of 2988	1640	d28f799d666a23fda187776242073993.exe	28
PID 1640 wrote to memory of 2988	1640	d28f799d666a23fda187776242073993.exe	28
PID 1640 wrote to memory of 2988	1640	d28f799d666a23fda187776242073993.exe	28
PID 1640 wrote to memory of 2988	1640	d28f799d666a23fda187776242073993.exe	28
PID 2988 wrote to memory of 2632	2988	d28f799d666a23fda187776242073993.exe	30
PID 2988 wrote to memory of 2632	2988	d28f799d666a23fda187776242073993.exe	30
PID 2988 wrote to memory of 2632	2988	d28f799d666a23fda187776242073993.exe	30
PID 2988 wrote to memory of 2632	2988	d28f799d666a23fda187776242073993.exe	30
PID 2632 wrote to memory of 2584	2632	cmd.exe	32
PID 2632 wrote to memory of 2584	2632	cmd.exe	32
PID 2632 wrote to memory of 2584	2632	cmd.exe	32
PID 2632 wrote to memory of 1500	2632	cmd.exe	35
PID 2632 wrote to memory of 1500	2632	cmd.exe	35
PID 2632 wrote to memory of 1500	2632	cmd.exe	35
PID 2632 wrote to memory of 2748	2632	cmd.exe	39
PID 2632 wrote to memory of 2748	2632	cmd.exe	39
PID 2632 wrote to memory of 2748	2632	cmd.exe	39
PID 2628 wrote to memory of 1552	2628	d28f799d666a23fda187776242073993.exe	42
PID 2628 wrote to memory of 1552	2628	d28f799d666a23fda187776242073993.exe	42
PID 2628 wrote to memory of 1552	2628	d28f799d666a23fda187776242073993.exe	42
PID 2628 wrote to memory of 1552	2628	d28f799d666a23fda187776242073993.exe	42
PID 2628 wrote to memory of 1552	2628	d28f799d666a23fda187776242073993.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d28f799d666a23fda187776242073993.exe
"C:\Users\Admin\AppData\Local\Temp\d28f799d666a23fda187776242073993.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Local\Temp\d28f799d666a23fda187776242073993.exe
  "C:\Users\Admin\AppData\Local\Temp\d28f799d666a23fda187776242073993.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Users\Admin\AppData\Local\Temp\d28f799d666a23fda187776242073993.exe
    "C:\Users\Admin\AppData\Local\Temp\d28f799d666a23fda187776242073993.exe" n2988
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Users\Admin\AppData\Local\Temp\d28f799d666a23fda187776242073993.exe
      "C:\Users\Admin\AppData\Local\Temp\d28f799d666a23fda187776242073993.exe" n2988
      4⤵
      PID:1552
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2584
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:1500
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2748

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:592

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:576

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\readme-warning.txt

Filesize
1KB

MD5
7c9051a155e7889cb2c4b685bf8d2efa

SHA1
471bac8c7ec83bd2b4b73b5c01d3bdb947542141

SHA256
02f0042dbbd15881b67a8f248db23f60c5968aa82202af0044ccadcd24883990

SHA512
da20c1c975f6c0fb99e91f3fc9dba7f0fd6049acf307d8d9a8ad076fa997021e5573ca0f61c31bb96ce58bfbeed2fd57317c9d8c23019e267f50fe4f9989bde7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
56dc59188ec6b4fd0102a9b71de2eb62

SHA1
a1070a5d7ddec49c032e7386b5cb072b92d95091

SHA256
8e9769c9e6d98f9a0adfc6f001484aeee8414506487215765c12754c169aeeac

SHA512
8462d29690bd1c2c1dbc2563c03756ef0c5b721f63a871db896345b7cc5ab12d5f8685e3704ca9e07a2e3ee05e356cc8a926a9326271c9b730f86973804687d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7199.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7374.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Roaming\867146652

Filesize
55KB

MD5
5da47c9ae569364b603f95cb2641a182

SHA1
6d08c1dae770fd38dccf41c122ac9e5bd35e4902

SHA256
65a48291f8cb6ee3a84de819241653f3d1b7a1703cdf0520330660814af17801

SHA512
74a999fe7c18c376c7f073d19a8a70711d5b5817650a6168a290f0f9017b0de5a00604e30ab4c4fbb2e92963e13525ff3307104a12893ccb18659146a11ebc11

Download Submit
C:\Users\Admin\AppData\Roaming\867146652

Filesize
56KB

MD5
1704379ece40de00a165b1adfd090750

SHA1
71ed551f60abeaaac4af8376086368616d43a0e3

SHA256
9ad0e338859494fe621785cbaac57eec773b31ffeb27a651bcc2582375a94907

SHA512
b05a25e8969cda54b372c949d74acc375bbbc5811a15529c09398a01b31c8f4842df71b3db9043e3946ed1d4944dbe919d1dae0fcb3ce978f8c1b0ae931d1db9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\qasdadsdsd.lnk

Filesize
1KB

MD5
8cc1ec0e01e2454051f89239bfd88231

SHA1
00809a78086a02f1a8593a05dcac77b229fb38a7

SHA256
5310f497e94a4d24186f7a35467d7ebf29754ca947dcce722888981575a9b567

SHA512
443ed81893bed722c7efa1bb3efe6dd9b57192a8aff836853806a06ee369d74aa0f607815b3d3e01a6bda3a9ff4bd5b23dddcd79055d78bf7a7043683331c832

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\qasdadsdsd.lnk

Filesize
1KB

MD5
7e2f209e41a2297d24c7b07b2eb17cac

SHA1
1ba44f1aab39dd54676557092b61662e43ab6a8c

SHA256
47e7741f06901f613db00a4e21e1cfc03a1c93439aa2f548b56218de680932db

SHA512
c32c4f802134ddecba5afdc748a2154b71ee6ca5a17a4a14d5b88bbc198b5e691ee4d19800401a542fe5f40c11aa7e2ca9bfc1e700f5a53cfd792201fb99b410

Download Submit
\Users\Admin\AppData\Local\Temp\nsy565B.tmp\System.dll

Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/1552-477-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1552-1061-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1552-1062-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2988-976-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2988-22-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2988-84-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2988-11-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2988-10-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2988-8-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2988-17500-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download