Resubmissions

27-01-2025 18:57

250127-xlytcaslej 10

27-01-2025 18:31

250127-w6e2as1pbn 10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-01-2025 18:57

General

  • Target

    2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe

  • Size

    41KB

  • MD5

    2ef05873f585d356665f0ea0fd8678ff

  • SHA1

    0be8c14efaf9752d48f8bf34ca5d75a40284967b

  • SHA256

    cb4957ca31c15745b25aaf474f66582daf99a9060a54f31aa5557317ea010684

  • SHA512

    785bbb3090af3f82aa0ff501f761f66e3904ffd6707da39667ce87e0478aa5adcd8c8060e0472e460322a55a037850418beeccd0145b1ec9a04b8bc8cd14c908

  • SSDEEP

    768:5xyl5HeOrgHICm1+Gu5NjY2eX7exwr2QB/9QSNTsryu+BFrForD8tMEWV+:585H7wLm14NtSmQeriBc8twV+

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme-warning.txt

Family

makop

Ransom Note
::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "CARLOS" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: [email protected] .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don't want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Signatures

  • Makop

    Ransomware family discovered by @VK_Intel in early 2020.

  • Makop family
  • Renames multiple (8517) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe"
    1⤵
    • Drops startup file
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe
      "C:\Users\Admin\AppData\Local\Temp\2025-01-27_2ef05873f585d356665f0ea0fd8678ff_makop.exe" n3020
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2196
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
        PID:1568
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1880

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini

    Filesize

    356B

    MD5

    7542ce4bb6ac16bf2caf114c20faa78f

    SHA1

    e448ca7e0d0fe056c39ba540b1637fc7ac44050f

    SHA256

    56cdd91c664b4a9320fc4c540b697e8a255184dee6280ef7ea82ee6d1609bf0c

    SHA512

    f10c3c4d905581b746c4edabed9c486a0093c46d0a086d7b3843624a672b274b793a4c8c7ee759a635e89c8a1369c5cf64aea99b3dcbd674302996c224f8d5db

  • C:\Users\Admin\Desktop\readme-warning.txt

    Filesize

    1KB

    MD5

    5b847e2c729d9b78c10c5a05a7f00e4d

    SHA1

    753c40fe7f8f18159eb9702660773502e7eb564a

    SHA256

    1647ba80119c23da45a2b01d70c8564a062122b9273f94f130379a4bead68435

    SHA512

    e450eff2150d7cec896a46391d51477c57f8cc22b41a66587d56b6d8b3642ea61cc52f85455521a2d8ced28ef284f20caca129eb01da73cf9bb29d902a9f3de0