makop | c5c28f06fc605a7b68c52713f035f7546a15f0ca19761f96903a55021d62c733

General

Target

2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
Size

89KB
MD5

d95283d331eded844f64dde393e81d2f
SHA1

ad81f47a20a9681828e14dbb5ec99323a16a7cdc
SHA256

c5c28f06fc605a7b68c52713f035f7546a15f0ca19761f96903a55021d62c733
SHA512

ce3de62852a6d8595e77db647cfcc5f5ec03317c1f6f44c4b468b1419f37edff8b4f201ba2f17ab223ae2a19c5fcfe73cfb3c105fa0c9fe371ff3abe050235cc
SSDEEP

1536:JxqjQ+P04wsmJCEsmYRFixay318HxZATvnsblYO8Mk:sr85CEsm0e/318RZEvsbyOs

Score

10^/10

makop neshta defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\+README-WARNING+.txt

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay us. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: [email protected] Or you can contact us via TOX: ADA6E26332F26451E45768179C771CA87A7F0F4E234DA8D882888F505494925DCF274A3EA555 You don't know about TOX? Go to https://tox.chat .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Emails

[email protected]

URLs

https://tox.chat

Signatures

Detect Neshta payload 3 IoCs

Processes:

resource	yara_rule
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe	family_neshta
behavioral1/memory/2380-459-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2380-461-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

MAKOP ransomware payload 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\3582-490\2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe	family_makop

Makop
Ransomware family discovered by @VK_Intel in early 2020.
ransomware makop
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (8314) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1992 wbadmin.exe
Executes dropped EXE 1 IoCs

Processes:

2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe

pid process

1624 2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe

pid	process
1992	wbadmin.exe

pid	process
1624	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe

Loads dropped DLL 3 IoCs

Processes:

2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe

pid	process
2380	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
2380	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
2380	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

4 iplogger.com
5 iplogger.com

flow	ioc
4	iplogger.com
5	iplogger.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\23C8.tmp.bmp"	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\CAGCAT10.MML	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Formal.dotx	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile.html	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_hov.png	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152882.WMF	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0297725.WMF	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Oriel.eftx	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL020.XML	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\info.png	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\+README-WARNING+.txt	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME05.CSS	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_selectionsubpicture.png	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-visual.xml	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-awt.xml	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-favorites.jar	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Orange Circles.htm	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0136865.WMF	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR7B.GIF	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarToolIconImagesMask.bmp	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\flyoutBack.png	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\slideShow.js	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-gibbous_partly-cloudy.png	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\MSTTSLoc.dll.mui	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\zipfs.jar	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\+README-WARNING+.txt	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01680_.WMF	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE05869_.WMF	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01294_.GIF	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\LightBlueRectangle.PNG	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_zh_4.4.0.v20140623020002.jar	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-7	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\settings.css	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\MSB1FREN.ITS	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292272.WMF	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSN.ICO	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\+README-WARNING+.txt	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200273.WMF	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\de-DE\Chess.exe.mui	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\settings.js	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\localizedSettings.css	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\README.TXT	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\XDPFile_8.ico.[FAAA5749].[[email protected]].SRC	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7EN.LEX	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\PAWPRINT.HTM	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\slideShow.css	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\OnLineBusy.ico	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\33.png	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Salta	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-3.png	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\STOCKS.DAT	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Green Bubbles.htm	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\sql2000.xsl	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\+README-WARNING+.txt	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\WMPDMCCore.dll.mui	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341557.JPG	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GostName.XSL	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipRes.dll.mui	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\+README-WARNING+.txt	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe

Drops file in Windows directory 1 IoCs

Processes:

2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe

description ioc process

File opened for modification C:\Windows\svchost.com 2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exeNOTEPAD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

2620 vssadmin.exe

pid	process
2620	vssadmin.exe

Modifies registry class 1 IoCs

Processes:

2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe

pid process

1624 2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe

pid	process
1624	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

vssvc.exewbengine.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	3020	vssvc.exe
Token: SeRestorePrivilege	3020	vssvc.exe
Token: SeAuditPrivilege	3020	vssvc.exe
Token: SeBackupPrivilege	1060	wbengine.exe
Token: SeRestorePrivilege	1060	wbengine.exe
Token: SeSecurityPrivilege	1060	wbengine.exe
Token: SeIncreaseQuotaPrivilege	1288	WMIC.exe
Token: SeSecurityPrivilege	1288	WMIC.exe
Token: SeTakeOwnershipPrivilege	1288	WMIC.exe
Token: SeLoadDriverPrivilege	1288	WMIC.exe
Token: SeSystemProfilePrivilege	1288	WMIC.exe
Token: SeSystemtimePrivilege	1288	WMIC.exe
Token: SeProfSingleProcessPrivilege	1288	WMIC.exe
Token: SeIncBasePriorityPrivilege	1288	WMIC.exe
Token: SeCreatePagefilePrivilege	1288	WMIC.exe
Token: SeBackupPrivilege	1288	WMIC.exe
Token: SeRestorePrivilege	1288	WMIC.exe
Token: SeShutdownPrivilege	1288	WMIC.exe
Token: SeDebugPrivilege	1288	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1288	WMIC.exe
Token: SeRemoteShutdownPrivilege	1288	WMIC.exe
Token: SeUndockPrivilege	1288	WMIC.exe
Token: SeManageVolumePrivilege	1288	WMIC.exe
Token: 33	1288	WMIC.exe
Token: 34	1288	WMIC.exe
Token: 35	1288	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1288	WMIC.exe
Token: SeSecurityPrivilege	1288	WMIC.exe
Token: SeTakeOwnershipPrivilege	1288	WMIC.exe
Token: SeLoadDriverPrivilege	1288	WMIC.exe
Token: SeSystemProfilePrivilege	1288	WMIC.exe
Token: SeSystemtimePrivilege	1288	WMIC.exe
Token: SeProfSingleProcessPrivilege	1288	WMIC.exe
Token: SeIncBasePriorityPrivilege	1288	WMIC.exe
Token: SeCreatePagefilePrivilege	1288	WMIC.exe
Token: SeBackupPrivilege	1288	WMIC.exe
Token: SeRestorePrivilege	1288	WMIC.exe
Token: SeShutdownPrivilege	1288	WMIC.exe
Token: SeDebugPrivilege	1288	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1288	WMIC.exe
Token: SeRemoteShutdownPrivilege	1288	WMIC.exe
Token: SeUndockPrivilege	1288	WMIC.exe
Token: SeManageVolumePrivilege	1288	WMIC.exe
Token: 33	1288	WMIC.exe
Token: 34	1288	WMIC.exe
Token: 35	1288	WMIC.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.execmd.exe

description	pid	process	target process
PID 2380 wrote to memory of 1624	2380	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
PID 2380 wrote to memory of 1624	2380	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
PID 2380 wrote to memory of 1624	2380	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
PID 2380 wrote to memory of 1624	2380	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
PID 1624 wrote to memory of 2588	1624	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe	cmd.exe
PID 1624 wrote to memory of 2588	1624	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe	cmd.exe
PID 1624 wrote to memory of 2588	1624	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe	cmd.exe
PID 1624 wrote to memory of 2588	1624	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe	cmd.exe
PID 2588 wrote to memory of 2620	2588	cmd.exe	vssadmin.exe
PID 2588 wrote to memory of 2620	2588	cmd.exe	vssadmin.exe
PID 2588 wrote to memory of 2620	2588	cmd.exe	vssadmin.exe
PID 2588 wrote to memory of 1992	2588	cmd.exe	wbadmin.exe
PID 2588 wrote to memory of 1992	2588	cmd.exe	wbadmin.exe
PID 2588 wrote to memory of 1992	2588	cmd.exe	wbadmin.exe
PID 2588 wrote to memory of 1288	2588	cmd.exe	WMIC.exe
PID 2588 wrote to memory of 1288	2588	cmd.exe	WMIC.exe
PID 2588 wrote to memory of 1288	2588	cmd.exe	WMIC.exe
PID 1624 wrote to memory of 2644	1624	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe	NOTEPAD.EXE
PID 1624 wrote to memory of 2644	1624	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe	NOTEPAD.EXE
PID 1624 wrote to memory of 2644	1624	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe	NOTEPAD.EXE
PID 1624 wrote to memory of 2644	1624	2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe	NOTEPAD.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\3582-490\2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe"
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2620
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:1992
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1288
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\+README-WARNING+.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2644

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2676

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2764

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Windows Management Instrumentation

1

T1047

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Direct Volume Access

1

T1006

Indicator Removal

3

T1070

File Deletion

Modify Registry

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\+README-WARNING+.txt

Filesize
1KB

MD5
1a80c54ec6c91ad26568dbb776af7b44

SHA1
f0931e5bd93a6b36393494f978f864c135a7d0af

SHA256
836a753bf4c2261ec1e1ad3c761c9fcded1342de63ad70a1eac2826ddb8e1254

SHA512
d09f605733927fc2bff169757b38af0cfb724b30ff40316a915f0c26a1e6d453913a35440040cafd974288cc37a31426413a0e814744f7bfad9dcb7088381cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

Filesize
244B

MD5
3f39441e118c098c882ddc01126aab39

SHA1
88794334fae7e8d60a4e21ae5ae995b7209fe60b

SHA256
8c37418218402473d9d8f55a133debd4477619805a3afd6420212f89cd9574e9

SHA512
2ba9151c00f540f7d9a84d134227a9b8369e5baa222a6ea04990b5ff84031f38ceac03cb5e62782b5d47f5f41834ea9c3482a874fb53cc68f59ccd45db752d9a

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\2024-10-05_d95283d331eded844f64dde393e81d2f_makop_neshta.exe

Filesize
49KB

MD5
a60e2c0dec417d2dabe40c003f39c4f2

SHA1
4e7dc90c06429690c189097dac853d52812a2344

SHA256
52d89ac9f3b1c74c978618f81b9323ffa8d4b8ace29b12f82bade43fca90719e

SHA512
bdd2aec4b807c7c3205d23d918a1c557edc18b31506ae20d1a06d5059eb3c08b53775d7dd72eb05b8d29c2782b50c567c5c0b782461612dda06c9aa1e82b7f14

Download Submit
memory/2380-459-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2380-461-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads