Overview

overview

10

Static

static

3

222e2b91f5...53.exe

windows7-x64

10

222e2b91f5...53.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-07-2023 14:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    222e2b91f5becea8c7c05883e4a58796a1f68628fbb0852b533fed08d8e9b853.exe

  • Size

    224KB

  • MD5

    033acf3b0f699a39becdc71d3e2dddcc

  • SHA1

    5949c404aee552fc8ce29e3bf77bd08e54d37c59

  • SHA256

    222e2b91f5becea8c7c05883e4a58796a1f68628fbb0852b533fed08d8e9b853

  • SHA512

    604ba9e02ec18b8ad1005ec3d86970261925a1d2c198a975387beb62a9711012733b92e7641a5687af835cf1ddb5b6c6d732b33a12387a3a293ca08929f7fb50

  • SSDEEP

    3072:xtsD+K6k7UXP6ih6XULC9GHJkmm8GxTyPGryXdEekUuIiMi:4D+33P6Y6XGpY8G5yore3u5Mi

Score
10/10
meowransomwarespywarestealer

Malware Config

Signatures

  • Meow

    A ransomware that wipes unsecured databases first seen in Mid 2020.

    ransomwaremeow
  • Renames multiple (8267) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 31 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\222e2b91f5becea8c7c05883e4a58796a1f68628fbb0852b533fed08d8e9b853.exe
    "C:\Users\Admin\AppData\Local\Temp\222e2b91f5becea8c7c05883e4a58796a1f68628fbb0852b533fed08d8e9b853.exe"
    1⤵
    • Drops startup file
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4408
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{639FD6EE-6EBF-4335-B304-22992C24BC49}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{639FD6EE-6EBF-4335-B304-22992C24BC49}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2548
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\readme.txt
    Filesize

    16KB

    MD5

    a55db6906df9fce8c9143ae77667b484

    SHA1

    8ae0329ad3c6de786f63a830440adc084e02adff

    SHA256

    6fa7bb1e97a6145c4f47634b092ace66bbb77085b23f95ebabf3dddbefef740a

    SHA512

    a860225d86dc78bdbbb51aa1cee1372d10047e170468fb6796c50992645ca9253399d6e6374d39ea96a1983980684d2216aff1b0c32300e2eaf91cb3a3ef5953

    Download Submit