Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

config.exe

windows7_x64

9

config.exe

windows10_x64

9

Analysis

  • max time kernel
    31s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    01/01/2022, 14:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    config.exe

  • Size

    2.1MB

  • MD5

    cf351819c69c94fbdaec24cb8c30990b

  • SHA1

    4911d5384ca3720c48a0c8ba47b1edba33dfa0ff

  • SHA256

    25d18c3823a3b210a18e69c823ce4c59fab298c315ac2a5d891027921d1c6d7e

  • SHA512

    c6ed66e7a0afa76ff2c583b91e90ed8a193af8c25ba5e81e29be652bbbdfaf1fa62047826066f8ebc3677873e6a75237103ec4dc61544c3e5c11eff2b401c5b9

Score
9/10
ransomwarespywarestealer

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 13 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\config.exe
    "C:\Users\Admin\AppData\Local\Temp\config.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Suspicious use of WriteProcessMemory
    PID:288
    • C:\Windows\System32\Wbem\wmic.exe
      wmic MEMORYCHIP get Capacity
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:516
    • C:\Windows\System32\Wbem\wmic.exe
      wmic logicaldisk get name
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1320
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell start-process powershell -windowstyle hidden "{vssadmin delete shadows /all /quiet}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1688
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" vssadmin delete shadows /all /quiet
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1872
        • C:\Windows\system32\vssadmin.exe
          "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:1768
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell start-process powershell -windowstyle hidden "{ cipher /w:C:\}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cipher /w:C:\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2024
        • C:\Windows\system32\cipher.exe
          "C:\Windows\system32\cipher.exe" /w:C:\
          4⤵
            PID:1668
      • C:\Windows\System32\Wbem\wmic.exe
        wmic logicaldisk get name
        2⤵
          PID:1904
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell start-process powershell -windowstyle hidden "{ cipher /w:D:\}"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1120
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cipher /w:D:\
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:852
            • C:\Windows\system32\cipher.exe
              "C:\Windows\system32\cipher.exe" /w:D:\
              4⤵
              • Enumerates connected drives
              PID:1752
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
          PID:1764
        • C:\Windows\explorer.exe
          "C:\Windows\explorer.exe"
          1⤵
            PID:1320
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\_Readme_.txt
            1⤵
            • Opens file in notepad (likely ransom note)
            PID:1692

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/852-105-0x0000000002482000-0x0000000002484000-memory.dmp

            Filesize

            8KB

            Download

          • memory/852-107-0x000000001B720000-0x000000001BA1F000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/852-103-0x000007FEF2410000-0x000007FEF2F6D000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/852-104-0x0000000002480000-0x0000000002482000-memory.dmp

            Filesize

            8KB

            Download

          • memory/852-106-0x0000000002484000-0x0000000002487000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1120-98-0x0000000002794000-0x0000000002797000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1120-97-0x0000000002792000-0x0000000002794000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1120-96-0x0000000002790000-0x0000000002792000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1120-99-0x000000000279B000-0x00000000027BA000-memory.dmp

            Filesize

            124KB

            Download

          • memory/1120-94-0x000000001B7B0000-0x000000001BAAF000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/1120-93-0x000007FEF2410000-0x000007FEF2F6D000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/1660-69-0x000007FEF2410000-0x000007FEF2F6D000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/1660-87-0x000000000235B000-0x000000000237A000-memory.dmp

            Filesize

            124KB

            Download

          • memory/1660-80-0x0000000002350000-0x0000000002352000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1660-81-0x0000000002352000-0x0000000002354000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1660-85-0x0000000002354000-0x0000000002357000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1688-56-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1688-57-0x000007FEF2DB0000-0x000007FEF390D000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/1688-58-0x00000000024F0000-0x00000000024F2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1688-59-0x00000000024F2000-0x00000000024F4000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1688-60-0x00000000024F4000-0x00000000024F7000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1688-74-0x00000000024FB000-0x000000000251A000-memory.dmp

            Filesize

            124KB

            Download

          • memory/1872-86-0x00000000027DB000-0x00000000027FA000-memory.dmp

            Filesize

            124KB

            Download

          • memory/1872-82-0x00000000027D2000-0x00000000027D4000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1872-68-0x000007FEF2410000-0x000007FEF2F6D000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/1872-76-0x00000000027D0000-0x00000000027D2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1872-84-0x00000000027D4000-0x00000000027D7000-memory.dmp

            Filesize

            12KB

            Download

          • memory/2024-78-0x0000000002980000-0x0000000002982000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2024-79-0x0000000002982000-0x0000000002984000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2024-83-0x000000001B7C0000-0x000000001BABF000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/2024-88-0x0000000002984000-0x0000000002987000-memory.dmp

            Filesize

            12KB

            Download

          • memory/2024-77-0x000007FEF2410000-0x000007FEF2F6D000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/2024-95-0x000000000298B000-0x00000000029AA000-memory.dmp

            Filesize

            124KB

            Download