makop

General

Target

2024-12-13_c7dbe50a0be47a0c5592f8ec23e89126_makop_neshta
Size

90KB
Sample

241213-g4ycja1je1
MD5

c7dbe50a0be47a0c5592f8ec23e89126
SHA1

822e523504367b59aa71c4613e8ea2b4f75ca135
SHA256

3f70b5fdede89711449f75f19ee147da0ff23d030c8509964e87448a759d66af
SHA512

ba6c57a6ff020318e9b284e48bf40089a644b202e62ddc7badc1ee1563bc07a62674aa90a94c2f5bfdfe24477336a4de71a0b3fa449e81046a49d0ce3f142f64
SSDEEP

1536:JxqjQ+P04wsmJCWBYxYUbyCD183dAalnudHyFj6cBSfdYO1:sr85CIYx/PD18endsOcBSfaO1

Score

10^/10

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\+README-WARNING+.txt

Ransom Note

YOUR FILES ARE ENCRYPTED Your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets,sql. etc.) Do you really want to restore your files? Write to email: [email protected] Your personal ID is indicated in the names of the files and in the end of this message, before writing a message by email - indicate the name of the ID indicated in the files IN THE SUBJECT OF THE EMAIL Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. YOUR ID: 29589DF0

Emails

[email protected]

Extracted

Path

C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\+README-WARNING+.txt

Ransom Note

YOUR FILES ARE ENCRYPTED Your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets,sql. etc.) Do you really want to restore your files? Write to email: [email protected] Your personal ID is indicated in the names of the files and in the end of this message, before writing a message by email - indicate the name of the ID indicated in the files IN THE SUBJECT OF THE EMAIL Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. YOUR ID: 774D0185

Emails

[email protected]

Targets

- Target
  
  2024-12-13_c7dbe50a0be47a0c5592f8ec23e89126_makop_neshta
- Size
  
  90KB
- MD5
  
  c7dbe50a0be47a0c5592f8ec23e89126
- SHA1
  
  822e523504367b59aa71c4613e8ea2b4f75ca135
- SHA256
  
  3f70b5fdede89711449f75f19ee147da0ff23d030c8509964e87448a759d66af
- SHA512
  
  ba6c57a6ff020318e9b284e48bf40089a644b202e62ddc7badc1ee1563bc07a62674aa90a94c2f5bfdfe24477336a4de71a0b3fa449e81046a49d0ce3f142f64
- SSDEEP
  
  1536:JxqjQ+P04wsmJCWBYxYUbyCD183dAalnudHyFj6cBSfdYO1:sr85CIYx/PD18endsOcBSfaO1
Score

10^/10

makop neshta defense_evasion discovery execution impact persistence ransomware spyware stealer
- Detect Neshta payload
- MAKOP ransomware payload
- Makop
  Ransomware family discovered by @VK_Intel in early 2020.
  ransomware makop
- Makop family
  makop
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Neshta family
  neshta
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (8282) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2