Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
10Ransomware...KB.exe
windows10-ltsc_2021-x64
7Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
7Ransomware...KB.exe
windows10-ltsc_2021-x64
7Ransomware...KB.exe
windows11-21h2-x64
7Ransomware...KB.exe
windows10-ltsc_2021-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-ltsc_2021-x64
10Ransomware...KB.exe
windows11-21h2-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows7-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-ltsc_2021-x64
10Ransomware...KB.exe
windows11-21h2-x64
10Ransomware...KB.exe
windows10-2004-x64
9Ransomware...KB.exe
windows7-x64
9Ransomware...KB.exe
windows10-2004-x64
9Ransomware...KB.exe
windows10-ltsc_2021-x64
9Ransomware...KB.exe
windows11-21h2-x64
9Ransomware...KB.exe
windows11-21h2-x64
9Ransomware...KB.exe
windows7-x64
9Ransomware...KB.exe
windows10-2004-x64
9Ransomware...KB.exe
windows10-ltsc_2021-x64
9Ransomware...KB.exe
windows11-21h2-x64
9Ransomware...KB.ps1
windows11-21h2-x64
10Ransomware...KB.ps1
windows7-x64
10Ransomware...KB.ps1
windows10-2004-x64
10Ransomware...KB.ps1
windows10-ltsc_2021-x64
10Ransomware...KB.ps1
windows11-21h2-x64
10Resubmissions
25/03/2025, 15:11
250325-skmbpsxzaw 1025/03/2025, 15:06
250325-sg1d6a1px2 1025/03/2025, 15:01
250325-sd5jpsxyct 1025/03/2025, 14:56
250325-sbdcfaxxgs 1025/03/2025, 14:50
250325-r7ve6a1nv3 1025/03/2025, 14:46
250325-r5ab7sxwhx 1025/03/2025, 14:40
250325-r2c9paxwe1 1005/02/2025, 10:25
250205-mgcefaslhw 1005/02/2025, 10:17
250205-mbs51atmbk 1005/02/2025, 09:15
250205-k785zs1pfn 10Analysis
-
max time kernel
114s -
max time network
116s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
25/03/2025, 14:56
Static task
static1
Behavioral task
behavioral1
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win10ltsc2021-20250314-en
Behavioral task
behavioral2
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win7-20241010-en
Behavioral task
behavioral3
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral4
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win10ltsc2021-20250314-en
Behavioral task
behavioral5
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win11-20250313-en
Behavioral task
behavioral6
Sample
RansomwareSamples/MedusaLocker_24_04_2020_661KB.exe
Resource
win10ltsc2021-20250314-en
Behavioral task
behavioral7
Sample
RansomwareSamples/MedusaLocker_24_04_2020_661KB.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
RansomwareSamples/MedusaLocker_24_04_2020_661KB.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral9
Sample
RansomwareSamples/MedusaLocker_24_04_2020_661KB.exe
Resource
win10ltsc2021-20250314-en
Behavioral task
behavioral10
Sample
RansomwareSamples/MedusaLocker_24_04_2020_661KB.exe
Resource
win11-20250313-en
Behavioral task
behavioral11
Sample
RansomwareSamples/MountLocker_20_11_2020_200KB.exe
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
RansomwareSamples/MountLocker_20_11_2020_200KB.exe
Resource
win7-20250207-en
Behavioral task
behavioral13
Sample
RansomwareSamples/MountLocker_20_11_2020_200KB.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral14
Sample
RansomwareSamples/MountLocker_20_11_2020_200KB.exe
Resource
win10ltsc2021-20250314-en
Behavioral task
behavioral15
Sample
RansomwareSamples/MountLocker_20_11_2020_200KB.exe
Resource
win11-20250313-en
Behavioral task
behavioral16
Sample
RansomwareSamples/Nefilim_31_08_2020_3061KB.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral17
Sample
RansomwareSamples/Nefilim_31_08_2020_3061KB.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
RansomwareSamples/Nefilim_31_08_2020_3061KB.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral19
Sample
RansomwareSamples/Nefilim_31_08_2020_3061KB.exe
Resource
win10ltsc2021-20250314-en
Behavioral task
behavioral20
Sample
RansomwareSamples/Nefilim_31_08_2020_3061KB.exe
Resource
win11-20250313-en
Behavioral task
behavioral21
Sample
RansomwareSamples/Nemty_03_02_2021_124KB.exe
Resource
win11-20250314-en
Behavioral task
