25d18c3823a3b210a18e69c823ce4c59fab298c315ac2a5d891027921d1c6d7e

General

Target

config.exe
Size

2.1MB
MD5

cf351819c69c94fbdaec24cb8c30990b
SHA1

4911d5384ca3720c48a0c8ba47b1edba33dfa0ff
SHA256

25d18c3823a3b210a18e69c823ce4c59fab298c315ac2a5d891027921d1c6d7e
SHA512

c6ed66e7a0afa76ff2c583b91e90ed8a193af8c25ba5e81e29be652bbbdfaf1fa62047826066f8ebc3677873e6a75237103ec4dc61544c3e5c11eff2b401c5b9

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

config.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ExportTest.png => C:\Users\Admin\Pictures\ExportTest.png.xyz	config.exe
File renamed	C:\Users\Admin\Pictures\ExportWait.raw => C:\Users\Admin\Pictures\ExportWait.raw.xyz	config.exe
File renamed	C:\Users\Admin\Pictures\UninstallSelect.tif => C:\Users\Admin\Pictures\UninstallSelect.tif.xyz	config.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 13 IoCs

Processes:

config.exe

description	ioc	process
File created	C:\Users\Admin\Saved Games\desktop.ini	config.exe
File created	C:\Users\Admin\Desktop\desktop.ini	config.exe
File created	C:\Users\Admin\Downloads\desktop.ini	config.exe
File created	C:\Users\Admin\Favorites\Links\desktop.ini	config.exe
File created	C:\Users\Admin\Favorites\desktop.ini	config.exe
File created	C:\Users\Admin\Links\desktop.ini	config.exe
File created	C:\Users\Admin\Music\desktop.ini	config.exe
File created	C:\Users\Admin\Contacts\desktop.ini	config.exe
File created	C:\Users\Admin\Documents\desktop.ini	config.exe
File created	C:\Users\Admin\Favorites\Links for United States\desktop.ini	config.exe
File created	C:\Users\Admin\Pictures\desktop.ini	config.exe
File created	C:\Users\Admin\Searches\desktop.ini	config.exe
File created	C:\Users\Admin\Videos\desktop.ini	config.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

cipher.exe

description ioc process

File opened (read-only) \??\D: cipher.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1768 vssadmin.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1692 NOTEPAD.EXE

description	ioc	process
File opened (read-only)	\??\D:	cipher.exe

pid	process
1768	vssadmin.exe

pid	process
1692	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1688	powershell.exe
1688	powershell.exe
1688	powershell.exe
1872	powershell.exe
1660	powershell.exe
1660	powershell.exe
1660	powershell.exe
2024	powershell.exe
1120	powershell.exe
1120	powershell.exe
1120	powershell.exe
852	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	516	wmic.exe
Token: SeSecurityPrivilege	516	wmic.exe
Token: SeTakeOwnershipPrivilege	516	wmic.exe
Token: SeLoadDriverPrivilege	516	wmic.exe
Token: SeSystemProfilePrivilege	516	wmic.exe
Token: SeSystemtimePrivilege	516	wmic.exe
Token: SeProfSingleProcessPrivilege	516	wmic.exe
Token: SeIncBasePriorityPrivilege	516	wmic.exe
Token: SeCreatePagefilePrivilege	516	wmic.exe
Token: SeBackupPrivilege	516	wmic.exe
Token: SeRestorePrivilege	516	wmic.exe
Token: SeShutdownPrivilege	516	wmic.exe
Token: SeDebugPrivilege	516	wmic.exe
Token: SeSystemEnvironmentPrivilege	516	wmic.exe
Token: SeRemoteShutdownPrivilege	516	wmic.exe
Token: SeUndockPrivilege	516	wmic.exe
Token: SeManageVolumePrivilege	516	wmic.exe
Token: 33	516	wmic.exe
Token: 34	516	wmic.exe
Token: 35	516	wmic.exe
Token: SeIncreaseQuotaPrivilege	516	wmic.exe
Token: SeSecurityPrivilege	516	wmic.exe
Token: SeTakeOwnershipPrivilege	516	wmic.exe
Token: SeLoadDriverPrivilege	516	wmic.exe
Token: SeSystemProfilePrivilege	516	wmic.exe
Token: SeSystemtimePrivilege	516	wmic.exe
Token: SeProfSingleProcessPrivilege	516	wmic.exe
Token: SeIncBasePriorityPrivilege	516	wmic.exe
Token: SeCreatePagefilePrivilege	516	wmic.exe
Token: SeBackupPrivilege	516	wmic.exe
Token: SeRestorePrivilege	516	wmic.exe
Token: SeShutdownPrivilege	516	wmic.exe
Token: SeDebugPrivilege	516	wmic.exe
Token: SeSystemEnvironmentPrivilege	516	wmic.exe
Token: SeRemoteShutdownPrivilege	516	wmic.exe
Token: SeUndockPrivilege	516	wmic.exe
Token: SeManageVolumePrivilege	516	wmic.exe
Token: 33	516	wmic.exe
Token: 34	516	wmic.exe
Token: 35	516	wmic.exe
Token: SeIncreaseQuotaPrivilege	1320	wmic.exe
Token: SeSecurityPrivilege	1320	wmic.exe
Token: SeTakeOwnershipPrivilege	1320	wmic.exe
Token: SeLoadDriverPrivilege	1320	wmic.exe
Token: SeSystemProfilePrivilege	1320	wmic.exe
Token: SeSystemtimePrivilege	1320	wmic.exe
Token: SeProfSingleProcessPrivilege	1320	wmic.exe
Token: SeIncBasePriorityPrivilege	1320	wmic.exe
Token: SeCreatePagefilePrivilege	1320	wmic.exe
Token: SeBackupPrivilege	1320	wmic.exe
Token: SeRestorePrivilege	1320	wmic.exe
Token: SeShutdownPrivilege	1320	wmic.exe
Token: SeDebugPrivilege	1320	wmic.exe
Token: SeSystemEnvironmentPrivilege	1320	wmic.exe
Token: SeRemoteShutdownPrivilege	1320	wmic.exe
Token: SeUndockPrivilege	1320	wmic.exe
Token: SeManageVolumePrivilege	1320	wmic.exe
Token: 33	1320	wmic.exe
Token: 34	1320	wmic.exe
Token: 35	1320	wmic.exe
Token: SeIncreaseQuotaPrivilege	1320	wmic.exe
Token: SeSecurityPrivilege	1320	wmic.exe
Token: SeTakeOwnershipPrivilege	1320	wmic.exe
Token: SeLoadDriverPrivilege	1320	wmic.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

