Overview

overview

10

Static

static

10

2024-08-21...op.exe

windows7-x64

10

2024-08-21...op.exe

windows10-2004-x64

10

Resubmissions

21-08-2024 02:11

240821-cmsy9syfrn 10

21-08-2024 02:11

240821-cmgagavfmg 10

21-08-2024 02:09

240821-ck9t1averb 10

21-08-2024 01:15

240821-bmk3zsshke 10

21-08-2024 01:12

240821-bkkdnssgkf 10

Analysis

  • max time kernel
    1375s
  • max time network
    1703s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    21-08-2024 01:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-08-21_d2928a874344bd310125566d09f4ffcc_makop.exe

  • Size

    42KB

  • MD5

    d2928a874344bd310125566d09f4ffcc

  • SHA1

    41070cb3d688c30ca7b95957e48eaa577e8a027d

  • SHA256

    f9dcdbe1929dd4606138f9c77b95c144acd4d711fd372f7bb075b8aa61a83b62

  • SHA512

    90a8f22346a1f08f91313f66f03cfd0da228b656f5a0dcd39db0497c300a5ad37e93a62ad78ed82aab0c2351c3e8af9f8923b9a10b06d527a0c6439c8a6b6629

  • SSDEEP

    768:cO1oR/dUVS1RzK4wbs+D/SIJX+ZZ1SQQwZuIOPzDLNIUe61Akojk1q4:clgS1FKnDtkuImLqUe6h7

Score
10/10
defense_evasiondiscoveryexecutionimpactransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\+README-WARNING+.txt

Ransom Note
::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay us. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailboxes: [email protected] or [email protected] .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (2408) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-21_d2928a874344bd310125566d09f4ffcc_makop.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-21_d2928a874344bd310125566d09f4ffcc_makop.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Users\Admin\AppData\Local\Temp\2024-08-21_d2928a874344bd310125566d09f4ffcc_makop.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-08-21_d2928a874344bd310125566d09f4ffcc_makop.exe" n1992
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2540
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2336
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2384
      • C:\Windows\system32\wbadmin.exe
        wbadmin delete catalog -quiet
        3⤵
        • Deletes backup catalog
        PID:2832
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2260
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3044
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2800
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:2628
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
        PID:2660
      • C:\Windows\system32\Dwm.exe
        "C:\Windows\system32\Dwm.exe"
        1⤵
          PID:1420
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe"
          1⤵
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2140
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6249758,0x7fef6249768,0x7fef6249778
            2⤵
              PID:1884
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1084 --field-trial-handle=1124,i,1396973088377686043,9963102218453835387,131072 /prefetch:2
              2⤵
                PID:1520
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1484 --field-trial-handle=1124,i,1396973088377686043,9963102218453835387,131072 /prefetch:8
                2⤵
                  PID:1180
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1124,i,1396973088377686043,9963102218453835387,131072 /prefetch:8
                  2⤵
                    PID:1920
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2232 --field-trial-handle=1124,i,1396973088377686043,9963102218453835387,131072 /prefetch:1
                    2⤵
                      PID:1632
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2272 --field-trial-handle=1124,i,1396973088377686043,9963102218453835387,131072 /prefetch:1
                      2⤵
                        PID:1860
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1424 --field-trial-handle=1124,i,1396973088377686043,9963102218453835387,131072 /prefetch:2
                        2⤵
                          PID:3188
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2144 --field-trial-handle=1124,i,1396973088377686043,9963102218453835387,131072 /prefetch:1
                          2⤵
                            PID:3824
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3672 --field-trial-handle=1124,i,1396973088377686043,9963102218453835387,131072 /prefetch:8
                            2⤵
                              PID:1268
                          • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                            "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                            1⤵
                              PID:956

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
                              Filesize

                              16B

                              MD5

                              aefd77f47fb84fae5ea194496b44c67a

                              SHA1

                              dcfbb6a5b8d05662c4858664f81693bb7f803b82

                              SHA256

                              4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

                              SHA512

                              b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
                              Filesize

                              264KB

                              MD5

                              f50f89a0a91564d0b8a211f8921aa7de

                              SHA1

                              112403a17dd69d5b9018b8cede023cb3b54eab7d

                              SHA256

                              b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                              SHA512

