Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/03/2025, 07:33

General

  • Target

    2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe

  • Size

    33KB

  • MD5

    9becbba391cd86ae4780bc0aa431d9c8

  • SHA1

    a45e6ebd801289a2c4c40dcd6ee70b7ebd3b042f

  • SHA256

    948448af2f182b956f9501b445804ac26ae07e4fa84f88b4a98c53019017a208

  • SHA512

    401453c5b0462b49d06352215aed3cede5c2e8b03d9661c581e6526275e22cdc9ae827b4dae96c6ae9a1f9e821b70f0ad86fba2072a1a4075c921362789136e6

  • SSDEEP

    768:omOrfU5F/6xkelDL1rT4s1u9Kw8SgF7lRa53CqSf9HRUXimFGV+PcoD5Pyuzc7+e:qrfU5Fuke1L1Y0rlSgJlRW3CqSVRUfFZ

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme-warning.txt

Family

makop

Ransom Note
::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "makop" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: [email protected] .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don't want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Signatures

  • Makop

    Ransomware family discovered by @VK_Intel in early 2020.

  • Makop family
  • Renames multiple (10146) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe"
    1⤵
    • Drops startup file
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe
      "C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe" n
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2644
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
        PID:2696
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1604
      • C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe" n
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2368
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2392
      • C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe" n
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1000
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:884
      • C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe" n
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1876
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1576
      • C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe" n
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2736
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2568
      • C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe" n
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2332
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2808
      • C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe" n
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2660
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1880
      • C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe" n
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1480
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1264
      • C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe" n
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2520
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:376
      • C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe" n
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1532
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1836
      • C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe" n
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2488
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1088
      • C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe" n
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2628
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:980
      • C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe" n
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2748
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1452
      • C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe" n
        2⤵
        • System Location Discovery: System Language Discovery
        PID:916
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1948
      • C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe" n
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1864
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1212
      • C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe" n
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1044
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2992
      • C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe" n
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2184
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2180
      • C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-24_9becbba391cd86ae4780bc0aa431d9c8_makop.exe" n
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1580
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2752

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini

      Filesize

      356B

      MD5

      b31839741e1f5467724ff8f17c6ce199

      SHA1

      dee3f2bf3c8122f31f707ca4d13831b86843372d

      SHA256

      c5bb687274b9e9314e307a8c4f15efc6914f04a91e952b4d524681c011b717ba

      SHA512

      e5b635a9e745d278c0fd6f9f55150be79e0fcccfaac3620dd729c0cf28582dfa16fbbc762514d514fb126b6ded6fd4498bba852c99ba649c0b6484714673090a

    • C:\Users\Admin\Desktop\readme-warning.txt

      Filesize

      1KB

      MD5

      0cc5402f991172cf2c477d2865a480a5

      SHA1

      117573c89e9289ca1b46eb54abeb7898b9a4a290

      SHA256

      049dc3b5785f5e0e73d8b030c1f36dc5d6a69563dac94feb1e27bc9575210cbd

      SHA512

      0df58546a744b20d80fcbb6a02a5ad67681c8887db9a35d99e1f215d5f5517e6991e531a7704acb02977a936a109464f74dc11c47fc9927846069d0dcfc6f4f9