config.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 288 wrote to memory of 516	288	config.exe	wmic.exe
PID 288 wrote to memory of 516	288	config.exe	wmic.exe
PID 288 wrote to memory of 516	288	config.exe	wmic.exe
PID 288 wrote to memory of 1320	288	config.exe	wmic.exe
PID 288 wrote to memory of 1320	288	config.exe	wmic.exe
PID 288 wrote to memory of 1320	288	config.exe	wmic.exe
PID 288 wrote to memory of 1688	288	config.exe	powershell.exe
PID 288 wrote to memory of 1688	288	config.exe	powershell.exe
PID 288 wrote to memory of 1688	288	config.exe	powershell.exe
PID 1688 wrote to memory of 1872	1688	powershell.exe	powershell.exe
PID 1688 wrote to memory of 1872	1688	powershell.exe	powershell.exe
PID 1688 wrote to memory of 1872	1688	powershell.exe	powershell.exe
PID 288 wrote to memory of 1660	288	config.exe	powershell.exe
PID 288 wrote to memory of 1660	288	config.exe	powershell.exe
PID 288 wrote to memory of 1660	288	config.exe	powershell.exe
PID 1872 wrote to memory of 1768	1872	powershell.exe	vssadmin.exe
PID 1872 wrote to memory of 1768	1872	powershell.exe	vssadmin.exe
PID 1872 wrote to memory of 1768	1872	powershell.exe	vssadmin.exe
PID 1660 wrote to memory of 2024	1660	powershell.exe	powershell.exe
PID 1660 wrote to memory of 2024	1660	powershell.exe	powershell.exe
PID 1660 wrote to memory of 2024	1660	powershell.exe	powershell.exe
PID 288 wrote to memory of 1904	288	config.exe	wmic.exe
PID 288 wrote to memory of 1904	288	config.exe	wmic.exe
PID 288 wrote to memory of 1904	288	config.exe	wmic.exe
PID 288 wrote to memory of 1120	288	config.exe	powershell.exe
PID 288 wrote to memory of 1120	288	config.exe	powershell.exe
PID 288 wrote to memory of 1120	288	config.exe	powershell.exe
PID 2024 wrote to memory of 1668	2024	powershell.exe	cipher.exe
PID 2024 wrote to memory of 1668	2024	powershell.exe	cipher.exe
PID 2024 wrote to memory of 1668	2024	powershell.exe	cipher.exe
PID 1120 wrote to memory of 852	1120	powershell.exe	powershell.exe
PID 1120 wrote to memory of 852	1120	powershell.exe	powershell.exe
PID 1120 wrote to memory of 852	1120	powershell.exe	powershell.exe
PID 852 wrote to memory of 1752	852	powershell.exe	cipher.exe
PID 852 wrote to memory of 1752	852	powershell.exe	cipher.exe
PID 852 wrote to memory of 1752	852	powershell.exe	cipher.exe

