Analysis

  • max time kernel
    116s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-12-2024 06:22

General

  • Target

    2024-12-13_c7dbe50a0be47a0c5592f8ec23e89126_makop_neshta.exe

  • Size

    90KB

  • MD5

    c7dbe50a0be47a0c5592f8ec23e89126

  • SHA1

    822e523504367b59aa71c4613e8ea2b4f75ca135

  • SHA256

    3f70b5fdede89711449f75f19ee147da0ff23d030c8509964e87448a759d66af

  • SHA512

    ba6c57a6ff020318e9b284e48bf40089a644b202e62ddc7badc1ee1563bc07a62674aa90a94c2f5bfdfe24477336a4de71a0b3fa449e81046a49d0ce3f142f64

  • SSDEEP

    1536:JxqjQ+P04wsmJCWBYxYUbyCD183dAalnudHyFj6cBSfdYO1:sr85CIYx/PD18endsOcBSfaO1

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\+README-WARNING+.txt

Ransom Note
YOUR FILES ARE ENCRYPTED

Your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.

To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets,sql. etc.)

Do you really want to restore your files? Write to email: [email protected]

Your personal ID is indicated in the names of the files and in the end of this message, before writing a message by email - indicate the name of the ID indicated in the files IN THE SUBJECT OF THE EMAIL

Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

YOUR ID: 29589DF0

Signatures

  • Detect Neshta payload 3 IoCs
  • MAKOP ransomware payload 1 IoCs
  • Makop

    Ransomware family discovered by @VK_Intel in early 2020.

  • Makop family
  • Neshta

    Neshta is a file infector: it prepends its own body to other executables so that they carry and spread it, and it hijacks the system .exe file association (see "Modifies system executable filetype association" below) so that the infector runs before any program the user launches. When an infected file is executed, the infector extracts the original program to a Temp\3582-490 directory and runs it from there; in this run that extracted original is the Makop payload, which is why the submitted sample is 90KB while the dropped copy is 49KB.

  • Neshta family
  • Deletes shadow copies 3 TTPs

    Ransomware commonly deletes Volume Shadow Copies and other backups before or during encryption so the victim cannot roll files back (MITRE ATT&CK T1490, Inhibit System Recovery).

  • Renames multiple (8282) files with added filename extension

    Appending a new extension to thousands of files in a single run is the file-system footprint of bulk encryption. The ransom note states that the victim ID (29589DF0 here) is embedded in the renamed file names, so an encrypted file name alone identifies the victim to the operators.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery: "wbadmin delete catalog -quiet" removes the Windows Backup catalog, so backups taken with Windows Backup can no longer be enumerated or restored from the local machine.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.
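
The Neshta signature above matters for triage because the hashes of an infected file describe the infector plus the host, not the payload alone; the 49KB file the sandbox lists under Temp\3582-490 is the original program that the infector carved out of itself. The following is an added example, not part of this report and not a published Neshta tool: a generic prepender carve in Python that finds every validated PE header in a file and splits the host out after the first one. The MZ/PE blobs it builds are constructed test data, not real executables, and the assumption that the infector's own image contains no embedded PE header (so the second valid header is the host) is stated in the code.

```python
import struct

PE_SIG = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C


def build_fake_pe(tag: bytes, body_len: int) -> bytes:
    """Build a minimal blob that passes the MZ/e_lfanew/PE checks below.

    Constructed test data for this example only; it is not a loadable
    executable and is not derived from the sample in the report.
    """
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    return bytes(dos) + PE_SIG + tag + b"\0" * body_len


def pe_header_offsets(data: bytes) -> list:
    """Return offsets of every 'MZ' whose e_lfanew points at a PE signature.

    A bare 'MZ' inside code or data is common, so each candidate is
    validated through its e_lfanew pointer instead of being trusted.
    """
    found = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + E_LFANEW_OFFSET)[0]
            pe = pos + e_lfanew
            # The NT header must follow the DOS header and lie inside the
            # file; 0x1000 is an assumed upper bound for a DOS stub, not a
            # limit imposed by the PE format.
            if (0x40 <= e_lfanew < 0x1000 and pe + 4 <= len(data)
                    and data[pe:pe + 4] == PE_SIG):
                found.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return found


def carve_host(infected: bytes):
    """Split a prepender-infected file into (infector_stub, original_host).

    Assumption: the infector's own image holds no embedded PE, so the second
    validated header is the start of the host. Returns None when fewer than
    two headers are present, i.e. the file does not look infected.
    """
    offsets = pe_header_offsets(infected)
    if len(offsets) < 2:
        return None
    host_off = offsets[1]
    return infected[:host_off], infected[host_off:]


if __name__ == "__main__":
    # Stray 'MZ' inside the stub body exercises the false-positive filter.
    stub = build_fake_pe(b"FAKE-STUB-MZ-INSIDE", 300)
    host = build_fake_pe(b"HOST", 200)
    carved = carve_host(stub + host)
    print("stub bytes:", len(carved[0]), "host bytes:", len(carved[1]))
```

On a real infected sample, hash the carved host separately and compare it with the sandbox's dropped 3582-490 file before pivoting on hashes; the infector's stub is the same across unrelated victims, so hashes of the combined file cluster on Neshta rather than on the payload you actually care about.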

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-13_c7dbe50a0be47a0c5592f8ec23e89126_makop_neshta.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-13_c7dbe50a0be47a0c5592f8ec23e89126_makop_neshta.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2488
    • C:\Users\Admin\AppData\Local\Temp\3582-490\2024-12-13_c7dbe50a0be47a0c5592f8ec23e89126_makop_neshta.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-12-13_c7dbe50a0be47a0c5592f8ec23e89126_makop_neshta.exe"
      2⤵
      • Executes dropped EXE
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2108
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2140
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:1724
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1864
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\+README-WARNING+.txt
        3⤵
        • System Location Discovery: System Language Discovery
        PID:776
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\+README-WARNING+.txt
        3⤵
        PID:10724
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2520
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2292
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:1952
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    PID:1072
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    PID:2160
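
The cmd.exe child of the extracted payload (PID 2684) issues the three recovery-inhibition commands in the tree: "vssadmin delete shadows /all /quiet", "wbadmin delete catalog -quiet" and "wmic shadowcopy delete". The sibling vssvc.exe, wbengine.exe, vdsldr.exe and vds.exe entries are the service-side processes those commands wake up, not malware. As an added example, not part of the sandbox report, here is a Python detector that runs over constructed Sysmon Event ID 1 style process-creation events modelled on this tree, flags each of the three commands, walks up through shell processes to the originating executable, and correlates multiple techniques from one origin. The field names, the parent PID 1000 of the top-level processes and the two benign "vssadmin list shadows" events are assumptions made for the example.

```python
import re

SAMPLE = "2024-12-13_c7dbe50a0be47a0c5592f8ec23e89126_makop_neshta.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"


def ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# Constructed events modelled on the process tree in this report. Not real
# log output: parent PID 1000 and the two benign events are invented.
EVENTS = [
    ev(2488, 1000, TEMP + "\\" + SAMPLE, f'"{TEMP}\\{SAMPLE}"'),
    ev(2684, 2488, TEMP + "\\3582-490\\" + SAMPLE, f'"{TEMP}\\3582-490\\{SAMPLE}"'),
    ev(2108, 2684, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    ev(2140, 2108, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ev(1724, 2108, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    ev(1864, 2108, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    # Constructed benign noise: an operator listing shadow copies must not fire.
    ev(3001, 1000, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    ev(3002, 3001, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),
]

# One rule per command seen in the tree (ATT&CK T1490). Case-insensitive and
# tolerant of quoting, full image paths and /quiet versus -quiet switches.
INHIBIT_RECOVERY = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
]

# Shells are skipped when attributing a command to its real origin.
SHELLS = {"cmd.exe", "powershell.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_inhibit_recovery(events):
    """Return one hit per matching command line, attributed to the first
    non-shell ancestor (here the extracted payload, PID 2684)."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        for rule, rx in INHIBIT_RECOVERY:
            if not rx.search(e["cmdline"]):
                continue
            origin = by_pid.get(e["ppid"])
            while origin is not None and basename(origin["image"]) in SHELLS:
                origin = by_pid.get(origin["ppid"])
            hits.append({
                "rule": rule,
                "pid": e["pid"],
                "cmdline": e["cmdline"],
                "origin_pid": origin["pid"] if origin else None,
                "origin_image": origin["image"] if origin else None,
            })
    return hits


def correlate(hits, threshold=2):
    """Group hits by origin; an origin using at least `threshold` distinct
    techniques is the high-confidence ransomware alert."""
    by_origin = {}
    for h in hits:
        by_origin.setdefault(h["origin_pid"], set()).add(h["rule"])
    return {pid: sorted(rules) for pid, rules in by_origin.items() if len(rules) >= threshold}


if __name__ == "__main__":
    found = find_inhibit_recovery(EVENTS)
    for h in found:
        print(h["rule"], "pid", h["pid"], "origin", h["origin_pid"], h["origin_image"])
    print("correlated:", correlate(found))
```

Attributing to the first non-shell ancestor is what turns three per-process alerts into one alert on the payload in Temp\3582-490; a rule that only keys on vssadmin.exe would point at cmd.exe and leave the analyst to walk the tree by hand. The benign "vssadmin list shadows" event is included because a loose rule on the vssadmin image alone fires on routine administration.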

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

            Filesize

            547KB

            MD5

            cf6c595d3e5e9667667af096762fd9c4

            SHA1

            9bb44da8d7f6457099cb56e4f7d1026963dce7ce

            SHA256

            593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

            SHA512

            ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

          • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\+README-WARNING+.txt

            Filesize

            1KB

            MD5

            7322f3ca7de40bdd4e74d2bd466c6f90

            SHA1

            04a996156e10f44f87407732e60566ace0963f7d

            SHA256

            ed598f332122d2daf63414318109015824b6fd3d8f35422d9cf1ed48d2516bfb

            SHA512

            b527a716b42321bc43660c98e82966d11a2b3c7b10eb13f794d3b87d900ee6cfefaa1f8ac909037ae51200baf2aa8f8beb07bb21264d3619a0d13e09861260a9

          • C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

            Filesize

            244B

            MD5

            282a39cf9188c44fa8880b5e9e1cf95b

            SHA1

            f7e888c7e62752cc57f8ee81a8ca42688795fd6e

            SHA256

            118a1a121a29546fcee52f3166d6a6bff27cd3a14ba9563a88adfbc5e3faf149

            SHA512

            5a550cbffae64affc61c0f9ae930b36ba867c14f005af35bb5be5204bf8eeed07376b5f15c237e473a99602e3b8c51124b886c26b8895890b4ac99d1a9c0d64c

          • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

            Filesize

            252KB

            MD5

            9e2b9928c89a9d0da1d3e8f4bd96afa7

            SHA1

            ec66cda99f44b62470c6930e5afda061579cde35

            SHA256

            8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

            SHA512

            2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

          • \Users\Admin\AppData\Local\Temp\3582-490\2024-12-13_c7dbe50a0be47a0c5592f8ec23e89126_makop_neshta.exe

            Filesize

            49KB

            MD5

            0f464fe6fb33396c435b797d16d4073c

            SHA1

            67dceb30cca1dfdd136f439fb8c3813035549c8b

            SHA256

            245d77ec0901975b12ac866614ffb4259e1d01d8284a6e9d1424e91c10e608fa

            SHA512

            59826f5113848dc46f3228c3a17777840bb845783a1dfa7931ad710e7a72a930b7e14bd5c1ee6a0dd9d6c219ba4fe1427d0f7e45fb1d68aedd967a0b58f2e0f0

          • memory/2488-459-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB

          • memory/2488-478-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB