Analysis
max time kernel: 65s
max time network: 155s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 18/02/2025, 12:34
Behavioral task: behavioral1
Sample: 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
Resource: win10v2004-20250217-en
General
Target: 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
Size: 49KB
MD5: 5c0eb83fc20cd39fd9b66310d91c9f8f
SHA1: 8d0a53c54ea13b3bfe5b7e64b443f957b4b1b41a
SHA256: b9d15b25c5b1e16e0264cc2f0569fd3be50b5ebdc2a240eb3d831b46f71629a8
SHA512: 6a6607e5e58a9aa678aa3fcc871a40418e6dc00f43f7041d46bfb87c8e64061713c0141ce2a72b8cbd0188c72cdf430b36807145ed27c4c8ac5d231f6dfc25e6
SSDEEP: 768:iAxPvTRD1ayCt3LSUS6QCA3KlRDsKeqRO8785F7HyFj6cBCE2fje0YADPHvcVSa5:iqD183dAalnudHyFj6cBSfdYO3cVSag
Malware Config
Signatures
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
Renames multiple (2777) files with added filename extension
This suggests ransomware activity: the sample encrypts files across the system and renames each one by appending an extension.
Deletes backup catalog (flagged on wbadmin.exe, PID 2224, in the process tree below)
pid Process
2224 wbadmin.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc
3 iplogger.com
4 iplogger.com
Drops file in Program Files directory 64 IoCs
description ioc (Process for every entry: 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe)
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\eclipse.inf
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml
File opened for modification C:\Program Files\Java\jre7\lib\security\java.policy
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-docked.png
File opened for modification C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_selectionsubpicture.png
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ru.jar
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Berlin
File opened for modification C:\Program Files\Java\jre7\lib\zi\Indian\Mauritius
File created C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\+README-WARNING+.txt
File opened for modification C:\Program Files\7-Zip\Lang\it.txt
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\Louisville
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nassau
File created C:\Program Files\Java\jre7\lib\zi\America\Argentina\+README-WARNING+.txt
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\+README-WARNING+.txt
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository_1.2.100.v20131209-2144.jar
File created C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\+README-WARNING+.txt
File opened for modification C:\Program Files\Common Files\System\ado\msadomd28.tlb
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\+README-WARNING+.txt
File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\liveleak.luac
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-3
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Hermosillo
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Qyzylorda
File created C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\+README-WARNING+.txt
File opened for modification C:\Program Files\Internet Explorer\en-US\F12Resources.dll.mui
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Los_Angeles
File created C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\+README-WARNING+.txt
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG_PAL.wmv
File created C:\Program Files\Microsoft Games\Chess\it-IT\+README-WARNING+.txt
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_h.png
File opened for modification C:\Program Files\7-Zip\Lang\bn.txt
File opened for modification C:\Program Files\7-Zip\Lang\mng.txt
File opened for modification C:\Program Files\Common Files\System\msadc\handler.reg
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Denver
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_ja_4.4.0.v20140623020002.jar
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\gadget.xml
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-3.png
File opened for modification C:\Program Files\Java\jre7\lib\fonts\LucidaBrightDemiItalic.ttf
File opened for modification C:\Program Files\Java\jre7\Welcome.html
File opened for modification C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tegucigalpa
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.p2.ui.overridden_5.5.0.165303.jar
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_ja.jar
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_ja.jar
File opened for modification C:\Program Files\DVD Maker\offset.ax
File opened for modification C:\Program Files\Internet Explorer\images\bing.ico
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_ja_4.4.0.v20140623020002.jar
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UCT
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Resolute
File created C:\Program Files\Microsoft Games\FreeCell\es-ES\+README-WARNING+.txt
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\ij.bat
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Khartoum
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs_5.5.0.165303.jar
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Thimphu
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_ja_4.4.0.v20140623020002.jar
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_zh_4.4.0.v20140623020002.jar
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Costa_Rica
File opened for modification C:\Program Files\Common Files\System\msadc\adcjavas.inc
The "File created" entries are all the same note file, +README-WARNING+.txt, dropped into each directory the sample walks; the "File opened for modification" entries are the files it touches in the same directories.
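The two file-system traits the signatures above report, many files renamed with an extension appended and one note file created in directory after directory, are both visible in plain file-event telemetry. The following is an added example (not sandbox output and not code from the sample) that scores file events per process on those two traits. The events are constructed: the '.locked' suffix, the file names and the benign pid 777 are invented for illustration, and only the note name +README-WARNING+.txt and the directory names are taken from this report.

```python
import ntpath
from collections import Counter, defaultdict

NOTE_NAME = "+README-WARNING+.txt"  # ransom note name seen throughout this report


def build_sample_events():
    """Constructed file events as (op, pid, path, new_path). The '.locked'
    suffix, file names and the benign pid 777 are invented; the directory
    names echo locations listed in the report."""
    dirs = [
        r"C:\Program Files\7-Zip\Lang",
        r"C:\Program Files\Java\jre7\lib\zi\America",
        r"C:\Users\Admin\Documents",
    ]
    events = []
    for d in dirs:
        for i in range(10):
            src = ntpath.join(d, f"file{i}.txt")
            events.append(("rename", 2092, src, src + ".locked"))
        events.append(("create", 2092, ntpath.join(d, NOTE_NAME), None))
    # Benign: an editor finishing a save by renaming its temp file. The name
    # changes rather than gaining a suffix, so it must not count.
    events.append(("rename", 777,
                   r"C:\Users\Admin\Documents\report.docx.tmp",
                   r"C:\Users\Admin\Documents\report.docx"))
    return events


def added_extension(src, dst):
    """Return the suffix appended to an otherwise unchanged path, else None."""
    if dst.startswith(src) and len(dst) > len(src) + 1 and dst[len(src)] == ".":
        return dst[len(src):]
    return None


def score_processes(events, rename_threshold=20, note_dir_threshold=3):
    """Per pid: count renames that only append an extension (keyed by that
    extension) and the distinct directories the note was created in.
    Return findings for every pid that crosses either threshold."""
    renames = defaultdict(Counter)   # pid -> Counter(appended extension)
    note_dirs = defaultdict(set)     # pid -> directories holding a new note
    for op, pid, path, new_path in events:
        if op == "rename":
            ext = added_extension(path, new_path)
            if ext:
                renames[pid][ext] += 1
        elif op == "create" and ntpath.basename(path) == NOTE_NAME:
            note_dirs[pid].add(ntpath.dirname(path))

    findings = {}
    for pid in set(renames) | set(note_dirs):
        ext, count = (renames[pid].most_common(1) or [(None, 0)])[0]
        dirs = len(note_dirs[pid])
        reasons = []
        if count >= rename_threshold:
            reasons.append(f"{count} files renamed with '{ext}' appended")
        if dirs >= note_dir_threshold:
            reasons.append(f"{NOTE_NAME} created in {dirs} directories")
        if reasons:
            findings[pid] = {"ext": ext, "renamed": count,
                             "note_dirs": dirs, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for pid, finding in score_processes(build_sample_events()).items():
        print(pid, "; ".join(finding["reasons"]))
```

Keying the rename count on the appended extension, rather than on renames in general, is what separates this from ordinary editor and installer activity: a process that renames thousands of files to the same new suffix has one plausible explanation. The thresholds are placeholders to tune per environment; the sandbox's own trigger here was 2777 renames.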
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process
2764 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process
2092 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process (grouped by process; order as recorded)
vssvc.exe (PID 2860): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
wbengine.exe (PID 428): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
WMIC.exe (PID 1104), the following sequence recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (the last three are reported by privilege number only)
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target
PID 2092 (2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe) wrote to memory of 2896, procid_target 30 (4 entries)
PID 2896 (cmd.exe) wrote to memory of 2764, procid_target 32 (3 entries)
PID 2896 (cmd.exe) wrote to memory of 2224, procid_target 35 (3 entries)
PID 2896 (cmd.exe) wrote to memory of 1104, procid_target 39 (3 entries)
Every target is the writer's direct child in the process tree below, consistent with process creation rather than injection into an unrelated process.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indentation shows parent/child relationships)
C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe (PID 2092)
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe (PID 2896)
    command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe (PID 2764)
      command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
    C:\Windows\system32\wbadmin.exe (PID 2224)
      command line: wbadmin delete catalog -quiet
      - Deletes backup catalog
    C:\Windows\System32\Wbem\WMIC.exe (PID 1104)
      command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\NOTEPAD.EXE (PID 2340)
    command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\+README-WARNING+.txt
C:\Windows\system32\vssvc.exe (PID 2860)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbengine.exe (PID 428)
  command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\vdsldr.exe (PID 1800)
  command line: C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe (PID 3028)
  command line: C:\Windows\System32\vds.exe
C:\Windows\system32\Dwm.exe (PID 1968)
  command line: "C:\Windows\system32\Dwm.exe"
Three points in this tree matter for detection. First, cmd.exe is launched with no arguments, so the three backup-deletion commands never appear on its command line; they are visible only as the command lines of its children (vssadmin.exe, wbadmin.exe, WMIC.exe), and a rule that keys on cmd.exe arguments alone misses this chain. Second, vssvc.exe, wbengine.exe, vdsldr.exe and vds.exe are Windows services that start as a side effect of those calls; they appear as separate root processes because the service control manager starts them, and their AdjustPrivilegeToken hits are the services acquiring the backup and restore privileges they normally use. Third, NOTEPAD.EXE is recorded under SysWOW64 although its command line names system32, which is WOW64 file-system redirection and indicates the sample runs as a 32-bit process; it opens the ransom note it dropped on the desktop.
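The shadow-copy signatures and the process tree above describe one chain: the sample spawns an argument-less cmd.exe, which in turn runs vssadmin delete shadows, wbadmin delete catalog and wmic shadowcopy delete. The following is an added example, not sandbox output and not code from the sample, of how a detection can correlate those three children back to their origin from process-creation records, walking past the shell hop because cmd.exe itself carries nothing on its command line. The event records are constructed: PIDs, images and command lines follow this report (the sample's file name is shortened to sample.exe), the timestamps and the benign pid 4000/4001 tree are invented.

```python
import re
from collections import defaultdict

# One rule per backup-inhibition command seen in the process tree above.
# Case-insensitive; tolerates an ".exe" suffix and extra switches.
BACKUP_INHIBITION_RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
}

# Shell images whose own command line may say nothing (as with the cmd.exe in
# this report); matches are attributed to the first ancestor that is not one.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed process-creation events modelled on this report's tree. PIDs and
# command lines follow the report; timestamps and the 4000/4001 tree are invented.
SAMPLE_EVENTS = [
    {"ts": 0.0, "pid": 2092, "ppid": 1500, "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'},
    {"ts": 0.4, "pid": 2896, "ppid": 2092, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"ts": 0.6, "pid": 2764, "ppid": 2896, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"ts": 1.1, "pid": 2224, "ppid": 2896, "image": r"C:\Windows\system32\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"ts": 1.9, "pid": 1104, "ppid": 2896, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    # Unrelated admin activity: a single read-only query, no chain.
    {"ts": 5.0, "pid": 4000, "ppid": 900, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin list shadows"},
    {"ts": 5.2, "pid": 4001, "ppid": 4000, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]


def image_name(path):
    """Basename of a Windows image path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(cmdline):
    """Names of the rules a single command line matches (usually none or one)."""
    return [name for name, rx in BACKUP_INHIBITION_RULES.items() if rx.search(cmdline)]


def origin_of(pid, by_pid):
    """Walk ppid links upward past shell hops and return the pid of the first
    non-shell ancestor; fall back to the last known pid in the chain."""
    seen = set()
    cur = pid
    while cur not in seen:
        seen.add(cur)
        parent = by_pid.get(cur, {}).get("ppid")
        if parent is None or parent not in by_pid:
            return cur
        if image_name(by_pid[parent]["image"]) in SHELL_IMAGES:
            cur = parent
            continue
        return parent
    return cur


def find_chains(events, window_s=60.0, min_distinct_rules=2):
    """Group rule hits by origin process and alert once an origin accounts for
    at least `min_distinct_rules` different inhibition commands within `window_s`."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(list)  # origin pid -> [(ts, rule, child pid)]
    for e in events:
        for rule in classify(e["cmdline"]):
            hits[origin_of(e["pid"], by_pid)].append((e["ts"], rule, e["pid"]))

    alerts = []
    for origin, rows in hits.items():
        rows.sort()
        for i, (t0, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - t0 <= window_s]
            rules = sorted({r[1] for r in in_window})
            if len(rules) >= min_distinct_rules:
                alerts.append({
                    "origin_pid": origin,
                    "origin_image": by_pid[origin]["image"] if origin in by_pid else None,
                    "rules": rules,
                    "child_pids": sorted({r[2] for r in in_window}),
                })
                break  # one alert per origin
    return alerts


if __name__ == "__main__":
    for a in find_chains(SAMPLE_EVENTS):
        print(f"ALERT origin pid {a['origin_pid']} ({a['origin_image']}): "
              f"{', '.join(a['rules'])} via pids {a['child_pids']}")
```

Any single match is worth recording on its own; requiring two or more distinct commands from one origin is what raises the chain to a high-confidence alert and keeps a lone "vssadmin list shadows" from an administrator quiet. On a real sensor the same logic runs over Sysmon Event ID 1 or Security 4688 records, which carry the same pid, parent pid, image and command-line fields.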
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 911B
MD5: abb71b9a5c4d0f824c7be7b0bdd0b026
SHA1: 97faeaab7c0415b1962f2076b3398fd38901a9f9
SHA256: 84503976c6a8bb2266c72a0e155dde24f6bd2c40a55e8d27b4e2eaa938d88acf
SHA512: 7219f34c609362463ac1b402ddd6e7501b6624d525306eeaa50edc53664f7eec12dc9b7469a620da10464362d06a0867f8624f80f46ddde1ef8b54ba9200788b