Analysis
- max time kernel: 31s
- max time network: 17s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 01-01-2022 14:57
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: config.exe, Resource: win7-en-20211208)
- Behavioral task: behavioral2 (Sample: config.exe, Resource: win10-en-20211208)
General
- Target: config.exe
- Size: 2.1MB
- MD5: cf351819c69c94fbdaec24cb8c30990b
- SHA1: 4911d5384ca3720c48a0c8ba47b1edba33dfa0ff
- SHA256: 25d18c3823a3b210a18e69c823ce4c59fab298c315ac2a5d891027921d1c6d7e
- SHA512: c6ed66e7a0afa76ff2c583b91e90ed8a193af8c25ba5e81e29be652bbbdfaf1fa62047826066f8ebc3677873e6a75237103ec4dc61544c3e5c11eff2b401c5b9
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (3 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description | ioc | process):
  File renamed | C:\Users\Admin\Pictures\ExportTest.png => C:\Users\Admin\Pictures\ExportTest.png.xyz | config.exe
  File renamed | C:\Users\Admin\Pictures\ExportWait.raw => C:\Users\Admin\Pictures\ExportWait.raw.xyz | config.exe
  File renamed | C:\Users\Admin\Pictures\UninstallSelect.tif => C:\Users\Admin\Pictures\UninstallSelect.tif.xyz | config.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (13 IoCs)
  Processes (description | ioc | process):
  File created | C:\Users\Admin\Saved Games\desktop.ini | config.exe
  File created | C:\Users\Admin\Desktop\desktop.ini | config.exe
  File created | C:\Users\Admin\Downloads\desktop.ini | config.exe
  File created | C:\Users\Admin\Favorites\Links\desktop.ini | config.exe
  File created | C:\Users\Admin\Favorites\desktop.ini | config.exe
  File created | C:\Users\Admin\Links\desktop.ini | config.exe
  File created | C:\Users\Admin\Music\desktop.ini | config.exe
  File created | C:\Users\Admin\Contacts\desktop.ini | config.exe
  File created | C:\Users\Admin\Documents\desktop.ini | config.exe
  File created | C:\Users\Admin\Favorites\Links for United States\desktop.ini | config.exe
  File created | C:\Users\Admin\Pictures\desktop.ini | config.exe
  File created | C:\Users\Admin\Searches\desktop.ini | config.exe
  File created | C:\Users\Admin\Videos\desktop.ini | config.exe
- Enumerates connected drives (3 TTPs, 1 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description | ioc | process):
  File opened (read-only) | \??\D: | cipher.exe
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid | process):
  1768 | vssadmin.exe
- Opens file in notepad (likely ransom note) (1 IoCs)
  Processes (pid | process):
  1692 | NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes (pid | process):
  1688 | powershell.exe (3 entries)
  1872 | powershell.exe
  1660 | powershell.exe (3 entries)
  2024 | powershell.exe
  1120 | powershell.exe (3 entries)
  852 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description | pid | process), grouped by pid. Each pid enables the same sequence of 20 tokens:
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  516 | wmic.exe: the full sequence twice (40 entries)
  1320 | wmic.exe: the full sequence once, then SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege (24 entries shown)
- Suspicious use of WriteProcessMemory (36 IoCs)
  Processes (description | pid | process | target process); each entry is recorded three times in the report:
  PID 288 wrote to memory of 516 | 288 | config.exe | wmic.exe
  PID 288 wrote to memory of 1320 | 288 | config.exe | wmic.exe
  PID 288 wrote to memory of 1688 | 288 | config.exe | powershell.exe
  PID 1688 wrote to memory of 1872 | 1688 | powershell.exe | powershell.exe
  PID 288 wrote to memory of 1660 | 288 | config.exe | powershell.exe
  PID 1872 wrote to memory of 1768 | 1872 | powershell.exe | vssadmin.exe
  PID 1660 wrote to memory of 2024 | 1660 | powershell.exe | powershell.exe
  PID 288 wrote to memory of 1904 | 288 | config.exe | wmic.exe
  PID 288 wrote to memory of 1120 | 288 | config.exe | powershell.exe
  PID 2024 wrote to memory of 1668 | 2024 | powershell.exe | cipher.exe
  PID 1120 wrote to memory of 852 | 1120 | powershell.exe | powershell.exe
  PID 852 wrote to memory of 1752 | 852 | powershell.exe | cipher.exe
Processes (tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\config.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\config.exe"
  signatures: Modifies extensions of user files; Drops desktop.ini file(s); Suspicious use of WriteProcessMemory
  - C:\Windows\System32\Wbem\wmic.exe
    cmd: wmic MEMORYCHIP get Capacity
    signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\wmic.exe
    cmd: wmic logicaldisk get name
    signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell start-process powershell -windowstyle hidden "{vssadmin delete shadows /all /quiet}"
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" vssadmin delete shadows /all /quiet
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\vssadmin.exe
        cmd: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
        signatures: Interacts with shadow copies
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell start-process powershell -windowstyle hidden "{ cipher /w:C:\}"
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cipher /w:C:\
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cipher.exe
        cmd: "C:\Windows\system32\cipher.exe" /w:C:\
  - C:\Windows\System32\Wbem\wmic.exe
    cmd: wmic logicaldisk get name
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: powershell start-process powershell -windowstyle hidden "{ cipher /w:D:\}"
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cipher /w:D:\
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cipher.exe
        cmd: "C:\Windows\system32\cipher.exe" /w:D:\
        signatures: Enumerates connected drives
- C:\Windows\system32\vssvc.exe
  cmd: C:\Windows\system32\vssvc.exe
- C:\Windows\explorer.exe
  cmd: "C:\Windows\explorer.exe"
- C:\Windows\system32\NOTEPAD.EXE
  cmd: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\_Readme_.txt
  signatures: Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: 4cabb669e4a89176aa62164c339c143a
  SHA1: da8e3bdce42936a8004c9d0fd813b81fb33fd371
  SHA256: 1ae562179f202d6b7b841e7ee4005d05e747fbeceb97d1766e55880378a2021f
  SHA512: db009346be819ac636f172c0091f33b2b1b2db762eb15a4d5992e1875be63e5e2213f8bcb8f1361c1ead91c6bec48556d6a0e929ac7e29a7135651db76e0d274
- C:\Users\Admin\Documents\_Readme_.txt
  MD5: 46fa74d5a142a03be78cfc725906d980
  SHA1: 3a0b6b36fd65475af0f8fdeb7d319684afaa61ff
  SHA256: c55e048693ef2e3f4518133d5a52e42018b05b8e0567c22092b74e37b9a225cf
  SHA512: c3895c4095715ef9df5d55d019dc970a94f55910f428da5632ac4ef522b2d689ed0ffaecdfbcf65a80221e8061bd64b92af6cbb7ca310fdd48eeba2c3a60b10b
- \??\PIPE\srvsvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e