Overview

overview

10

Static

static

3

d28f799d66...93.exe

windows7-x64

10

d28f799d66...93.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-03-2024 04:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d28f799d666a23fda187776242073993.exe

  • Size

    101KB

  • MD5

    d28f799d666a23fda187776242073993

  • SHA1

    33228c4a1dfe34c2ddd8400300890447dc951f7c

  • SHA256

    f9c4ddad16bf3d2446639ed848334a2c1741af3fab677199c7aef6b5bf6f098e

  • SHA512

    85c27c26b9d322da4ea228be4b23e4b9b036ab6fa61d211c1e150fb88af556ef1c28c1f038d354fb9b34a3eb4911f8e278aa42632b2a4eacc1cf511f67962ff5

  • SSDEEP

    3072:ef1BDZ0kVB67Duw9AMc9sKXbxGM63ikxBbcy6TwYpgI:e9X0G1x363ikxewYpJ

Score
10/10
makopransomware

Malware Config

Extracted

Path

C:\Program Files\Common Files\DESIGNER\readme-warning.txt

Family

makop

Ransom Note
::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "gamigin" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: [email protected] or [email protected] or [email protected] .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Signatures

  • Makop

    Ransomware family discovered by @VK_Intel in early 2020.

    ransomwaremakop
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Renames multiple (5887) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\d28f799d666a23fda187776242073993.exe
    "C:\Users\Admin\AppData\Local\Temp\d28f799d666a23fda187776242073993.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4816
    • C:\Users\Admin\AppData\Local\Temp\d28f799d666a23fda187776242073993.exe
      "C:\Users\Admin\AppData\Local\Temp\d28f799d666a23fda187776242073993.exe"
      2⤵
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:5024
      • C:\Users\Admin\AppData\Local\Temp\d28f799d666a23fda187776242073993.exe
        "C:\Users\Admin\AppData\Local\Temp\d28f799d666a23fda187776242073993.exe" n5024
        3⤵
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1696
        • C:\Users\Admin\AppData\Local\Temp\d28f799d666a23fda187776242073993.exe
          "C:\Users\Admin\AppData\Local\Temp\d28f799d666a23fda187776242073993.exe" n5024
          4⤵
            PID:5772
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3724
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            4⤵
            • Interacts with shadow copies
            PID:4928
          • C:\Windows\system32\wbadmin.exe
            wbadmin delete catalog -quiet
            4⤵
            • Deletes backup catalog
            PID:4052
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic shadowcopy delete
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4928
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3200
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3176
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:3316
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:284
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3880 --field-trial-handle=2588,i,4353937220825226770,7138584070663735671,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:5728

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\Common Files\DESIGNER\readme-warning.txt
          Filesize

          1KB

          MD5

          7c9051a155e7889cb2c4b685bf8d2efa

          SHA1

          471bac8c7ec83bd2b4b73b5c01d3bdb947542141

          SHA256

          02f0042dbbd15881b67a8f248db23f60c5968aa82202af0044ccadcd24883990

          SHA512

          da20c1c975f6c0fb99e91f3fc9dba7f0fd6049acf307d8d9a8ad076fa997021e5573ca0f61c31bb96ce58bfbeed2fd57317c9d8c23019e267f50fe4f9989bde7

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nsi826F.tmp\System.dll
          Filesize

          11KB

          MD5

          fccff8cb7a1067e23fd2e2b63971a8e1

          SHA1

          30e2a9e137c1223a78a0f7b0bf96a1c361976d91

          SHA256

          6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

          SHA512

          f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

          Download Submit

        • C:\Users\Admin\AppData\Roaming\867146652
          Filesize

          55KB

          MD5

          5da47c9ae569364b603f95cb2641a182

          SHA1

          6d08c1dae770fd38dccf41c122ac9e5bd35e4902

          SHA256

          65a48291f8cb6ee3a84de819241653f3d1b7a1703cdf0520330660814af17801

          SHA512

          74a999fe7c18c376c7f073d19a8a70711d5b5817650a6168a290f0f9017b0de5a00604e30ab4c4fbb2e92963e13525ff3307104a12893ccb18659146a11ebc11

          Download Submit

        • memory/5024-20-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/5024-10-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/5024-9-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/5024-94-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/5024-7-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/5024-13482-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/5772-1365-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/5772-1368-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/5772-4726-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/5772-7080-0x0000000000400000-0x000000000041E000-memory.dmp

          Filesize

          120KB

          Download