makop | c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9

Resubmissions

28-07-2024 16:38

240728-t5tryssgmm 10

07-07-2024 14:07

240707-rfgd8atekm 10

07-07-2024 14:07

240707-re689awdpe 10

13-09-2022 17:54

220913-wg1lpsgbg7 10

Analysis

max time kernel
144s
max time network
133s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
28-07-2024 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Size

114KB
MD5

b33e8ce6a7035bee5c5472d5b870b68a
SHA1

783d08fe374f287a4e0412ed8b7f5446c6e65687
SHA256

2b5a3934d3e81fee4654bb1a7288c81af158a6d48a666cf8e379b0492551188f
SHA512

78c36e1f8ba968d55e8b469fba9623bd20f9d7216b4f5983388c32be564484caab228935f96fd8bff82bc8bb8732f7beb9ccede50385b6b6ba7e23b5cc60679f
SSDEEP

3072:Rf1BDZ0kVB67Duw9AMcUTeQnbZ7pgHzL8O1oc8rEUvZfqv8dOWVIc:R9X0GGZpYzL8VcFUvZyUdb

Score

10^/10

makop defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\readme-warning.txt

Family

makop

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "makop" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: [email protected] or [email protected] .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Emails

[email protected]

Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.
ransomware makop
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (8323) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2628 wbadmin.exe
Loads dropped DLL 3 IoCs

Processes:

MAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exe

pid process

2052 MAKOP_27_10_2020_115KB.exe
1960 MAKOP_27_10_2020_115KB.exe
2356 MAKOP_27_10_2020_115KB.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2628	wbadmin.exe

pid	process
2052	MAKOP_27_10_2020_115KB.exe
1960	MAKOP_27_10_2020_115KB.exe
2356	MAKOP_27_10_2020_115KB.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MAKOP_27_10_2020_115KB.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RansomwareSamples\\MAKOP_27_10_2020_115KB.exe\""	MAKOP_27_10_2020_115KB.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

MAKOP_27_10_2020_115KB.exe

description ioc process

File opened (read-only) \??\F: MAKOP_27_10_2020_115KB.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

4 iplogger.org
5 iplogger.org

description	ioc	process
File opened (read-only)	\??\F:	MAKOP_27_10_2020_115KB.exe

flow	ioc
4	iplogger.org
5	iplogger.org

Suspicious use of SetThreadContext 3 IoCs

Processes:

MAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exe

description	pid	process	target process
PID 2052 set thread context of 1888	2052	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1960 set thread context of 2548	1960	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2356 set thread context of 2676	2356	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe

Drops file in Program Files directory 64 IoCs

Processes:

MAKOP_27_10_2020_115KB.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Accra	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00095_.WMF	MAKOP_27_10_2020_115KB.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\readme-warning.txt	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\FAXEXT.ECF	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\STRBRST.POC	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG_PAL.wmv	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_ButtonGraphic.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185828.WMF	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\tab_on.gif	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SLERROR.XML	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\OmdProject.dll.mui	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png	MAKOP_27_10_2020_115KB.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\readme-warning.txt	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\bckgRes.dll.mui	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\5.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN01165_.WMF	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADVZIP.DIC	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\WARN.WAV	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\javafx-doclet.jar	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01044_.WMF	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0157831.WMF	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02389_.WMF	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert.css	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\sunjce_provider.jar	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00524_.WMF	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC_COL.HXT	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\highDpiImageSwap.js	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00152_.WMF	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Pushpin.xml	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBlankPage.html	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WORDIRMV.XML	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.h	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341742.JPG	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_divider_left.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Garden.jpg	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02405_.WMF	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0336075.WMF	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\ZoneInfoMappings	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14691_.GIF	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSEvents.man	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART7.BDR	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml	MAKOP_27_10_2020_115KB.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\readme-warning.txt	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\calendar.html	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_settings.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dushanbe	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01181_.WMF	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl-hot.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_thunderstorm.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.CGM	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01241_.GIF	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImages.jpg	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\main_background.png	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00790_.WMF	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090087.WMF	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02386_.WMF	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rio_Branco	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tehran	MAKOP_27_10_2020_115KB.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaTypewriterRegular.ttf	MAKOP_27_10_2020_115KB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MAKOP_27_10_2020_115KB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MAKOP_27_10_2020_115KB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MAKOP_27_10_2020_115KB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MAKOP_27_10_2020_115KB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MAKOP_27_10_2020_115KB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MAKOP_27_10_2020_115KB.exe

