Overview

overview

10

Static

static

10

2025-03-23...op.exe

windows7-x64

10

2025-03-23...op.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    23/03/2025, 08:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe

  • Size

    37KB

  • MD5

    92438f8b4aa3e89d07c1fa1c144a0dbe

  • SHA1

    589cd711cf440dfc042d56fb00417fa286293c58

  • SHA256

    88c07f8f469a332d328f78f8549c0cb7d1bb9810a0b52324d60e07b18ccb90d2

  • SHA512

    4520235f84a56a990be512f9881f95b6577acf3701ece8a0f7ddce05e12808087bd01ddfdb21df1d0582818a67a6de9c0ce9b6a22dba8a6bde529a7bf11baa15

  • SSDEEP

    768:i9CTW2JJNMX9J61TTNtiGX5DaXJfIaIiYvI0ihi/QM3DyImiErFf0/0u:nWIMX9J617pDl3fiyvmiEr40u

Score
10/10
makopcredential_accessdiscoveryransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme-warning.txt

Family

makop

Ransom Note
::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "CARLOS" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: [email protected] .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Signatures

  • Makop

    Ransomware family discovered by @VK_Intel in early 2020.

    ransomwaremakop
  • Makop family
    makop
  • Renames multiple (9927) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe"
    1⤵
    • Drops startup file
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:764
    • C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe
      "C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe" n764
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2768
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
        PID:2808
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1004
      • C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe" n764
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1896
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2408
      • C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe" n764
        2⤵
        • System Location Discovery: System Language Discovery
        PID:628
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2712
      • C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe" n764
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2320
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2572
      • C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe" n764
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2236
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2352
      • C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe" n764
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1280
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:264
      • C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe" n764
        2⤵
        • System Location Discovery: System Language Discovery
        PID:560
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2228
      • C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe" n764
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1960
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:604
      • C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe" n764
        2⤵
        • System Location Discovery: System Language Discovery
        PID:592
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2448
      • C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe" n764
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2724
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:936
      • C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe" n764
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1508
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2056
      • C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe" n764
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2296
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2092
      • C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe" n764
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1100
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2840
      • C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe" n764
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2520
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1232
      • C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe" n764
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1604
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2316
      • C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe" n764
        2⤵
        • System Location Discovery: System Language Discovery
        PID:872
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2872
      • C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe" n764
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1756
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1700
      • C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe" n764
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2148
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1956
      • C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe" n764
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1924
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2648

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini
      Filesize

      356B

      MD5

      98b3e3e35ea80873a64a902302ee0465

      SHA1

      9149efb5815ac6e7e962762c535b6b3f98e4e06a

      SHA256

      9692e8b5ee1073c41611950f692f34c081edf6d3b2e8a98178c56cd71e778431

      SHA512

      0a9f1f53227092c4fe3eb62b373102e225744b89e8226e45f403dc987369e4712c598ae234a7b9437c5499a3c3b0ba1621c77630bdae38fd1413387c730f8942

      Download Submit

    • C:\Users\Admin\Desktop\readme-warning.txt
      Filesize

      1KB

      MD5

      a070b8e37f3a29de5c5bf7ac37641991

      SHA1

      bcc2f5475096250d4de73e8fce8d90bf8d6899ad

      SHA256

      e1712e942e5f08b5206d610cef1dc3892219fefecac8cba574df177f6972188f

      SHA512

      96afafa11f5c8eac46b5cbdcf2542847ec4e587defad72b8fefa59a92d991fe21c9527ccdedc96e28946be6ed75f9bac14d25b69ace6fba96ce347a5c9ff50c3

      Download Submit