C:\Users\Admin\AppData\Local\Temp\config.exe
"C:\Users\Admin\AppData\Local\Temp\config.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
PID:288

C:\Windows\System32\Wbem\wmic.exe
wmic MEMORYCHIP get Capacity
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:516

C:\Windows\System32\Wbem\wmic.exe
wmic logicaldisk get name
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start-process powershell -windowstyle hidden "{vssadmin delete shadows /all /quiet}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" vssadmin delete shadows /all /quiet
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\system32\vssadmin.exe
"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start-process powershell -windowstyle hidden "{ cipher /w:C:\}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cipher /w:C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\system32\cipher.exe
"C:\Windows\system32\cipher.exe" /w:C:\
4⤵
PID:1668

C:\Windows\System32\Wbem\wmic.exe
wmic logicaldisk get name
2⤵
PID:1904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start-process powershell -windowstyle hidden "{ cipher /w:D:\}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cipher /w:D:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\system32\cipher.exe
"C:\Windows\system32\cipher.exe" /w:D:\
4⤵
- Enumerates connected drives
PID:1752

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1764

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1320

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\_Readme_.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1692

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
4cabb669e4a89176aa62164c339c143a

SHA1
da8e3bdce42936a8004c9d0fd813b81fb33fd371

SHA256
1ae562179f202d6b7b841e7ee4005d05e747fbeceb97d1766e55880378a2021f

SHA512
db009346be819ac636f172c0091f33b2b1b2db762eb15a4d5992e1875be63e5e2213f8bcb8f1361c1ead91c6bec48556d6a0e929ac7e29a7135651db76e0d274

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
4cabb669e4a89176aa62164c339c143a

SHA1
da8e3bdce42936a8004c9d0fd813b81fb33fd371

SHA256
1ae562179f202d6b7b841e7ee4005d05e747fbeceb97d1766e55880378a2021f

SHA512
db009346be819ac636f172c0091f33b2b1b2db762eb15a4d5992e1875be63e5e2213f8bcb8f1361c1ead91c6bec48556d6a0e929ac7e29a7135651db76e0d274

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
4cabb669e4a89176aa62164c339c143a

SHA1
da8e3bdce42936a8004c9d0fd813b81fb33fd371

SHA256
1ae562179f202d6b7b841e7ee4005d05e747fbeceb97d1766e55880378a2021f

SHA512
db009346be819ac636f172c0091f33b2b1b2db762eb15a4d5992e1875be63e5e2213f8bcb8f1361c1ead91c6bec48556d6a0e929ac7e29a7135651db76e0d274

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
4cabb669e4a89176aa62164c339c143a

SHA1
da8e3bdce42936a8004c9d0fd813b81fb33fd371

SHA256
1ae562179f202d6b7b841e7ee4005d05e747fbeceb97d1766e55880378a2021f

SHA512
db009346be819ac636f172c0091f33b2b1b2db762eb15a4d5992e1875be63e5e2213f8bcb8f1361c1ead91c6bec48556d6a0e929ac7e29a7135651db76e0d274

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
4cabb669e4a89176aa62164c339c143a

SHA1
da8e3bdce42936a8004c9d0fd813b81fb33fd371

SHA256
1ae562179f202d6b7b841e7ee4005d05e747fbeceb97d1766e55880378a2021f

SHA512
db009346be819ac636f172c0091f33b2b1b2db762eb15a4d5992e1875be63e5e2213f8bcb8f1361c1ead91c6bec48556d6a0e929ac7e29a7135651db76e0d274

Download Submit
C:\Users\Admin\Documents\_Readme_.txt
MD5
46fa74d5a142a03be78cfc725906d980

SHA1
3a0b6b36fd65475af0f8fdeb7d319684afaa61ff

SHA256
c55e048693ef2e3f4518133d5a52e42018b05b8e0567c22092b74e37b9a225cf

SHA512
c3895c4095715ef9df5d55d019dc970a94f55910f428da5632ac4ef522b2d689ed0ffaecdfbcf65a80221e8061bd64b92af6cbb7ca310fdd48eeba2c3a60b10b

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/516-53-0x0000000000000000-mapping.dmp