behavioral22
Sample
RansomwareSamples/Nemty_03_02_2021_124KB.exe
Resource
win7-20241023-en
Behavioral task
behavioral23
Sample
RansomwareSamples/Nemty_03_02_2021_124KB.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral24
Sample
RansomwareSamples/Nemty_03_02_2021_124KB.exe
Resource
win10ltsc2021-20250314-en
Behavioral task
behavioral25
Sample
RansomwareSamples/Nemty_03_02_2021_124KB.exe
Resource
win11-20250313-en
Behavioral task
behavioral26
Sample
RansomwareSamples/NetWalker_19_10_2020_903KB.ps1
Resource
win11-20250313-en
Behavioral task
behavioral27
Sample
RansomwareSamples/NetWalker_19_10_2020_903KB.ps1
Resource
win7-20241010-en
Behavioral task
behavioral28
Sample
RansomwareSamples/NetWalker_19_10_2020_903KB.ps1
Resource
win10v2004-20250314-en
Behavioral task
behavioral29
Sample
RansomwareSamples/NetWalker_19_10_2020_903KB.ps1
Resource
win10ltsc2021-20250314-en
Behavioral task
behavioral30
Sample
RansomwareSamples/NetWalker_19_10_2020_903KB.ps1
Resource
win11-20250313-en
General
-
Target
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
-
Size
114KB
-
MD5
b33e8ce6a7035bee5c5472d5b870b68a
-
SHA1
783d08fe374f287a4e0412ed8b7f5446c6e65687
-
SHA256
2b5a3934d3e81fee4654bb1a7288c81af158a6d48a666cf8e379b0492551188f
-
SHA512
78c36e1f8ba968d55e8b469fba9623bd20f9d7216b4f5983388c32be564484caab228935f96fd8bff82bc8bb8732f7beb9ccede50385b6b6ba7e23b5cc60679f
-
SSDEEP
3072:Rf1BDZ0kVB67Duw9AMcUTeQnbZ7pgHzL8O1oc8rEUvZfqv8dOWVIc:R9X0GGZpYzL8VcFUvZyUdb
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\readme-warning.txt
makop
Signatures
-
Makop
Ransomware family discovered by @VK_Intel in early 2020.
-
Makop family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (8315) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 1240 wbadmin.exe -
Loads dropped DLL 2 IoCs
pid Process 3056 MAKOP_27_10_2020_115KB.exe 2124 MAKOP_27_10_2020_115KB.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RansomwareSamples\\MAKOP_27_10_2020_115KB.exe\"" MAKOP_27_10_2020_115KB.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: MAKOP_27_10_2020_115KB.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 4 iplogger.org 5 iplogger.org -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 3056 set thread context of 2764 3056 MAKOP_27_10_2020_115KB.exe 30 PID 2124 set thread context of 2728 2124 MAKOP_27_10_2020_115KB.exe 43 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\currency.data MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-heapwalker.xml MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Simferopol MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\clock.js MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_zh_CN.jar MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Abidjan MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188669.WMF MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02790_.WMF MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PULLQUOTEBB.DPV MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\1033\PAWPRINT.HTM MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-dialogs_zh_CN.jar MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\grayStateIcon.png MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03470_.WMF MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\DefaultBlackAndWhite.dotx MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLNOTER.FAE MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLIST.CFG MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WhiteboxMask.bmp MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm MAKOP_27_10_2020_115KB.exe File created C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\readme-warning.txt MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_right.png MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths.[4487F1E0].