Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

config.exe

windows7_x64

9

config.exe

windows10_x64

9

Analysis

  • max time kernel
    48s
  • max time network
    70s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    01/01/2022, 14:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    config.exe

  • Size

    2.1MB

  • MD5

    cf351819c69c94fbdaec24cb8c30990b

  • SHA1

    4911d5384ca3720c48a0c8ba47b1edba33dfa0ff

  • SHA256

    25d18c3823a3b210a18e69c823ce4c59fab298c315ac2a5d891027921d1c6d7e

  • SHA512

    c6ed66e7a0afa76ff2c583b91e90ed8a193af8c25ba5e81e29be652bbbdfaf1fa62047826066f8ebc3677873e6a75237103ec4dc61544c3e5c11eff2b401c5b9

Score
9/10
ransomwarespywarestealer

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 12 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 15 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\config.exe
    "C:\Users\Admin\AppData\Local\Temp\config.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Suspicious use of WriteProcessMemory
    PID:3964
    • C:\Windows\System32\Wbem\wmic.exe
      wmic MEMORYCHIP get Capacity
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2680
    • C:\Windows\System32\Wbem\wmic.exe
      wmic logicaldisk get name
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1036
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell start-process powershell -windowstyle hidden "{vssadmin delete shadows /all /quiet}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2064
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" vssadmin delete shadows /all /quiet
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2652
        • C:\Windows\system32\vssadmin.exe
          "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2016
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell start-process powershell -windowstyle hidden "{ cipher /w:C:\}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:680
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cipher /w:C:\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2532
        • C:\Windows\system32\cipher.exe
          "C:\Windows\system32\cipher.exe" /w:C:\
          4⤵
            PID:1532
      • C:\Windows\System32\Wbem\wmic.exe
        wmic logicaldisk get name
        2⤵
          PID:2208
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell start-process powershell -windowstyle hidden "{ cipher /w:D:\}"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3980
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cipher /w:D:\
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:748
            • C:\Windows\system32\cipher.exe
              "C:\Windows\system32\cipher.exe" /w:D:\
              4⤵
              • Enumerates connected drives
              PID:1572
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
          PID:800
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_Readme_.txt
          1⤵
          • Opens file in notepad (likely ransom note)
          PID:3804

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/680-167-0x00000256BCB90000-0x00000256BCB92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/680-151-0x00000256BCB90000-0x00000256BCB92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/680-159-0x00000256D72B0000-0x00000256D72D2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/680-149-0x00000256BCB90000-0x00000256BCB92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/680-155-0x00000256BCB90000-0x00000256BCB92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/680-157-0x00000256BCB90000-0x00000256BCB92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/680-166-0x00000256BCB90000-0x00000256BCB92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/680-215-0x00000256BCC76000-0x00000256BCC78000-memory.dmp

          Filesize

          8KB

          Download

        • memory/680-160-0x00000256BCB90000-0x00000256BCB92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/680-192-0x00000256BCB90000-0x00000256BCB92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/680-187-0x00000256BCB90000-0x00000256BCB92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/680-186-0x00000256BCB90000-0x00000256BCB92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/680-184-0x00000256BCB90000-0x00000256BCB92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/680-182-0x00000256BCC73000-0x00000256BCC75000-memory.dmp

          Filesize

          8KB

          Download

        • memory/680-181-0x00000256BCB90000-0x00000256BCB92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/680-178-0x00000256BCC70000-0x00000256BCC72000-memory.dmp

          Filesize

          8KB

          Download

        • memory/680-153-0x00000256BCB90000-0x00000256BCB92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/680-170-0x00000256BCB90000-0x00000256BCB92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/680-169-0x00000256D7DA0000-0x00000256D7E16000-memory.dmp

          Filesize

          472KB

          Download

        • memory/748-248-0x0000014B869F0000-0x0000014B869F2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/748-259-0x0000014B869F6000-0x0000014B869F8000-memory.dmp

