Overview

overview

10

Static

static

10

2025-03-24...op.exe

windows7-x64

10

2025-03-24...op.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop

  • Size

    33KB

  • Sample

    250324-jds18swqv5

  • MD5

    9becbba391cd86ae4780bc0aa431d9c8

  • SHA1

    a45e6ebd801289a2c4c40dcd6ee70b7ebd3b042f

  • SHA256

    948448af2f182b956f9501b445804ac26ae07e4fa84f88b4a98c53019017a208

  • SHA512

    401453c5b0462b49d06352215aed3cede5c2e8b03d9661c581e6526275e22cdc9ae827b4dae96c6ae9a1f9e821b70f0ad86fba2072a1a4075c921362789136e6

  • SSDEEP

    768:omOrfU5F/6xkelDL1rT4s1u9Kw8SgF7lRa53CqSf9HRUXimFGV+PcoD5Pyuzc7+e:qrfU5Fuke1L1Y0rlSgJlRW3CqSVRUfFZ

Score
10/10
makopcredential_accessdefense_evasiondiscoveryevasionexecutionimpactransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme-warning.txt

Family

makop

Ransom Note
::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "makop" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: modeturbo@aol.com .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.
Emails

modeturbo@aol.com

Targets

    • Target

      2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop

    • Size

      33KB

    • MD5

      9becbba391cd86ae4780bc0aa431d9c8

    • SHA1

      a45e6ebd801289a2c4c40dcd6ee70b7ebd3b042f

    • SHA256

      948448af2f182b956f9501b445804ac26ae07e4fa84f88b4a98c53019017a208

    • SHA512

      401453c5b0462b49d06352215aed3cede5c2e8b03d9661c581e6526275e22cdc9ae827b4dae96c6ae9a1f9e821b70f0ad86fba2072a1a4075c921362789136e6

    • SSDEEP

      768:omOrfU5F/6xkelDL1rT4s1u9Kw8SgF7lRa53CqSf9HRUXimFGV+PcoD5Pyuzc7+e:qrfU5Fuke1L1Y0rlSgJlRW3CqSVRUfFZ

    Score
    10/10
    makopcredential_accessdiscoveryransomwarespywarestealerdefense_evasionevasionexecutionimpact

    • Makop

      Ransomware family discovered by @VK_Intel in early 2020.

      ransomwaremakop

    • Makop family

      makop

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (10146) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Windows Management Instrumentation

1
T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

1
T1006

Indicator Removal

3
T1070

File Deletion

3
T1070.004

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

2
T1120

Query Registry

3
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

4
T1490

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.