Analysis

  • max time kernel
    123s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/08/2024, 09:28

General

  • Target

    2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe

  • Size

    103KB

  • MD5

    72df7fd0854935ba0b5e07f723589392

  • SHA1

    d628cb84d232f83dcd291e43ff079fb481290a7d

  • SHA256

    2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183

  • SHA512

    12dfc847064842207c3b87119145fb50ebd647f9eb6ef997ad47c1f5e451f2f2033635169aed28a8f6288f718fbce56d8a67c2178dd26dc016de52bed2520e67

  • SSDEEP

    3072:vomnzVincQDKgcp3bsOW+NMY7sDti0dP0L0nLn:vtZVsyNMYytiFL4j

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-v..lpc-vmsal.resources_31bf3856ad364e35_7.1.7601.17514_es-es_d44d8fd5b93ba0a5\readme-warning.txt

Family

makop

Ransom Note

::: Greetings :::

Little FAQ:
.1.
Q: Whats Happen?
A: Your files have been encrypted and now have the "mammon" extension. The file structure was not damaged, we did everything possible so that this could not happen.
.2.
Q: How to recover files?
A: If you wish to decrypt your files you will need to pay in bitcoins.
.3.
Q: What about guarantees?
A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests.
To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee.
.4.
Q: How to contact with you?
A: You can write us to our mailbox: [email protected] or [email protected] or [email protected] or [email protected]
.5.
Q: How will the decryption process proceed after payment?
A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.
.6.
Q: If I don't want to pay bad people like you?
A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money.
:::BEWARE:::
DON'T try to change encrypted files by yourself!
If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files!
Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Signatures

  • Makop

    Ransomware family discovered by @VK_Intel in early 2020.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (8728) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe
    "C:\Users\Admin\AppData\Local\Temp\2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1848
    • C:\Users\Admin\AppData\Local\Temp\2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe
      "C:\Users\Admin\AppData\Local\Temp\2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe"
      2⤵
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Users\Admin\AppData\Local\Temp\2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe
        "C:\Users\Admin\AppData\Local\Temp\2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe" n2776
        3⤵
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2816
        • C:\Users\Admin\AppData\Local\Temp\2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe
          "C:\Users\Admin\AppData\Local\Temp\2aae8c4c79d6332be6f899936c662326250d402f13b1ef85f930d61d4179e183.exe" n2776
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2388
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2780
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2152
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:2244
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2748
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2720
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2272
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:2924
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
        PID:2616

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-v..lpc-vmsal.resources_31bf3856ad364e35_7.1.7601.17514_es-es_d44d8fd5b93ba0a5\readme-warning.txt

        Filesize

        1KB

        MD5

        0f44a19896202f3a9f8dd0747e54c5eb

        SHA1

        03f490800892428e0791deeccbe5fa56b0b97226

        SHA256

        994aaeff999041819c380948d93a44265440d63d5b6e7a9cc9ef82d646fcd1ef

        SHA512

        f5323173a37308cdaf5c8480c4a4a3536211a41d2c52eb87a0c1a187f0c590e062507cdeca3720ae67a4b3579a0aa65da3da1f57014e101336f275b921e2b5f6

      • C:\Users\Admin\AppData\Roaming\311897641

        Filesize

        58KB

        MD5

        afe0b643b74b4714e2d705f34339d911

        SHA1

        1943f80961e65cd3ac8fb906352a72bd02655916

        SHA256

        28ff4090b0ff905783550e43a2d65b826509e435da0f34e856200e962142b586

        SHA512

        858009dafbe2c9a3f8e79fe6363cb9db95d37047ae9661d31be8f5da44102de8afbfebb34438881ff65eae083c3b8651ae12e9e7afa483a51700b4224960c5c7

      • C:\Users\Admin\AppData\Roaming\311897641

        Filesize

        57KB

        MD5

        22bcb89336d9bb23b7d043e832c6db25

        SHA1

        20c808d956528cda0c780aee937092dc8151b3ed

        SHA256

        b8c09432f5d84b39eade26cc54e589042b318c19014fd9723e04b055eccf4dd8

        SHA512

        5c123e5aa6c4dcee781cf89e3cc1d611d3e05dee6cc88530381f3b144d76f8debe4f2c76ce80ef9bfcee6f85861318355827d2644e9ac5402a4e46a5d044538c

