Analysis
max time kernel: 92s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 18/02/2025, 12:45
Behavioral task: behavioral1
Sample: 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
Resource: win10v2004-20250217-en
General
Target: 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
Size: 49KB
MD5: 5c0eb83fc20cd39fd9b66310d91c9f8f
SHA1: 8d0a53c54ea13b3bfe5b7e64b443f957b4b1b41a
SHA256: b9d15b25c5b1e16e0264cc2f0569fd3be50b5ebdc2a240eb3d831b46f71629a8
SHA512: 6a6607e5e58a9aa678aa3fcc871a40418e6dc00f43f7041d46bfb87c8e64061713c0141ce2a72b8cbd0188c72cdf430b36807145ed27c4c8ac5d231f6dfc25e6
SSDEEP: 768:iAxPvTRD1ayCt3LSUS6QCA3KlRDsKeqRO8785F7HyFj6cBCE2fje0YADPHvcVSa5:iqD183dAalnudHyFj6cBSfdYO3cVSag
Malware Config
Signatures
Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Renames multiple (2793) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Deletes backup catalog (1 IoC)
pid | Process
2788 | wbadmin.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\RegisterConnect.vdw | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Africa\Abidjan | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Luis | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Port-au-Prince | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Singapore | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\ShvlRes.dll.mui | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Windows Journal\Templates\Genko_2.jtp | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File created | C:\Program Files\Microsoft Games\FreeCell\+README-WARNING+.txt | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Main_Background_Loading.png | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vilnius | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Argentina\Mendoza | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\chkrzm.exe.mui | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_rest.png | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+1 | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodicon.gif | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\CET | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa.[8EA81148].[[email protected]].scp | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Managua | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Windows Media Player\es-ES\wmpnssci.dll.mui | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_left.png | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\ParentMenuButtonIcon.png | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.metadata.repository.prefs | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_ja_4.4.0.v20140623020002.jar | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Africa\Ceuta | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Berlin | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\7-Zip\Lang\tr.txt | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Miquelon | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fy.txt | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\GRAY.pf | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Phoenix | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\plugins.dat | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Common Files\System\ado\msado25.tlb | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Los_Angeles | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.zh_CN_5.5.0.165303.jar | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_ja_4.4.0.v20140623020002.jar | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File created | C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\+README-WARNING+.txt | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground.wmv | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\Center | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tabskb.dll.mui | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+11 | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_ja.jar | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Microsoft Games\Mahjong\en-US\Mahjong.exe.mui | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\El_Salvador | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Fiji | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-io.xml | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_ja.jar | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Anchorage | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Windows Media Player\ja-JP\wmplayer.exe.mui | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_m.png | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
Interacts with shadow copies (3 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
2912 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid | Process
804 | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
description | pid | Process
Token: SeBackupPrivilege | 2984 | vssvc.exe
Token: SeRestorePrivilege | 2984 | vssvc.exe
Token: SeAuditPrivilege | 2984 | vssvc.exe
Token: SeBackupPrivilege | 2552 | wbengine.exe
Token: SeRestorePrivilege | 2552 | wbengine.exe
Token: SeSecurityPrivilege | 2552 | wbengine.exe
Token: SeIncreaseQuotaPrivilege | 2316 | WMIC.exe
Token: SeSecurityPrivilege | 2316 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2316 | WMIC.exe
Token: SeLoadDriverPrivilege | 2316 | WMIC.exe
Token: SeSystemProfilePrivilege | 2316 | WMIC.exe
Token: SeSystemtimePrivilege | 2316 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2316 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2316 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2316 | WMIC.exe
Token: SeBackupPrivilege | 2316 | WMIC.exe
Token: SeRestorePrivilege | 2316 | WMIC.exe
Token: SeShutdownPrivilege | 2316 | WMIC.exe
Token: SeDebugPrivilege | 2316 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2316 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2316 | WMIC.exe
Token: SeUndockPrivilege | 2316 | WMIC.exe
Token: SeManageVolumePrivilege | 2316 | WMIC.exe
Token: 33 | 2316 | WMIC.exe
Token: 34 | 2316 | WMIC.exe
Token: 35 | 2316 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 2316 | WMIC.exe
Token: SeSecurityPrivilege | 2316 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2316 | WMIC.exe
Token: SeLoadDriverPrivilege | 2316 | WMIC.exe
Token: SeSystemProfilePrivilege | 2316 | WMIC.exe
Token: SeSystemtimePrivilege | 2316 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2316 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2316 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2316 | WMIC.exe
Token: SeBackupPrivilege | 2316 | WMIC.exe
Token: SeRestorePrivilege | 2316 | WMIC.exe
Token: SeShutdownPrivilege | 2316 | WMIC.exe
Token: SeDebugPrivilege | 2316 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2316 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2316 | WMIC.exe
Token: SeUndockPrivilege | 2316 | WMIC.exe
Token: SeManageVolumePrivilege | 2316 | WMIC.exe
Token: 33 | 2316 | WMIC.exe
Token: 34 | 2316 | WMIC.exe
Token: 35 | 2316 | WMIC.exe
Suspicious use of WriteProcessMemory (13 IoCs)
description | pid | Process | procid_target
PID 804 wrote to memory of 2396 | 804 | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | 30
PID 804 wrote to memory of 2396 | 804 | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | 30
PID 804 wrote to memory of 2396 | 804 | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | 30
PID 804 wrote to memory of 2396 | 804 | 2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe | 30
PID 2396 wrote to memory of 2912 | 2396 | cmd.exe | 32
PID 2396 wrote to memory of 2912 | 2396 | cmd.exe | 32
PID 2396 wrote to memory of 2912 | 2396 | cmd.exe | 32
PID 2396 wrote to memory of 2788 | 2396 | cmd.exe | 35
PID 2396 wrote to memory of 2788 | 2396 | cmd.exe | 35
PID 2396 wrote to memory of 2788 | 2396 | cmd.exe | 35
PID 2396 wrote to memory of 2316 | 2396 | cmd.exe | 39
PID 2396 wrote to memory of 2316 | 2396 | cmd.exe | 39
PID 2396 wrote to memory of 2316 | 2396 | cmd.exe | 39
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe (PID 804)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-02-18_5c0eb83fc20cd39fd9b66310d91c9f8f_makop.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe (PID 2396)
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe (PID 2912)
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
    C:\Windows\system32\wbadmin.exe (PID 2788)
      Command line: wbadmin delete catalog -quiet
      - Deletes backup catalog
    C:\Windows\System32\Wbem\WMIC.exe (PID 2316)
      Command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\vssvc.exe (PID 2984)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbengine.exe (PID 2552)
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\vdsldr.exe (PID 2424)
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe (PID 2744)
  Command line: C:\Windows\System32\vds.exe
C:\Windows\system32\Dwm.exe (PID 436)
  Command line: "C:\Windows\system32\Dwm.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 911B
MD5: 936a0e66a5ca9da192e197c372dacaeb
SHA1: 6a1125710d40915d7beb8aca11bab150b405885a
SHA256: 87bf8fb30411583e61de48b65a9017cf323d30b97f0a1edb4d8450794dc2de5f
SHA512: d775104663bfd0c971bd04a007d69023c90f3053151744d690ea7c058122a00c07f80ed3f89ec97b6b43d700b58270546352116c252868d94a9b90f705e8ab2b