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

2788 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MAKOP_27_10_2020_115KB.exe

pid process

1888 MAKOP_27_10_2020_115KB.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

MAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exe

pid process

2052 MAKOP_27_10_2020_115KB.exe
1960 MAKOP_27_10_2020_115KB.exe
2356 MAKOP_27_10_2020_115KB.exe

pid	process
2788	vssadmin.exe

pid	process
1888	MAKOP_27_10_2020_115KB.exe

pid	process
2052	MAKOP_27_10_2020_115KB.exe
1960	MAKOP_27_10_2020_115KB.exe
2356	MAKOP_27_10_2020_115KB.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

vssvc.exewbengine.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	2712	vssvc.exe
Token: SeRestorePrivilege	2712	vssvc.exe
Token: SeAuditPrivilege	2712	vssvc.exe
Token: SeBackupPrivilege	572	wbengine.exe
Token: SeRestorePrivilege	572	wbengine.exe
Token: SeSecurityPrivilege	572	wbengine.exe
Token: SeIncreaseQuotaPrivilege	1860	WMIC.exe
Token: SeSecurityPrivilege	1860	WMIC.exe
Token: SeTakeOwnershipPrivilege	1860	WMIC.exe
Token: SeLoadDriverPrivilege	1860	WMIC.exe
Token: SeSystemProfilePrivilege	1860	WMIC.exe
Token: SeSystemtimePrivilege	1860	WMIC.exe
Token: SeProfSingleProcessPrivilege	1860	WMIC.exe
Token: SeIncBasePriorityPrivilege	1860	WMIC.exe
Token: SeCreatePagefilePrivilege	1860	WMIC.exe
Token: SeBackupPrivilege	1860	WMIC.exe
Token: SeRestorePrivilege	1860	WMIC.exe
Token: SeShutdownPrivilege	1860	WMIC.exe
Token: SeDebugPrivilege	1860	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1860	WMIC.exe
Token: SeRemoteShutdownPrivilege	1860	WMIC.exe
Token: SeUndockPrivilege	1860	WMIC.exe
Token: SeManageVolumePrivilege	1860	WMIC.exe
Token: 33	1860	WMIC.exe
Token: 34	1860	WMIC.exe
Token: 35	1860	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1860	WMIC.exe
Token: SeSecurityPrivilege	1860	WMIC.exe
Token: SeTakeOwnershipPrivilege	1860	WMIC.exe
Token: SeLoadDriverPrivilege	1860	WMIC.exe
Token: SeSystemProfilePrivilege	1860	WMIC.exe
Token: SeSystemtimePrivilege	1860	WMIC.exe
Token: SeProfSingleProcessPrivilege	1860	WMIC.exe
Token: SeIncBasePriorityPrivilege	1860	WMIC.exe
Token: SeCreatePagefilePrivilege	1860	WMIC.exe
Token: SeBackupPrivilege	1860	WMIC.exe
Token: SeRestorePrivilege	1860	WMIC.exe
Token: SeShutdownPrivilege	1860	WMIC.exe
Token: SeDebugPrivilege	1860	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1860	WMIC.exe
Token: SeRemoteShutdownPrivilege	1860	WMIC.exe
Token: SeUndockPrivilege	1860	WMIC.exe
Token: SeManageVolumePrivilege	1860	WMIC.exe
Token: 33	1860	WMIC.exe
Token: 34	1860	WMIC.exe
Token: 35	1860	WMIC.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

MAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.execmd.exeMAKOP_27_10_2020_115KB.exeMAKOP_27_10_2020_115KB.exe

description	pid	process	target process
PID 2052 wrote to memory of 1888	2052	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2052 wrote to memory of 1888	2052	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2052 wrote to memory of 1888	2052	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2052 wrote to memory of 1888	2052	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2052 wrote to memory of 1888	2052	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1888 wrote to memory of 1124	1888	MAKOP_27_10_2020_115KB.exe	cmd.exe
PID 1888 wrote to memory of 1124	1888	MAKOP_27_10_2020_115KB.exe	cmd.exe
PID 1888 wrote to memory of 1124	1888	MAKOP_27_10_2020_115KB.exe	cmd.exe
PID 1888 wrote to memory of 1124	1888	MAKOP_27_10_2020_115KB.exe	cmd.exe
PID 1124 wrote to memory of 2788	1124	cmd.exe	vssadmin.exe
PID 1124 wrote to memory of 2788	1124	cmd.exe	vssadmin.exe
PID 1124 wrote to memory of 2788	1124	cmd.exe	vssadmin.exe
PID 1124 wrote to memory of 2628	1124	cmd.exe	wbadmin.exe
PID 1124 wrote to memory of 2628	1124	cmd.exe	wbadmin.exe
PID 1124 wrote to memory of 2628	1124	cmd.exe	wbadmin.exe
PID 1124 wrote to memory of 1860	1124	cmd.exe	WMIC.exe
PID 1124 wrote to memory of 1860	1124	cmd.exe	WMIC.exe
PID 1124 wrote to memory of 1860	1124	cmd.exe	WMIC.exe
PID 1960 wrote to memory of 2548	1960	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1960 wrote to memory of 2548	1960	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1960 wrote to memory of 2548	1960	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1960 wrote to memory of 2548	1960	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 1960 wrote to memory of 2548	1960	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2356 wrote to memory of 2676	2356	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2356 wrote to memory of 2676	2356	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2356 wrote to memory of 2676	2356	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2356 wrote to memory of 2676	2356	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe
PID 2356 wrote to memory of 2676	2356	MAKOP_27_10_2020_115KB.exe	MAKOP_27_10_2020_115KB.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
  "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
    "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n1888
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n1888
      4⤵
      System Location Discovery: System Language Discovery
      PID:2548
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1124
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2788
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:2628
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1860
- - C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
    "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n1888
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
      "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n1888
      4⤵
      System Location Discovery: System Language Discovery
      PID:2676

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1188

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\readme-warning.txt

Filesize
1KB

MD5
d171c561e20fc9714f85da3c4331d0b6

SHA1
8f7e6cd4bda627a0a3d1a0e687c8b998db3b9438

SHA256
3c829147b1f82f255e4032d2a22d5b83932bc7f74f3540137146530be0353aac

SHA512
b52823ac0dba9dec6a243d1a3d68718c2a825dae4d6f4f312e92d87ecb87dbb066f259b317628fa588ad1abc4a59e095e5e302e53294bd8b34d414fadc8420c2

Download Submit
C:\Users\Admin\AppData\Roaming\779389082

Filesize
56KB

MD5
40b7f298d30296864906d4e175ff9f43

SHA1
349b60915d0ce78aacc57231ae1e0df151e20087

SHA256
2448a49c12e2c959a2f88d179c346a4d753725578a4755c8f8f487b1048fdcd4

SHA512
ed4c76fa8e4e0eb527f34ea6a25094ee8bdc343be1c0806bcb8baff3cd77e6944cee50125090a7fd8869951b53ced7dce4a48a197859a1e4616c7495390b36e7

Download Submit
C:\Users\Admin\AppData\Roaming\779389082

Filesize
56KB

MD5
9004a085c4f744f4b0da676dcea1d70e

SHA1
f7119472a14b4d8292c07dd97ee1ae50713a7900

SHA256
7e62775833adf9177f3b95b60a8ae73b7942ad3b701752478af89516dcb2f237

SHA512
d5a8d02b944a1d1c4698ed9b50c8e67370468ee99105f933acd0e46244fef3b151e783516d49ea3d32e28f7a10d1a64498c1ff36892bd73af1c5b9979d973c04

Download Submit
\Users\Admin\AppData\Local\Temp\nsyF1BF.tmp\System.dll

Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/1888-16-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1888-26-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1888-9-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1888-10-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1888-3038-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1888-7-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1888-17641-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2548-3974-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2548-4646-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2548-4645-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2676-17696-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2676-17698-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2676-17697-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download