Analysis
-
max time kernel
62s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
13-12-2024 06:29
Behavioral task
behavioral1
Sample
2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe
-
Size
49KB
-
MD5
0f464fe6fb33396c435b797d16d4073c
-
SHA1
67dceb30cca1dfdd136f439fb8c3813035549c8b
-
SHA256
245d77ec0901975b12ac866614ffb4259e1d01d8284a6e9d1424e91c10e608fa
-
SHA512
59826f5113848dc46f3228c3a17777840bb845783a1dfa7931ad710e7a72a930b7e14bd5c1ee6a0dd9d6c219ba4fe1427d0f7e45fb1d68aedd967a0b58f2e0f0
-
SSDEEP
768:7AxPvDRD1ayCt3LSUS6QCA3KlRDsKeqRO8785F7HyFj6cBCE2fje0YADWQsMO30/:7CD183dAalnudHyFj6cBSfdYOOBYxYU
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\+README-WARNING+.txt
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (2803) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 2980 wbadmin.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 3 iplogger.com 4 iplogger.com -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Inuvik 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_zh_CN.jar 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sampler.jar 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Windows Media Player\ja-JP\WMPMediaSharing.dll.mui 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\7-Zip\Lang\ne.txt 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Lima 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui_5.5.0.165303.jar 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_zh_CN.jar 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-heapwalker.xml 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_zh_CN.jar 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Windows Media Player\it-IT\wmpnssci.dll.mui 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_ja_4.4.0.v20140623020002.jar 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Madrid 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File created C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\+README-WARNING+.txt 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\vlc.mo 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\icon.png 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Atikokan 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Microsoft Games\Minesweeper\en-US\Minesweeper.exe.mui 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+9 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_olv.css 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_zh_CN.jar 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-hot.png 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-actions_zh_CN.jar 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\vlc.mo 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\7-Zip\Lang\fi.txt 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-loaders_zh_CN.jar 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Swift_Current 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Yakutsk 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\default_thumb.jpg 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\jfluid-server_ja.jar 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Managua 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_content-background.png 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\FindWatch.ico 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bahia 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\+README-WARNING+.txt 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_ja.jar 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\ResolveFind.aif 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_VideoInset.png 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Hong_Kong 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Microsoft Games\Mahjong\de-DE\Mahjong.exe.mui 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File created C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\+README-WARNING+.txt 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\vlc.mo 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\intf\dumpmeta.luac 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_right.png 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net_1.2.200.v20140124-2013.jar 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-execution.jar 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jre7\lib\management-agent.jar 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jre7\release 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\MoveRestore.potm 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File created C:\Program Files\VideoLAN\VLC\lua\http\requests\+README-WARNING+.txt 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_settings.png 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Boise 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-modules-profiler_visualvm.jar 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Cayenne 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File created C:\Program Files\Microsoft Games\FreeCell\fr-FR\+README-WARNING+.txt 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File created C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\+README-WARNING+.txt 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Windows Journal\de-DE\MSPVWCTL.DLL.mui 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Manila 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_zh_4.4.0.v20140623020002.jar 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1892 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1968 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process Token: SeBackupPrivilege 2240 vssvc.exe Token: SeRestorePrivilege 2240 vssvc.exe Token: SeAuditPrivilege 2240 vssvc.exe Token: SeBackupPrivilege 2860 wbengine.exe Token: SeRestorePrivilege 2860 wbengine.exe Token: SeSecurityPrivilege 2860 wbengine.exe Token: SeIncreaseQuotaPrivilege 2768 WMIC.exe Token: SeSecurityPrivilege 2768 WMIC.exe Token: SeTakeOwnershipPrivilege 2768 WMIC.exe Token: SeLoadDriverPrivilege 2768 WMIC.exe Token: SeSystemProfilePrivilege 2768 WMIC.exe Token: SeSystemtimePrivilege 2768 WMIC.exe Token: SeProfSingleProcessPrivilege 2768 WMIC.exe Token: SeIncBasePriorityPrivilege 2768 WMIC.exe Token: SeCreatePagefilePrivilege 2768 WMIC.exe Token: SeBackupPrivilege 2768 WMIC.exe Token: SeRestorePrivilege 2768 WMIC.exe Token: SeShutdownPrivilege 2768 WMIC.exe Token: SeDebugPrivilege 2768 WMIC.exe Token: SeSystemEnvironmentPrivilege 2768 WMIC.exe Token: SeRemoteShutdownPrivilege 2768 WMIC.exe Token: SeUndockPrivilege 2768 WMIC.exe Token: SeManageVolumePrivilege 2768 WMIC.exe Token: 33 2768 WMIC.exe Token: 34 2768 WMIC.exe Token: 35 2768 WMIC.exe Token: SeIncreaseQuotaPrivilege 2768 WMIC.exe Token: SeSecurityPrivilege 2768 WMIC.exe Token: SeTakeOwnershipPrivilege 2768 WMIC.exe Token: SeLoadDriverPrivilege 2768 WMIC.exe Token: SeSystemProfilePrivilege 2768 WMIC.exe Token: SeSystemtimePrivilege 2768 WMIC.exe Token: SeProfSingleProcessPrivilege 2768 WMIC.exe Token: SeIncBasePriorityPrivilege 2768 WMIC.exe Token: SeCreatePagefilePrivilege 2768 WMIC.exe Token: SeBackupPrivilege 2768 WMIC.exe Token: SeRestorePrivilege 2768 WMIC.exe Token: SeShutdownPrivilege 2768 WMIC.exe Token: SeDebugPrivilege 2768 WMIC.exe Token: SeSystemEnvironmentPrivilege 2768 WMIC.exe Token: SeRemoteShutdownPrivilege 2768 WMIC.exe Token: SeUndockPrivilege 2768 WMIC.exe Token: SeManageVolumePrivilege 2768 WMIC.exe Token: 33 2768 WMIC.exe Token: 34 2768 WMIC.exe Token: 35 2768 WMIC.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 1968 wrote to memory of 2284 1968 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe 30 PID 1968 wrote to memory of 2284 1968 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe 30 PID 1968 wrote to memory of 2284 1968 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe 30 PID 1968 wrote to memory of 2284 1968 2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe 30 PID 2284 wrote to memory of 1892 2284 cmd.exe 32 PID 2284 wrote to memory of 1892 2284 cmd.exe 32 PID 2284 wrote to memory of 1892 2284 cmd.exe 32 PID 2284 wrote to memory of 2980 2284 cmd.exe 35 PID 2284 wrote to memory of 2980 2284 cmd.exe 35 PID 2284 wrote to memory of 2980 2284 cmd.exe 35 PID 2284 wrote to memory of 2768 2284 cmd.exe 39 PID 2284 wrote to memory of 2768 2284 cmd.exe 39 PID 2284 wrote to memory of 2768 2284 cmd.exe 39 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe"C:\Users\Admin\AppData\Local\Temp\2024-12-13_0f464fe6fb33396c435b797d16d4073c_makop.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1892
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
PID:2980
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2768
-
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\+README-WARNING+.txt2⤵PID:2732
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2240
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2860
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:2780
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:2744
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1740
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5431cf2d5a128f54475277bdfca567935
SHA1d8ec6f1a896e197a75c1230651f57df2f88dec23
SHA25665df02bf9226ba79e147b3cbcfab5b03837eec497b7b251ceab0babd4ea909c5
SHA512b77345f1865424bc4996ec2baf97e12680d163381f920936c2a035b4158258e4161697fe1565c85db55f794cbdb01f9c0ae188dc71be584bbe5e46309e8a237d