                              bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                              Filesize

                              1KB

                              MD5

                              484b3f9eb32385178934e6d9114373b0

                              SHA1

                              b840490b80febb66e2b5dd7e30e4b6e76faeef2d

                              SHA256

                              64e42ce4669ea909d764b1ee9023e20afbe23228d17d4210e01ba1a4c3be6e04

                              SHA512

                              6d5acc5d619befe7943ded53791e965ef40d43ecf7a4a0aad99b5871181cb10453ceca778d296deb0036ac682b239a41fbec110a9f483a90d3d58cdc78c1de34

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                              Filesize

                              947B

                              MD5

                              11d26057f1d4ad91dc93f55f9a7c4494

                              SHA1

                              165949f1f8256d02f9a4d135fd96ed300d3b6450

                              SHA256

                              b5fc23897183e44c2b72059723c3c784825732cb7f42b623e4c4dc9ebe807160

                              SHA512

                              2750eb977c366108e7eeab749baf32d7075df69bb2512fc0a7a97f2717e61d88f5a967034115e58a26a48dc47d47929b271b00cc0cda1ab8793f921241e9cb45

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                              Filesize

                              633B

                              MD5

                              68d89808c1686e104f468da2ef453045

                              SHA1

                              c11d5b30c0ff2fe433d2426d4632c66afe980dfa

                              SHA256

                              e4d16dbfd96591f610b96c08d3dd74a9a0c1ac88a00fae61da778a6977865d79

                              SHA512

                              836d41f5c24e19338c95ee3449ab6aea4430c8aa828c910ec98dac48769a796d6e85bc27201655238acd8758ff7b9a80497a8133dd39111607970d81ec434bf5

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                              Filesize

                              5KB

                              MD5

                              5b0f55e585ef198d2413149b904483f5

                              SHA1

                              99c36a7b1e8cab29e698d4a418c71e7cdc93a7e6

                              SHA256

                              bb84f0f0128f9e1db4c098dd2c1c523a10de86129fac156eed83e400956c5faf

                              SHA512

                              b2b08fceea822bb31c5ffa5c24c4782e091d1f08715be88cfbd34bbcc108b184040c2ec22ce0cb75d6aa296beacb12f2d5a3b0dd5c96087637707637cfce0256

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                              Filesize

                              5KB

                              MD5

                              ac5a67f4ff9baaa73530f46e137d623b

                              SHA1

                              602afbfe55eb29a497075e773495d159d1729b7a

                              SHA256

                              42a2953265fbeda01221a786a2d402e55c95b4d48406b1a5600287e557a4ddfa

                              SHA512

                              9577e5540999da456d232faccf5278d6cec3cfe2976a0fe3521f1eae885745c2af79e51cbbcfdb33bfb1da8656669757c2064001d5b07b062c6e5dd87f8c2606

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
                              Filesize

                              16B

                              MD5

                              18e723571b00fb1694a3bad6c78e4054

                              SHA1

                              afcc0ef32d46fe59e0483f9a3c891d3034d12f32

                              SHA256

                              8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

                              SHA512

                              43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\+README-WARNING+.txt
                              Filesize

                              1KB

                              MD5

                              3c8c6d58f933ab37627bdb1254f32002

                              SHA1

                              a4e343ce17691b68a897032302513eeb79449d30

                              SHA256

                              40dce02f63e75e4f2af498c9083116e71e58600ddaa9e3d8f593b13684f15d74

                              SHA512

                              00c1e6a4406a8edacb2f854cdf34b7cbea198baa702b6a8e92fdd057b3ce37fa562729a3bccc8ffa7c2db1fe65e7e6d1f0dfdc98da96dd1275581cc6b36eb720

                              Download Submit

                            • \??\pipe\crashpad_2140_ZHZFCDLPCADWRUKB
                              MD5

                              d41d8cd98f00b204e9800998ecf8427e

                              SHA1

                              da39a3ee5e6b4b0d3255bfef95601890afd80709

                              SHA256

                              e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                              SHA512

                              cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                              Download Submit