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\dsffffffdd.lnk

        Filesize

        1KB

        MD5

        64bcbaefb194c4983ffcf4ef1a3bd10d

        SHA1

        9eed6a366d8a49726f02468b7ad0054e12d15152

        SHA256

        1800de1f8c2cbd8d1c06bd902f63211edb33b7aa7f04c04ff0a8826d265d3a3a

        SHA512

        a5e2db463f6b659a8faf4430786d83680349daa50eae8187c117749f7bdd93fddcf720a07aa0d878ceeeeb016dbca1b987f52a8ccb912937f5c4f7d741a6b279

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\dsffffffdd.lnk

        Filesize

        1KB

        MD5

        b053b395450a63243956d9c88025a2f9

        SHA1

        89cb1002187ca36f9096fcc8452ce4ca20a2797c

        SHA256

        217d3e67a19c09ff478cdcdbc812265bb3e1ad2815b0a204880d3e80fff5b189

        SHA512

        f5c23f2038e2cb11cd484fe00e9dcb57138b97a12b4182741f39567686fa4d67ce05b202b4295e35699f5f58fec7d1bd021be8acd7af96170d34a9f43da31d1e

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\qasdadsdsd.lnk

        Filesize

        1KB

        MD5

        d02eb06a0cdf5b247f229cda78b253ab

        SHA1

        9e87dbf39c28a089f58e66730d638a1d260ab3cd

        SHA256

        0126a52fd4c35c41dc0036b7d8f13a34a359ccdf1f58935599d219158e277ab8

        SHA512

        50b80b64662e0b83e47d0ea3d2de3805d8334c0ce0e6e29d5d798cbdb58538ae2c2f0857f7a44a1c0b5d7ec585d03781775e4fdcb298917ba260f4bf670e80f1

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zsadsadsad\qasdadsdsd.lnk

        Filesize

        1KB

        MD5

        16f9c877f3bd0b235f9f155b5a0a7bba

        SHA1

        ed9b8764c3cbd0eb6eca8646de7252cf0fbcc1f4

        SHA256

        be99fa3ef190fee33cff36ee6eb9fc7bfa08b0a3b88b3270a65fe268b483cacb

        SHA512

        ae3bb21d4413153edccdaf44c9964397480014f98958a0cfc34992446d251dd39f87fdafe90b14801e2f7074c5036c097c4bbaac1375b1885d4377c60205df86

      • \Users\Admin\AppData\Local\Temp\nse93A9.tmp\System.dll

        Filesize

        11KB

        MD5

        0063d48afe5a0cdc02833145667b6641

        SHA1

        e7eb614805d183ecb1127c62decb1a6be1b4f7a8

        SHA256

        ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

        SHA512

        71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

      • memory/2388-1642-0x0000000000400000-0x000000000041E000-memory.dmp

        Filesize

        120KB

      • memory/2388-1643-0x0000000000400000-0x000000000041E000-memory.dmp

        Filesize

        120KB

      • memory/2388-1230-0x0000000000400000-0x000000000041E000-memory.dmp

        Filesize

        120KB

      • memory/2776-19-0x0000000000400000-0x000000000041E000-memory.dmp

        Filesize

        120KB

      • memory/2776-797-0x0000000000400000-0x000000000041E000-memory.dmp

        Filesize

        120KB

      • memory/2776-2406-0x0000000000400000-0x000000000041E000-memory.dmp

        Filesize

        120KB

      • memory/2776-41-0x0000000000400000-0x000000000041E000-memory.dmp

        Filesize

        120KB

      • memory/2776-20-0x0000000000400000-0x000000000041E000-memory.dmp

        Filesize

        120KB

      • memory/2776-17-0x0000000000400000-0x000000000041E000-memory.dmp

        Filesize

        120KB

      • memory/2776-18649-0x0000000000400000-0x000000000041E000-memory.dmp

        Filesize

        120KB