Overview

overview

10

Static

static

10

2025-03-23...op.exe

windows7-x64

10

2025-03-23...op.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/03/2025, 08:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe

  • Size

    37KB

  • MD5

    92438f8b4aa3e89d07c1fa1c144a0dbe

  • SHA1

    589cd711cf440dfc042d56fb00417fa286293c58

  • SHA256

    88c07f8f469a332d328f78f8549c0cb7d1bb9810a0b52324d60e07b18ccb90d2

  • SHA512

    4520235f84a56a990be512f9881f95b6577acf3701ece8a0f7ddce05e12808087bd01ddfdb21df1d0582818a67a6de9c0ce9b6a22dba8a6bde529a7bf11baa15

  • SSDEEP

    768:i9CTW2JJNMX9J61TTNtiGX5DaXJfIaIiYvI0ihi/QM3DyImiErFf0/0u:nWIMX9J617pDl3fiyvmiEr40u

Score
10/10
makopcredential_accessdefense_evasiondiscoveryevasionexecutionimpactransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme-warning.txt

Family

makop

Ransom Note
::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "CARLOS" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: [email protected] .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Signatures

  • Makop

    Ransomware family discovered by @VK_Intel in early 2020.

    ransomwaremakop
  • Makop family
    makop
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Renames multiple (13446) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe"
    1⤵
    • Drops startup file
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe
      "C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe" n2960
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3540
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3816
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:5116
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5092
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:3628
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:4700
      • C:\Windows\system32\wbadmin.exe
        wbadmin delete catalog -quiet
        3⤵
        • Deletes backup catalog
        PID:4364
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3652
    • C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe
      "C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe" n2960
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4808
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1392
    • C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe
      "C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe" n2960
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2648
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3624
    • C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe
      "C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe" n2960
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2996
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
      2⤵
      • System Location Discovery: System Language Discovery
      PID:276
    • C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe
      "C:\Users\Admin\AppData\Local\Temp\2025-03-23_92438f8b4aa3e89d07c1fa1c144a0dbe_makop.exe" n2960
      2⤵
      • System Location Discovery: System Language Discovery
      PID:968
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1904
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2568
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:3604
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:1756

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    Windows Management Instrumentation

    1
    T1047

    Persistence

    Privilege Escalation

    Defense Evasion

    Direct Volume Access

    1
    T1006

    Indicator Removal

    3
    T1070

    File Deletion

    3
    T1070.004

    Credential Access

    Credentials from Password Stores

    2
    T1555

    Credentials from Web Browsers

    1
    T1555.003

    Windows Credential Manager

    1
    T1555.004

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Browser Information Discovery

    1
    T1217

    Peripheral Device Discovery

    2
    T1120

    Query Registry

    3
    T1012

    System Information Discovery

    3
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Command and Control

    Exfiltration

    Impact

    Inhibit System Recovery

    4
    T1490

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-805952410-2104024357-1716932545-1000\desktop.ini
      Filesize

      356B

      MD5

      585b13f7adb7c5431cecab47db309a61

      SHA1

      98436bbca6673f359dcd37f03347ddb73803cded

      SHA256

      c390e70ef7d2fe2b62644cde6b9c19575d069e2662e31ad1895a2007348eb03f

      SHA512

      a67aa5d168ae4374e75a0c7b7aee9c1bb12f357a215e6596e0e1ca70c47cd14fcc6f00bbbac08da7834c75dfb350fd98d6bd2f35ab47724271aa92346094e951

      Download Submit

    • C:\$Recycle.Bin\S-1-5-21-805952410-2104024357-1716932545-1000\desktop.ini
      Filesize

      356B

      MD5

      06268438aaeb5bb055d27f7f03782c63

      SHA1

      f4170d09fc9c9d3a5fb4c23ee77a63d114b35569

      SHA256

      2d67deb38e31cad2e6c3fe026c517df49477996bbca9011f6224e37270d7ba61

      SHA512

      c75a8a9b1d0a5781a762ab6a4fa39df7477b1e5483b987558d84d8e3fa0f8fc87ad80b20e2ed8b6c47f7fd91af6dd2aa19db149fcdfbca856e8ae36344b1ac0f

      Download Submit

    • C:\$Recycle.Bin\S-1-5-21-805952410-2104024357-1716932545-1000\desktop.ini
      Filesize

      580B

      MD5

      504140ed9b4f1c620b7e1bdc2b49d763

      SHA1

      794190c4bccd239020740b7fc2f71f63ff1a7570

      SHA256

      14c15a18ff0f23fef473089914630b6bafcdc283b5d89141b1e103bf9e4fb0ea

      SHA512

      76415f61b0cf6d4a7383602da8901a2ca28074947c25ebf3d8e691ad75372b59fb0400e079e3d31f11e5d374efa2ecc04a63f5f54188d8eccf40089ba73926e7

      Download Submit

    • C:\$Recycle.Bin\S-1-5-21-805952410-2104024357-1716932545-1000\desktop.ini
      Filesize

      804B

      MD5

      460ee90390f51c7dff213ad31ce974cb

      SHA1

      08ba02c5c9b0db91c437a54ef8245bc45d449267

      SHA256

      0ac8464afb3c372830bdb096c0c29a536fe2d0a798ac102725bfb3d459de6035

      SHA512

      da4c4256d2bdd22636568e64517c03045324cff619daa3c7f5711e36453dcde58bf82d355648cb58cca814d95e2fa3453169084c1da474ba442fc496fba157c9

      Download Submit

    • C:\$Recycle.Bin\S-1-5-21-805952410-2104024357-1716932545-1000\desktop.ini
      Filesize

      1KB

      MD5

      673fa63c30a2da300c834c59920c648e

      SHA1

      231098adf214ab83bc863fd971a0816ff901e1d6

      SHA256

      f6f769e11f7330e6eb9066f9505ba25e2c09df5505f3f77d2a2f74a3143a291b

      SHA512

      c8bad9ff63704e1fec9dd86bb68c23e50a020062a5edfce2b672f36fd2d6de0860f76a76da94ff1adbf342fc4e5ee9e4894b905c96420d39aeb52ca9c133678b

      Download Submit

    • C:\Users\Admin\Desktop\readme-warning.txt
      Filesize

      1KB

      MD5

      a070b8e37f3a29de5c5bf7ac37641991

      SHA1

      bcc2f5475096250d4de73e8fce8d90bf8d6899ad

      SHA256

      e1712e942e5f08b5206d610cef1dc3892219fefecac8cba574df177f6972188f

      SHA512

      96afafa11f5c8eac46b5cbdcf2542847ec4e587defad72b8fefa59a92d991fe21c9527ccdedc96e28946be6ed75f9bac14d25b69ace6fba96ce347a5c9ff50c3

      Download Submit