Overview

overview

10

Static

static

10

2024-10-16...op.exe

windows7-x64

9

2024-10-16...op.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    122s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16-10-2024 00:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-10-16_2e727ff87d475ae3609cb6222b8dd2fc_makop.exe

  • Size

    42KB

  • MD5

    2e727ff87d475ae3609cb6222b8dd2fc

  • SHA1

    b751273e0a3eaa59babf79c554dc5ca8203682d3

  • SHA256

    62f796350dae2c66d9505c47f29569410d520d1cf17e33ef2be5d0a2358fb094

  • SHA512

    49fbdc668cd70d98333bddf33073c0640d97f029d413787db4b81443185e3bfe32af82c5ac91604fcb788ac7c7e37c16be6599ba4b5272d63a530a337db955fe

  • SSDEEP

    768:AO1oR/v5VS1RzK4wbs+D/SIJX+ZZ1SQQwZuIOPzD5Hu85jWas3P5EzJWRB8:AnXS1FKnDtkuImr8as3qJWRB8

Score
9/10
defense_evasiondiscoveryexecutionimpactransomwarespywarestealer

Malware Config

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (8285) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-16_2e727ff87d475ae3609cb6222b8dd2fc_makop.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-16_2e727ff87d475ae3609cb6222b8dd2fc_makop.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Users\Admin\AppData\Local\Temp\2024-10-16_2e727ff87d475ae3609cb6222b8dd2fc_makop.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-10-16_2e727ff87d475ae3609cb6222b8dd2fc_makop.exe" n2692
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2132
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2648
      • C:\Windows\system32\wbadmin.exe
        wbadmin delete catalog -quiet
        3⤵
        • Deletes backup catalog
        PID:1532
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1156
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 5 & fsutil file setZeroData offset=0 length=131072 "C:\Users\Admin\AppData\Local\Temp\2024-10-16_2e727ff87d475ae3609cb6222b8dd2fc_makop.exe" & del /q /f "C:\Users\Admin\AppData\Local\Temp\2024-10-16_2e727ff87d475ae3609cb6222b8dd2fc_makop.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:844
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 5
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2112
      • C:\Windows\SysWOW64\fsutil.exe
        fsutil file setZeroData offset=0 length=131072 "C:\Users\Admin\AppData\Local\Temp\2024-10-16_2e727ff87d475ae3609cb6222b8dd2fc_makop.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1668
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2720
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2572
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:2792
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
        PID:3004
      • C:\Windows\system32\Dwm.exe
        "C:\Windows\system32\Dwm.exe"
        1⤵
          PID:2756

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        Windows Management Instrumentation

        1
        T1047

        Persistence

        Privilege Escalation

        Defense Evasion

        Direct Volume Access

        1
        T1006

        Indicator Removal

        3
        T1070

        File Deletion

        3
        T1070.004

        Modify Registry

        1
        T1112

        Credential Access

        Credentials from Password Stores

        1
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Query Registry

        1
        T1012

        Remote System Discovery

        1
        T1018

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        System Network Configuration Discovery

        1
        T1016

        Internet Connection Discovery

        1
        T1016.001

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Command and Control

        Web Service

        1
        T1102

        Exfiltration

        Impact

        Defacement

        1
        T1491

        Inhibit System Recovery

        3
        T1490

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\+README-WARNING+.txt
          Filesize

          919B

          MD5

          04c7aea59a3ae8e3b7d983f6d9a7d316

          SHA1

          fa0cea315b8d4017103f65f5408fdf63131b2677

          SHA256

          5f48e814027d6b60e015d878bffa8d4f2141304df00e9b2215152d28dc68cd84

          SHA512

          f9964d07e41fc869e3ebee9c1cc3e642d74978b55858c9a808b55170eb3531120e0bff9f8583c19477ae13fb70dc09f07bb2067b5c545ac73b35c49e87b36281

          Download Submit