analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

makop_nowin.exe

Full analysis: https://app.any.run/tasks/82be0557-a49c-4ddf-865a-e35cca2cfdf4
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: April 01, 2023, 15:54:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

BD935610CB878E275D35F292B93D8459

SHA1:

2CFC4A68ECE6C9465BA44F96B677CC00536908AD

SHA256:

3757824893405FD34313749B689879B40B02DB3D8A682F9F88E23F63908881F7

SSDEEP:

768:x4K+eQXL36kOK1R01WseZ0y/QyYvhITluDA1afkKIDo:xueQbgK1e1S235HA1a20

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Deletes shadow copies

      • cmd.exe (PID: 920)
    • Renames files like ransomware

      • makop_nowin.exe (PID: 2712)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • makop_nowin.exe (PID: 2712)
    • Reads the Internet Settings

      • WMIC.exe (PID: 3472)
    • Uses WMIC.EXE to obtain shadow copy information

      • cmd.exe (PID: 920)
  • INFO

    • Reads the computer name

      • makop_nowin.exe (PID: 2712)
    • Reads the machine GUID from the registry

      • makop_nowin.exe (PID: 2712)
    • The process checks LSA protection

      • makop_nowin.exe (PID: 2712)
      • WMIC.exe (PID: 3472)
      • vssadmin.exe (PID: 3176)
      • wbadmin.exe (PID: 1660)
    • Reads Windows Product ID

      • makop_nowin.exe (PID: 2712)
    • Checks supported languages

      • makop_nowin.exe (PID: 2712)
    • Create files in a temporary directory

      • makop_nowin.exe (PID: 2712)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x5400
UninitializedDataSize: -
InitializedDataSize: 81920
CodeSize: 25088
LinkerVersion: 8
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, 32-bit
TimeStamp: 2020:07:06 11:23:57+00:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 06-Jul-2020 11:23:57

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 06-Jul-2020 11:23:57
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x000060A4
0x00006200
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.34071
.rdata
0x00008000
0x000009D6
0x00000A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.11618
.data
0x00009000
0x00011A8C
0x00000000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.ndata
0x0001B000
0x00001809
0x00001A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.94555

Imports

ADVAPI32.dll
KERNEL32.dll
MPR.dll
SHELL32.dll
USER32.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start makop_nowin.exe no specs cmd.exe no specs vssadmin.exe no specs wbadmin.exe no specs wmic.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2712"C:\Users\admin\AppData\Local\Temp\makop_nowin.exe" C:\Users\admin\AppData\Local\Temp\makop_nowin.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\makop_nowin.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
920"C:\Windows\system32\cmd.exe"C:\Windows\System32\cmd.exemakop_nowin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
2147749908
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3176vssadmin delete shadows /all /quietC:\Windows\System32\vssadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\atl.dll
c:\windows\system32\gdi32.dll
1660wbadmin delete catalog -quietC:\Windows\System32\wbadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® BLB Backup
Exit code:
4294967294
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
3472wmic shadowcopy deleteC:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
2147749908
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
Total events
376
Read events
376
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
1 142
Text files
188
Unknown types
28

Dropped files

PID
Process
Filename
Type
2712makop_nowin.exeC:\Users\admin\AppData\Local\Temp\cuzlwjlm.dct.[DE3DF956].[[email protected]].makopbinary
MD5:13A54F9E71022B7E490A5CA3D2059DB2
SHA256:09E1BDC1E4A785993763C70E0C6A94DBB60DB6870A7B944A2C6A28F3D2CBB264
2712makop_nowin.exeC:\Users\admin\AppData\Local\Temp\3y0d3hjr.gip.[DE3DF956].[[email protected]].makopbinary
MD5:0F1A45D10DE8425B97A06D628C607045
SHA256:F288A616904586010304F80A25025C5CDB346ADD90EE524BC70D07E580DF0652
2712makop_nowin.exeC:\Users\admin\AppData\Local\Temp\40rkdppl.mgo.[DE3DF956].[[email protected]].makopbinary
MD5:BF9C6C6921DFBD73FE140013518C2E42
SHA256:AE8732B0F095E66B9255AE6092AF5FBAB1BF96402E00BD710777605F1EB83BD2
2712makop_nowin.exeC:\Users\admin\AppData\Local\Temp\4iuioli4.bcm.[DE3DF956].[[email protected]].makopbinary
MD5:BE8E65434A79830BEAD97A4E7044EC8E
SHA256:5150C414A0B5B3DABBC30BA38A2D5D28CD5313820D9118A38CA2B9EF5EAA3BA3
2712makop_nowin.exeC:\Users\admin\AppData\Local\Temp\cuzlwjlm.dctbinary
MD5:13A54F9E71022B7E490A5CA3D2059DB2
SHA256:09E1BDC1E4A785993763C70E0C6A94DBB60DB6870A7B944A2C6A28F3D2CBB264
2712makop_nowin.exeC:\Users\admin\AppData\Local\Temp\nh5q1a0c.duz.[DE3DF956].[[email protected]].makopbinary
MD5:38E4B2DB966B24DE23DDDB8AA050CB13
SHA256:3A8F7DD30A7366A5D29B185DEB162876C89A782C9709BF2792D00389C3802379
2712makop_nowin.exeC:\Users\admin\AppData\Local\Temp\ovysfmpj.3sk.[DE3DF956].[[email protected]].makopbinary
MD5:7A9946831D7D8AC206279D7210192C09
SHA256:7C40EA0A1ACFC27E87917D0C7DC52606459596C831E41727255B956EE05AC89A
2712makop_nowin.exeC:\Users\admin\AppData\Local\Temp\bkwnywxq.wbbbinary
MD5:ECB5A008D80BB56C6081BE16E59268F2
SHA256:A3E52526F7B841A22A53C17ABA58DE50FD43C3758DAC0C5818AEDFF39496F735
2712makop_nowin.exeC:\Users\admin\AppData\Local\Temp\40rkdppl.mgobinary
MD5:BF9C6C6921DFBD73FE140013518C2E42
SHA256:AE8732B0F095E66B9255AE6092AF5FBAB1BF96402E00BD710777605F1EB83BD2
2712makop_nowin.exeC:\Users\admin\AppData\Local\Temp\nh5q1a0c.duzbinary
MD5:38E4B2DB966B24DE23DDDB8AA050CB13
SHA256:3A8F7DD30A7366A5D29B185DEB162876C89A782C9709BF2792D00389C3802379
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info