Analysis

  • max time kernel
    62s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    13-12-2024 06:29

General

  • Target

    2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe

  • Size

    49KB

  • MD5

    0f464fe6fb33396c435b797d16d4073c

  • SHA1

    67dceb30cca1dfdd136f439fb8c3813035549c8b

  • SHA256

    245d77ec0901975b12ac866614ffb4259e1d01d8284a6e9d1424e91c10e608fa

  • SHA512

    59826f5113848dc46f3228c3a17777840bb845783a1dfa7931ad710e7a72a930b7e14bd5c1ee6a0dd9d6c219ba4fe1427d0f7e45fb1d68aedd967a0b58f2e0f0

  • SSDEEP

    768:7AxPvDRD1ayCt3LSUS6QCA3KlRDsKeqRO8785F7HyFj6cBCE2fje0YADWQsMO30/:7CD183dAalnudHyFj6cBSfdYOOBYxYU

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\+README-WARNING+.txt

Ransom Note
YOUR FILES ARE ENCRYPTED Your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets,sql. etc.) Do you really want to restore your files? Write to email: [email protected] Your personal ID is indicated in the names of the files and in the end of this message, before writing a message by email - indicate the name of the ID indicated in the files IN THE SUBJECT OF THE EMAIL Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. YOUR ID: 0C677A6E

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (2803) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2284
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1892
      • C:\Windows\system32\wbadmin.exe
        wbadmin delete catalog -quiet
        3⤵
        • Deletes backup catalog
        PID:2980
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2768
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\+README-WARNING+.txt
      2⤵
        PID:2732
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2240
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2860
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:2780
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
          PID:2744
        • C:\Windows\system32\Dwm.exe
          "C:\Windows\system32\Dwm.exe"
          1⤵
            PID:1740

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\+README-WARNING+.txt

            Filesize

            1KB

            MD5

            431cf2d5a128f54475277bdfca567935

            SHA1

            d8ec6f1a896e197a75c1230651f57df2f88dec23

            SHA256

            65df02bf9226ba79e147b3cbcfab5b03837eec497b7b251ceab0babd4ea909c5

            SHA512

            b77345f1865424bc4996ec2baf97e12680d163381f920936c2a035b4158258e4161697fe1565c85db55f794cbdb01f9c0ae188dc71be584bbe5e46309e8a237d