Analysis

  • max time kernel
    63s
  • max time network
    74s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240708-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    21-08-2024 09:38

General

  • Target

    _______ ____ __(___ ________ _________).exe

  • Size

    103KB

  • MD5

    72df7fd0854935ba0b5e07f723589392

  • SHA1

    d628cb84d232f83dcd291e43ff079fb481290a7d

  • SHA256

    2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183

  • SHA512

    12dfc847064842207c3b87119145fb50ebd647f9eb6ef997ad47c1f5e451f2f2033635169aed28a8f6288f718fbce56d8a67c2178dd26dc016de52bed2520e67

  • SSDEEP

    3072:vomnzVincQDKgcp3bsOW+NMY7sDti0dP0L0nLn:vtZVsyNMYytiFL4j

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\readme-warning.txt

Family

makop

Ransom Note
::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "mammon" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: [email protected] or [email protected] or [email protected] or [email protected] .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don't want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Signatures

  • Makop

    Ransomware family discovered by @VK_Intel in early 2020.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (8264) files with added filename extension

    This suggests ransomware activity: files across the system are being encrypted and renamed with a new extension.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\_______ ____ __(___ ________ _________).exe
    "C:\Users\Admin\AppData\Local\Temp\_______ ____ __(___ ________ _________).exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Users\Admin\AppData\Local\Temp\_______ ____ __(___ ________ _________).exe
      "C:\Users\Admin\AppData\Local\Temp\_______ ____ __(___ ________ _________).exe"
      2⤵
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1884
      • C:\Users\Admin\AppData\Local\Temp\_______ ____ __(___ ________ _________).exe
        "C:\Users\Admin\AppData\Local\Temp\_______ ____ __(___ ________ _________).exe" n1884
        3⤵
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3004
        • C:\Users\Admin\AppData\Local\Temp\_______ ____ __(___ ________ _________).exe
          "C:\Users\Admin\AppData\Local\Temp\_______ ____ __(___ ________ _________).exe" n1884
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2660
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2972
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2676
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:2232
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2284
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 488
      2⤵
      • Program crash
      PID:2852
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2752
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2904
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:1512
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
        PID:3024
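The Signatures list and the process tree above together show the two behaviours a defender most wants to catch early: the cmd.exe child spawning `vssadmin delete shadows /all /quiet`, `wbadmin delete catalog -quiet` and `wmic shadowcopy delete` to inhibit recovery, and the worker process (PID 1884) renaming thousands of files with an appended extension and dropping `readme-warning.txt`. The following is an added detection example written for this report; it is not code from the sandbox, the report author or the Makop sample. It runs over a constructed list of simplified, Sysmon-like process-create and file-create events (the `ts`/`type`/`pid`/`cmd`/`path` field names are an assumption, not any real SIEM schema) and generalizes the mass-rename check to any appended extension rather than only `.mammon`.

```python
"""Detection logic for the recovery-inhibition commands and the mass
extension-append behaviour shown in the report. Added example only; the event
shape below is a constructed, simplified Sysmon-like record, not a real schema.
"""
import re
from collections import defaultdict, deque

# Command-line patterns for the three commands in the process tree. Each pattern
# requires the destructive verb, so "vssadmin list shadows" does not fire.
INHIBIT_RECOVERY = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wbadmin_delete_catalog",  re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("wmic_shadowcopy_delete",  re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
]

RANSOM_NOTE_NAMES = {"readme-warning.txt"}   # note file name from this report

# A file name that still carries its original extension followed by a second,
# appended one (report.docx.mammon). Legitimate double extensions such as
# .tar.gz also match, which is why alerting is per (pid, extension) over a window.
DOUBLE_EXT = re.compile(r"[^\\/]+\.[A-Za-z0-9]{1,5}(\.[A-Za-z0-9]+)$")
RENAME_THRESHOLD = 5    # appended-extension creates per process before alerting
WINDOW_SECONDS = 60     # sliding window for that count


def match_inhibit_recovery(cmdline):
    """Return the rule name if the command line is a recovery-inhibition command."""
    for name, pattern in INHIBIT_RECOVERY:
        if pattern.search(cmdline):
            return name
    return None


def appended_extension(path):
    """Return the appended (outer) extension of a double-extension file, else None."""
    m = DOUBLE_EXT.search(path)
    return m.group(1).lower() if m else None


def detect(events):
    """Walk events in time order and return (rule, pid, detail) alerts."""
    alerts = []
    windows = defaultdict(deque)   # (pid, ext) -> recent timestamps
    fired = set()                  # (pid, ext) keys already alerted on
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "process":
            rule = match_inhibit_recovery(ev["cmd"])
            if rule:
                alerts.append((rule, ev["pid"], ev["cmd"]))
        elif ev["type"] == "file":
            name = ev["path"].rsplit("\\", 1)[-1].lower()
            if name in RANSOM_NOTE_NAMES:
                alerts.append(("ransom_note_dropped", ev["pid"], ev["path"]))
            ext = appended_extension(ev["path"])
            if ext:
                key = (ev["pid"], ext)
                q = windows[key]
                q.append(ev["ts"])
                while q and ev["ts"] - q[0] > WINDOW_SECONDS:
                    q.popleft()           # drop creates older than the window
                if len(q) >= RENAME_THRESHOLD and key not in fired:
                    fired.add(key)
                    alerts.append(("mass_extension_append", ev["pid"],
                                   f"{len(q)} files -> {ext}"))
    return alerts


# Constructed sample events mirroring the report's process tree; PIDs and the
# note path are taken from the report, the user-document paths are made up.
SAMPLE_EVENTS = [
    {"ts": 0, "type": "process", "pid": 2972, "cmd": '"C:\\Windows\\system32\\cmd.exe"'},
    {"ts": 1, "type": "process", "pid": 2676, "cmd": "vssadmin delete shadows /all /quiet"},
    {"ts": 2, "type": "process", "pid": 2232, "cmd": "wbadmin delete catalog -quiet"},
    {"ts": 3, "type": "process", "pid": 2284, "cmd": "wmic shadowcopy delete"},
    {"ts": 5, "type": "file", "pid": 1884,
     "path": "C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\readme-warning.txt"},
] + [
    {"ts": 10 + i, "type": "file", "pid": 1884,
     "path": f"C:\\Users\\Admin\\Documents\\file{i}.docx.mammon"}
    for i in range(6)
] + [
    {"ts": 20, "type": "file", "pid": 4000, "path": "C:\\Users\\Admin\\Downloads\\backup.tar.gz"},
    {"ts": 21, "type": "process", "pid": 4001, "cmd": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:26} pid={pid:<5} {detail}")
```

On the sample events this yields five alerts: the three recovery-inhibition commands, the ransom note drop, and one mass-rename alert for PID 1884 once the fifth `.mammon` file appears; the single `.tar.gz` and the read-only `vssadmin list shadows` do not fire. In a real deployment the vssadmin/wbadmin/wmic rules alone are high-confidence and should page immediately, since the report shows they run before the bulk of the encryption completes.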

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\readme-warning.txt

        Filesize

        1KB

        MD5

        0f44a19896202f3a9f8dd0747e54c5eb

        SHA1

        03f490800892428e0791deeccbe5fa56b0b97226

        SHA256

        994aaeff999041819c380948d93a44265440d63d5b6e7a9cc9ef82d646fcd1ef

        SHA512

        f5323173a37308cdaf5c8480c4a4a3536211a41d2c52eb87a0c1a187f0c590e062507cdeca3720ae67a4b3579a0aa65da3da1f57014e101336f275b921e2b5f6

      • C:\Users\Admin\AppData\Roaming\311897641

        Filesize

        57KB

        MD5

        22bcb89336d9bb23b7d043e832c6db25

        SHA1

        20c808d956528cda0c780aee937092dc8151b3ed

        SHA256

        b8c09432f5d84b39eade26cc54e589042b318c19014fd9723e04b055eccf4dd8

        SHA512

        5c123e5aa6c4dcee781cf89e3cc1d611d3e05dee6cc88530381f3b144d76f8debe4f2c76ce80ef9bfcee6f85861318355827d2644e9ac5402a4e46a5d044538c

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\dsffffffdd.lnk

        Filesize

        1KB

        MD5

        0ede3855649d4bc5a5ad7680b191f7dc

        SHA1

        0462206346b6aab6561f869651fc973b1ac84b9c

        SHA256

        85a1b66821c666499176c27c12dd759bc42f9dc0615996fa9402a02222b38e7b

        SHA512

        345215bd967612e392849ca117591acff4ff35f7191d207ca92b46a9bc490d9e03e08a928900d2df160f6b748b71a804c7aa47ef8e24e1a3d70c2beee82b5f00

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\dsffffffdd.lnk

        Filesize

        1KB

        MD5

        0497bfbf9a91c83ce6b9e1eeec900ec5

        SHA1

        a7c7e96379dcaf5cf469defe09b1ffae7170d382

        SHA256

        c5faa5689c832a5ad0e572931c4ef20db3a93f6de20f1d4fec909fbb4adfcd0c

        SHA512

        68759ba0cefb037d2777dbda46a034ba7e96a26ee3e0c32577249a500b13a2ece8525e9b736f58aa8f87398eba470f561c3fd461ea118588eade542bf28086aa

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\qasdadsdsd.lnk

        Filesize

        1KB

        MD5

        fc43a9bd805b96a01a09b434181cc514

        SHA1

        276fea591e924655bfee308daaf889911993a32d

        SHA256

        75cad8ffb9dd5646c5640937ef27aa5cb7c700e905671b304522cf2695d753e1

        SHA512

        7feed021cb58c27106bba442d4002ca54744a67c7544683063f24b8a839b702e0876d3a7e04e6b127b3cecebd65f53e5425a2a82d3aac110756a8a4ecaf14985

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\qasdadsdsd.lnk

        Filesize

        1KB

        MD5

        e8f5aaedbca826dcba99eeda23a4c43f

        SHA1

        9f0c9991ff192367f23bceb7c90d026fd5648a0d

        SHA256

        1a93b3730c889f3bc449edd1927272edd2e10f36f9305bda8f6fd52ea8a76399

        SHA512

        4bc39cb7b3c92a7a115a839e9c2df7b949e9572fbe7b3851c24773c663d8f4ed4263c010d7d71d9c827c79d713bacf56d7b88b0875baad3404027c394ad47394

      • \Users\Admin\AppData\Local\Temp\nsz8364.tmp\System.dll

        Filesize

        11KB

        MD5

        0063d48afe5a0cdc02833145667b6641

        SHA1

        e7eb614805d183ecb1127c62decb1a6be1b4f7a8

        SHA256

        ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

        SHA512

        71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

      • memory/1884-112-0x0000000000400000-0x000000000041E000-memory.dmp

        Filesize

        120KB

      • memory/1884-41-0x0000000000400000-0x000000000041E000-memory.dmp

        Filesize

        120KB

      • memory/1884-20-0x0000000000400000-0x000000000041E000-memory.dmp

        Filesize

        120KB

      • memory/1884-7467-0x0000000000400000-0x000000000041E000-memory.dmp

        Filesize

        120KB

      • memory/1884-19-0x0000000000400000-0x000000000041E000-memory.dmp

        Filesize

        120KB

      • memory/1884-17-0x0000000000400000-0x000000000041E000-memory.dmp

        Filesize

        120KB

      • memory/1884-17516-0x0000000000400000-0x000000000041E000-memory.dmp

        Filesize

        120KB

      • memory/1884-17532-0x0000000000400000-0x000000000041E000-memory.dmp

        Filesize

        120KB

      • memory/2660-5955-0x0000000000400000-0x000000000041E000-memory.dmp

        Filesize

        120KB

      • memory/2660-7898-0x0000000000400000-0x000000000041E000-memory.dmp

        Filesize

        120KB

      • memory/2660-7901-0x0000000000400000-0x000000000041E000-memory.dmp

        Filesize

        120KB