          Filesize

          8KB

          Download

        • memory/748-254-0x0000014BA33A0000-0x0000014BA3416000-memory.dmp

          Filesize

          472KB

          Download

        • memory/748-246-0x0000014BA28B0000-0x0000014BA28D2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/748-249-0x0000014B869F3000-0x0000014B869F5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2064-146-0x000001AA26456000-0x000001AA26458000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2064-126-0x000001AA0C2D0000-0x000001AA0C2D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2064-119-0x000001AA0C2D0000-0x000001AA0C2D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2064-118-0x000001AA0C2D0000-0x000001AA0C2D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2064-120-0x000001AA0C2D0000-0x000001AA0C2D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2064-121-0x000001AA0C2D0000-0x000001AA0C2D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2064-122-0x000001AA0C2D0000-0x000001AA0C2D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2064-123-0x000001AA26450000-0x000001AA26452000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2064-124-0x000001AA26453000-0x000001AA26455000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2064-125-0x000001AA0DE80000-0x000001AA0DEA2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2064-130-0x000001AA0C2D0000-0x000001AA0C2D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2064-127-0x000001AA0C2D0000-0x000001AA0C2D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2064-145-0x000001AA0C2D0000-0x000001AA0C2D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2064-128-0x000001AA0C2D0000-0x000001AA0C2D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2064-140-0x000001AA0C2D0000-0x000001AA0C2D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2064-129-0x000001AA28E70000-0x000001AA28EE6000-memory.dmp

          Filesize

          472KB

          Download

        • memory/2064-136-0x000001AA0C2D0000-0x000001AA0C2D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2064-139-0x000001AA0C2D0000-0x000001AA0C2D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2064-137-0x000001AA0C2D0000-0x000001AA0C2D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2532-197-0x00000272C05B0000-0x00000272C05B2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2532-216-0x00000272C2130000-0x00000272C2132000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2532-217-0x00000272C2133000-0x00000272C2135000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2532-194-0x00000272C05B0000-0x00000272C05B2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2532-195-0x00000272C05B0000-0x00000272C05B2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2532-196-0x00000272C05B0000-0x00000272C05B2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2532-198-0x00000272C05B0000-0x00000272C05B2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2532-199-0x00000272DC5A0000-0x00000272DC5C2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2532-200-0x00000272C05B0000-0x00000272C05B2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2532-210-0x00000272DD090000-0x00000272DD106000-memory.dmp

          Filesize

          472KB

          Download

        • memory/2652-154-0x000001F83A450000-0x000001F83A452000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2652-183-0x000001F83A4F3000-0x000001F83A4F5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2652-158-0x000001F83A450000-0x000001F83A452000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2652-180-0x000001F83A4F0000-0x000001F83A4F2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2652-163-0x000001F83A450000-0x000001F83A452000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2652-220-0x000001F83A4F6000-0x000001F83A4F8000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2652-168-0x000001F8556E0000-0x000001F855756000-memory.dmp

          Filesize

          472KB

          Download

        • memory/2652-164-0x000001F83A450000-0x000001F83A452000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2652-152-0x000001F83A450000-0x000001F83A452000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2652-165-0x000001F83A450000-0x000001F83A452000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2652-161-0x000001F854B90000-0x000001F854BB2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2652-156-0x000001F83A450000-0x000001F83A452000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2652-171-0x000001F83A450000-0x000001F83A452000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2652-150-0x000001F83A450000-0x000001F83A452000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3980-222-0x00000246DD423000-0x00000246DD425000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3980-225-0x00000246F84A0000-0x00000246F8516000-memory.dmp

          Filesize

          472KB

          Download

        • memory/3980-247-0x00000246DD426000-0x00000246DD428000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3980-203-0x00000246DB9B0000-0x00000246DB9B2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3980-218-0x00000246DD420000-0x00000246DD422000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3980-212-0x00000246DD3D0000-0x00000246DD3F2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/3980-204-0x00000246DB9B0000-0x00000246DB9B2000-memory.dmp

          Filesize

          8KB

          Download