[[email protected]].makop MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\Microsoft.Office.InfoPath.xml MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BZCARDHM.POC MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\INVITE.XML MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\currency.css MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_ja_4.4.0.v20140623020002.jar MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Cambridge_Bay MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\vlc.mo MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\flyout.html MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IpsMigrationPlugin.dll.mui MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\ShapeCollector.exe.mui MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Madrid MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files\Windows Media Player\fr-FR\WMPDMCCore.dll.mui MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssBackBlue_docked.png MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_rest.png MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\SpiderSolitaire.exe.mui MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CATALOG.XML MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files\7-Zip\Lang\zh-cn.txt MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files\InitializeUnprotect.TTS MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-spi-actions.jar MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files\WriteTrace.wvx MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Austin.xml MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10265_.GIF MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop.wmv MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.jasper.glassfish_2.2.2.v201205150955.jar MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.RSA MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\RSSFeeds.js MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SPRNG_01.MID MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\drag.png MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_ja.jar MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\COMPASS.INF MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10335_.GIF MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21533_.GIF MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.TW.XML MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSTORY.XML MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files\ExitRestore.dxf MAKOP_27_10_2020_115KB.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\add_up.png MAKOP_27_10_2020_115KB.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MAKOP_27_10_2020_115KB.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MAKOP_27_10_2020_115KB.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MAKOP_27_10_2020_115KB.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MAKOP_27_10_2020_115KB.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2712 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2764 MAKOP_27_10_2020_115KB.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 3056 MAKOP_27_10_2020_115KB.exe 2124 MAKOP_27_10_2020_115KB.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process Token: SeBackupPrivilege 2776 vssvc.exe Token: SeRestorePrivilege 2776 vssvc.exe Token: SeAuditPrivilege 2776 vssvc.exe Token: SeBackupPrivilege 2272 wbengine.exe Token: SeRestorePrivilege 2272 wbengine.exe Token: SeSecurityPrivilege 2272 wbengine.exe Token: SeIncreaseQuotaPrivilege 1912 WMIC.exe Token: SeSecurityPrivilege 1912 WMIC.exe Token: SeTakeOwnershipPrivilege 1912 WMIC.exe Token: SeLoadDriverPrivilege 1912 WMIC.exe Token: SeSystemProfilePrivilege 1912 WMIC.exe Token: SeSystemtimePrivilege 1912 WMIC.exe Token: SeProfSingleProcessPrivilege 1912 WMIC.exe Token: SeIncBasePriorityPrivilege 1912 WMIC.exe Token: SeCreatePagefilePrivilege 1912 WMIC.exe Token: SeBackupPrivilege 1912 WMIC.exe Token: SeRestorePrivilege 1912 WMIC.exe Token: SeShutdownPrivilege 1912 WMIC.exe Token: SeDebugPrivilege 1912 WMIC.exe Token: SeSystemEnvironmentPrivilege 1912 WMIC.exe Token: SeRemoteShutdownPrivilege 1912 WMIC.exe Token: SeUndockPrivilege 1912 WMIC.exe Token: SeManageVolumePrivilege 1912 WMIC.exe Token: 33 1912 WMIC.exe Token: 34 1912 WMIC.exe Token: 35 1912 WMIC.exe Token: SeIncreaseQuotaPrivilege 1912 WMIC.exe Token: SeSecurityPrivilege 1912 WMIC.exe Token: SeTakeOwnershipPrivilege 1912 WMIC.exe Token: SeLoadDriverPrivilege 1912 WMIC.exe Token: SeSystemProfilePrivilege 1912 WMIC.exe Token: SeSystemtimePrivilege 1912 WMIC.exe Token: SeProfSingleProcessPrivilege 1912 WMIC.exe Token: SeIncBasePriorityPrivilege 1912 WMIC.exe Token: SeCreatePagefilePrivilege 1912 WMIC.exe Token: SeBackupPrivilege 1912 WMIC.exe Token: SeRestorePrivilege 1912 WMIC.exe Token: SeShutdownPrivilege 1912 WMIC.exe Token: SeDebugPrivilege 1912 WMIC.exe Token: SeSystemEnvironmentPrivilege 1912 WMIC.exe Token: SeRemoteShutdownPrivilege 1912 WMIC.exe Token: SeUndockPrivilege 1912 WMIC.exe Token: SeManageVolumePrivilege 1912 WMIC.exe Token: 33 1912 WMIC.exe Token: 34 1912 WMIC.exe Token: 35 1912 WMIC.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 3056 wrote to memory of 2764 3056 MAKOP_27_10_2020_115KB.exe 30 PID 3056 wrote to memory of 2764 3056 MAKOP_27_10_2020_115KB.exe 30 PID 3056 wrote to memory of 2764 3056 MAKOP_27_10_2020_115KB.exe 30 PID 3056 wrote to memory of 2764 3056 MAKOP_27_10_2020_115KB.exe 30 PID 3056 wrote to memory of 2764 3056 MAKOP_27_10_2020_115KB.exe 30 PID 2764 wrote to memory of 2988 2764 MAKOP_27_10_2020_115KB.exe 32 PID 2764 wrote to memory of 2988 2764 MAKOP_27_10_2020_115KB.exe 32 PID 2764 wrote to memory of 2988 2764 MAKOP_27_10_2020_115KB.exe 32 PID 2764 wrote to memory of 2988 2764 MAKOP_27_10_2020_115KB.exe 32 PID 2988 wrote to memory of 2712 2988 cmd.exe 34 PID 2988 wrote to memory of 2712 2988 cmd.exe 34 PID 2988 wrote to memory of 2712 2988 cmd.exe 34 PID 2988 wrote to memory of 1240 2988 cmd.exe 37 PID 2988 wrote to memory of 1240 2988 cmd.exe 37 PID 2988 wrote to memory of 1240 2988 cmd.exe 37 PID 2988 wrote to memory of 1912 2988 cmd.exe 41 PID 2988 wrote to memory of 1912 2988 cmd.exe 41 PID 2988 wrote to memory of 1912 2988 cmd.exe 41 PID 2124 wrote to memory of 2728 2124 MAKOP_27_10_2020_115KB.exe 43 PID 2124 wrote to memory of 2728 2124 MAKOP_27_10_2020_115KB.exe 43 PID 2124 wrote to memory of 2728 2124 MAKOP_27_10_2020_115KB.exe 43 PID 2124 wrote to memory of 2728 2124 MAKOP_27_10_2020_115KB.exe 43 PID 2124 wrote to memory of 2728 2124 MAKOP_27_10_2020_115KB.exe 43 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"2⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n27643⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n27644⤵
- System Location Discovery: System Language Discovery
PID:2728
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:2712
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
PID:1240
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1912
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2776
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2272
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:2008
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:1492
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
3File Deletion
3Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5d171c561e20fc9714f85da3c4331d0b6
SHA18f7e6cd4bda627a0a3d1a0e687c8b998db3b9438
SHA2563c829147b1f82f255e4032d2a22d5b83932bc7f74f3540137146530be0353aac
SHA512b52823ac0dba9dec6a243d1a3d68718c2a825dae4d6f4f312e92d87ecb87dbb066f259b317628fa588ad1abc4a59e095e5e302e53294bd8b34d414fadc8420c2
-
Filesize
56KB
MD53f6c09c3ca38adeccf84a5af88d6e41e
SHA1244fea7b90b9492486dc2eaec05970c6b17a4f72
SHA2560195487ab8d8b1942ad35bdaf56a3a263e8175481ed396abd79c8963b0b23f3a
SHA5127acc4fe60cd0ec977c71afa923fca844c300bb2f3893baf46d6e7838f489d26475a34fbca9dce6fbe65e602093fc3776eac22619e4dafb94835f2883a0e9173c
-
Filesize
11KB
MD5fccff8cb7a1067e23fd2e2b63971a8e1
SHA130e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA2566fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c