Analysis

  • max time kernel
    130s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-10-2024 06:22

General

  • Target

    2024-10-07_048b493c1e9795a8d28a511d88b86f9e_makop.exe

  • Size

    49KB

  • MD5

    048b493c1e9795a8d28a511d88b86f9e

  • SHA1

    d4ab7061b3de8a4ca9875e343ed04f128f1d6bff

  • SHA256

    4aace7fd7ba4c0eb24454f9bbf161499363ff34fc5c2eb81b982a25cfc0fdd27

  • SHA512

    d340f31d9dc148cc6127643c43b95360372f073cbc3b469307df54977c403ac13b42ad95b1035299a51cb296eef711d4ebd278a4348d394aac5ad52b65afb99a

  • SSDEEP

    768:uaQRffTB31aCytHLykiKPT3JATD2qBwV2ckjbnsb0Ah99De0YADI3w9L86s7D7dG:uaK318HxZATvnsblYOIR6s7DM

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\+README-WARNING+.txt

Ransom Note
::: Greetings :::

DO NOT TRY TO CONTACT MIDDLEMAN OR ANY INTERMEDIARI THEY DONT HAVE THE ABBILITY TO RETURN YOUR FILES AND MOST LIKELY YOU WILL GET SCAMMED OR THEY WILL CHARGE THEIR FEE AND OUR FEE SO THINK THIS AS DOUBLE PRICE! ONLY US HAVE THE ABBILITY TO GET YOUR FILES BACK

Little FAQ:

.1. Q: Whats Happen?
A: Your files have been encrypted. The file structure was not damaged, we did everything possible so that this could not happen.

.2. Q: How to recover files?
A: If you wish to decrypt your files you will need to pay us in Bitcoin or any other cryptocurrency of our choice.

.3. Q: What about guarantees?
A: This is just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee.

.4. Q: How to contact with you?
A: You can write us to our mailboxes: [email protected]
In case not answer in 24 hours: [email protected]
Our telegram: https://t.me/decsupport24

.5. Q: How will the decryption process proceed after payment?
A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.

.6. Q: If I don’t want to pay bad people like you?
A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money.

:::BEWARE:::
DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files!
Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.
URLs

https://t.me/decsupport24

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (8352) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-07_048b493c1e9795a8d28a511d88b86f9e_makop.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-07_048b493c1e9795a8d28a511d88b86f9e_makop.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2688
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2944
      • C:\Windows\system32\wbadmin.exe
        wbadmin delete catalog -quiet
        3⤵
        • Deletes backup catalog
        PID:3028
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2420
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\+README-WARNING+.txt
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1396
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\+README-WARNING+.txt
      2⤵
      PID:2412
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2808
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2904
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:2576
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    PID:1816
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    PID:2336

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\+README-WARNING+.txt

    Filesize

    2KB

    MD5

    472f82964f7517a0ef8d6b9be98e716c

    SHA1

    37ac02bd1337b35fe4822862d8e289de97e61b97

    SHA256

    0dcf7e36e0afa341bd8f158cda9a7d29c0bdaa6631a2f20e93aae8e9cadc01fd

    SHA512

    ad9d13ab1616a0711e217c86591d3a425f8352455ff124c14c749d6679752e42eeeaedda637f4d877c1685fc3db0ce2c1a3206d96b3a5071b52b288502ba3df4