meow | 9f6a6b42048b12c0252a242af4fbe3a0627095d947b66029ba5f12a9c0a71050

General

Target

f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
Size

225KB
MD5

a03ccf5c66c1cc04263d94931b0764d8
SHA1

9ad5475555dd14f2109998eabcfe412d28ff6449
SHA256

f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40
SHA512

4fc507e9628c9640a3e87ed8aa5a39bfd07faefee1246cf3821b1a6314224cc7e24cbcd0a10a57fd990e114ceeada6ec2b069620ea604b8cdd0afac25d5b12e1
SSDEEP

3072:HrQCEI+T7gupEypsbBQeUHhBmmJAlUvuEY5KF5IXjs+Xbo:8CEI+THErQeKmmyl95dwGbo

Score

10^/10

meow ransomware spyware stealer

Malware Config

Signatures

Meow
A ransomware that wipes unsecured databases first seen in Mid 2020.
ransomware meow
Renames multiple (7142) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 1 IoCs

Processes:

f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 31 IoCs

Processes:

f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Links\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Public\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe

Drops file in Program Files directory 64 IoCs

Processes:

f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-oob.xrm-ms	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files\VideoLAN\VLC\lua\modules\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-BoldIt.otf	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\es-es\ui-strings.js	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it\ui-strings.js	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-phn.xrm-ms	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\Advertising.DATA	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ca-es\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files\Microsoft Office\root\Office15\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\joni.md	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\ui-strings.js	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\es-es\ui-strings.js	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ppd.xrm-ms	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\preloaded_data.pb.DATA	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\nb-no\ui-strings.js	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\hu-hu\ui-strings.js	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\DebugRestore.mp3	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2Fluent.png	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\uk-ua\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\bun.png	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pl_get.svg	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-cn\ui-strings.js	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-180.png	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sk-sk\ui-strings.js	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\nl-nl\ui-strings.js	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\hu_get.svg	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\ui-strings.js	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-ma\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul.xrm-ms	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN109.XML	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Constantia-Franklin Gothic Book.xml	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn_IN\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_history_18.svg	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\cstm_brand_preview.png	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ar-ae\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\autofill_labeling_email.ort.DATA	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sl-sl\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sv-se\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\cs-cz\ui-strings.js	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pl-pl\ui-strings.js	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ppd.xrm-ms	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\bell_empty.png	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\da-dk\ui-strings.js	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ja-jp\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-ma\readme.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\jvm.hprof.txt	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-pl.xrm-ms	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe

pid	process
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

vssvc.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	3804	vssvc.exe
Token: SeRestorePrivilege	3804	vssvc.exe
Token: SeAuditPrivilege	3804	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4964	WMIC.exe
Token: SeSecurityPrivilege	4964	WMIC.exe
Token: SeTakeOwnershipPrivilege	4964	WMIC.exe
Token: SeLoadDriverPrivilege	4964	WMIC.exe
Token: SeSystemProfilePrivilege	4964	WMIC.exe
Token: SeSystemtimePrivilege	4964	WMIC.exe
Token: SeProfSingleProcessPrivilege	4964	WMIC.exe
Token: SeIncBasePriorityPrivilege	4964	WMIC.exe
Token: SeCreatePagefilePrivilege	4964	WMIC.exe
Token: SeBackupPrivilege	4964	WMIC.exe
Token: SeRestorePrivilege	4964	WMIC.exe
Token: SeShutdownPrivilege	4964	WMIC.exe
Token: SeDebugPrivilege	4964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4964	WMIC.exe
Token: SeRemoteShutdownPrivilege	4964	WMIC.exe
Token: SeUndockPrivilege	4964	WMIC.exe
Token: SeManageVolumePrivilege	4964	WMIC.exe
Token: 33	4964	WMIC.exe
Token: 34	4964	WMIC.exe
Token: 35	4964	WMIC.exe
Token: 36	4964	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4964	WMIC.exe
Token: SeSecurityPrivilege	4964	WMIC.exe
Token: SeTakeOwnershipPrivilege	4964	WMIC.exe
Token: SeLoadDriverPrivilege	4964	WMIC.exe
Token: SeSystemProfilePrivilege	4964	WMIC.exe
Token: SeSystemtimePrivilege	4964	WMIC.exe
Token: SeProfSingleProcessPrivilege	4964	WMIC.exe
Token: SeIncBasePriorityPrivilege	4964	WMIC.exe
Token: SeCreatePagefilePrivilege	4964	WMIC.exe
Token: SeBackupPrivilege	4964	WMIC.exe
Token: SeRestorePrivilege	4964	WMIC.exe
Token: SeShutdownPrivilege	4964	WMIC.exe
Token: SeDebugPrivilege	4964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4964	WMIC.exe
Token: SeRemoteShutdownPrivilege	4964	WMIC.exe
Token: SeUndockPrivilege	4964	WMIC.exe
Token: SeManageVolumePrivilege	4964	WMIC.exe
Token: 33	4964	WMIC.exe
Token: 34	4964	WMIC.exe
Token: 35	4964	WMIC.exe
Token: 36	4964	WMIC.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.execmd.exe

description	pid	process	target process
PID 3220 wrote to memory of 3480	3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 3220 wrote to memory of 3480	3220	f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe	cmd.exe
PID 3480 wrote to memory of 4964	3480	cmd.exe	WMIC.exe
PID 3480 wrote to memory of 4964	3480	cmd.exe	WMIC.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe
"C:\Users\Admin\AppData\Local\Temp\f0fe71d1fe03e611fc151c6c1e94f00d7d17860b13fecce45084c62c1d619d40.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3220

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B1F1B88C-B024-4340-B1CA-B5B18E2D680C}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:3480

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B1F1B88C-B024-4340-B1CA-B5B18E2D680C}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3804

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\readme.txt
Filesize
16KB

MD5
bf84cfb4d4d3c3dadfe34cd39acc323a

SHA1
9b8bc323d8d8f2dee8ab028e28d2621c1fc565b9

SHA256
d7296a4a7d313d58f655a7358fe14c1b7c9964236d741847f2db9cbd78d87263

SHA512
31c264b351f7d0930e8ea79b7239c9d0dcd6c51faf7afc3086f361fff04c966b1c428501542e8db8743c921751586d0016b2d6ac005a9a6673e81394e3326311

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads