Analysis

  • max time kernel
    93s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-08-2024 17:10

General

  • Target

    222e2b91f5becea8c7c05883e4a58796a1f68628fbb0852b533fed08d8e9b853.exe

  • Size

    224KB

  • MD5

    033acf3b0f699a39becdc71d3e2dddcc

  • SHA1

    5949c404aee552fc8ce29e3bf77bd08e54d37c59

  • SHA256

    222e2b91f5becea8c7c05883e4a58796a1f68628fbb0852b533fed08d8e9b853

  • SHA512

    604ba9e02ec18b8ad1005ec3d86970261925a1d2c198a975387beb62a9711012733b92e7641a5687af835cf1ddb5b6c6d732b33a12387a3a293ca08929f7fb50

  • SSDEEP

    3072:xtsD+K6k7UXP6ih6XULC9GHJkmm8GxTyPGryXdEekUuIiMi:4D+33P6Y6XGpY8G5yore3u5Mi

Malware Config

Signatures

  • Meow

    A ransomware that wipes unsecured databases first seen in Mid 2020.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Renames multiple (7367) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 31 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\222e2b91f5becea8c7c05883e4a58796a1f68628fbb0852b533fed08d8e9b853.exe
    "C:\Users\Admin\AppData\Local\Temp\222e2b91f5becea8c7c05883e4a58796a1f68628fbb0852b533fed08d8e9b853.exe"
    1⤵
    • Drops startup file
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:376
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9142005D-2F1F-4DB8-8F0E-237525AC258B}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1460
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9142005D-2F1F-4DB8-8F0E-237525AC258B}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1412
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4656

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\readme.txt

    Filesize

    16KB

    MD5

    a55db6906df9fce8c9143ae77667b484

    SHA1

    8ae0329ad3c6de786f63a830440adc084e02adff

    SHA256

    6fa7bb1e97a6145c4f47634b092ace66bbb77085b23f95ebabf3dddbefef740a

    SHA512

    a860225d86dc78bdbbb51aa1cee1372d10047e170468fb6796c50992645ca9253399d6e6374d39ea96a1983980684d2216aff1b0c32300e2eaf91cb3a3ef5953