Download
memory/852-105-0x0000000002482000-0x0000000002484000-memory.dmp

Filesize
8KB

Download
memory/852-107-0x000000001B720000-0x000000001BA1F000-memory.dmp

Filesize
3.0MB

Download
memory/852-103-0x000007FEF2410000-0x000007FEF2F6D000-memory.dmp

Filesize
11.4MB

Download
memory/852-104-0x0000000002480000-0x0000000002482000-memory.dmp

Filesize
8KB

Download
memory/852-100-0x0000000000000000-mapping.dmp

Download
memory/852-106-0x0000000002484000-0x0000000002487000-memory.dmp

Filesize
12KB

Download
memory/1120-89-0x0000000000000000-mapping.dmp

Download
memory/1120-98-0x0000000002794000-0x0000000002797000-memory.dmp

Filesize
12KB

Download
memory/1120-97-0x0000000002792000-0x0000000002794000-memory.dmp

Filesize
8KB

Download
memory/1120-96-0x0000000002790000-0x0000000002792000-memory.dmp

Filesize
8KB

Download
memory/1120-99-0x000000000279B000-0x00000000027BA000-memory.dmp

Filesize
124KB

Download
memory/1120-94-0x000000001B7B0000-0x000000001BAAF000-memory.dmp

Filesize
3.0MB

Download
memory/1120-93-0x000007FEF2410000-0x000007FEF2F6D000-memory.dmp

Filesize
11.4MB

Download
memory/1320-54-0x0000000000000000-mapping.dmp

Download
memory/1660-69-0x000007FEF2410000-0x000007FEF2F6D000-memory.dmp

Filesize
11.4MB

Download
memory/1660-87-0x000000000235B000-0x000000000237A000-memory.dmp

Filesize
124KB

Download
memory/1660-80-0x0000000002350000-0x0000000002352000-memory.dmp

Filesize
8KB

Download
memory/1660-81-0x0000000002352000-0x0000000002354000-memory.dmp

Filesize
8KB

Download
memory/1660-62-0x0000000000000000-mapping.dmp

Download
memory/1660-85-0x0000000002354000-0x0000000002357000-memory.dmp

Filesize
12KB

Download
memory/1668-91-0x0000000000000000-mapping.dmp

Download
memory/1688-56-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp

Filesize
8KB

Download
memory/1688-57-0x000007FEF2DB0000-0x000007FEF390D000-memory.dmp

Filesize
11.4MB

Download
memory/1688-58-0x00000000024F0000-0x00000000024F2000-memory.dmp

Filesize
8KB

Download
memory/1688-59-0x00000000024F2000-0x00000000024F4000-memory.dmp

Filesize
8KB

Download
memory/1688-60-0x00000000024F4000-0x00000000024F7000-memory.dmp

Filesize
12KB

Download
memory/1688-55-0x0000000000000000-mapping.dmp

Download
memory/1688-74-0x00000000024FB000-0x000000000251A000-memory.dmp

Filesize
124KB

Download
memory/1752-108-0x0000000000000000-mapping.dmp

Download
memory/1768-70-0x0000000000000000-mapping.dmp

Download
memory/1872-61-0x0000000000000000-mapping.dmp

Download
memory/1872-86-0x00000000027DB000-0x00000000027FA000-memory.dmp

Filesize
124KB

Download
memory/1872-82-0x00000000027D2000-0x00000000027D4000-memory.dmp

Filesize
8KB

Download
memory/1872-68-0x000007FEF2410000-0x000007FEF2F6D000-memory.dmp

Filesize
11.4MB

Download
memory/1872-76-0x00000000027D0000-0x00000000027D2000-memory.dmp

Filesize
8KB

Download
memory/1872-84-0x00000000027D4000-0x00000000027D7000-memory.dmp

Filesize
12KB

Download
memory/1904-72-0x0000000000000000-mapping.dmp

Download
memory/2024-78-0x0000000002980000-0x0000000002982000-memory.dmp

Filesize
8KB

Download
memory/2024-79-0x0000000002982000-0x0000000002984000-memory.dmp

Filesize
8KB

Download
memory/2024-83-0x000000001B7C0000-0x000000001BABF000-memory.dmp

Filesize
3.0MB

Download
memory/2024-88-0x0000000002984000-0x0000000002987000-memory.dmp

Filesize
12KB

Download
memory/2024-71-0x0000000000000000-mapping.dmp

Download
memory/2024-77-0x000007FEF2410000-0x000007FEF2F6D000-memory.dmp

Filesize
11.4MB

Download
memory/2024-95-0x000000000298B000-0x00000000029AA000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads