Analysis

  • max time kernel
    114s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/11/2022, 17:25 UTC

General

  • Target

    Geek Squad Security Services.msg

  • Size

    1.4MB

  • MD5

    b5bb9496599e31a8f3eb37b6e014f1ba

  • SHA1

    9a45b90e6dcc0ddd664cac8f5555ef6782b39e26

  • SHA256

    a4f7d62594a21be103f1f08a9c8b22e7e3f8a91835dfc18d81b36ad70c2bc8d0

  • SHA512

    8128e4c53671e3182548946a9b6c81180579ffbf8702144ee0ddba43b7830fb0b4d7eaf0c25999e96600c7536ede47f2c38a3797423055d71496c015b7af4c8a

  • SSDEEP

    24576:cV/yEl7qrraXbC5JnkWBZAveZg3aFCnP/E:O/FluraLCjk+QeU3

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 40 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Geek Squad Security Services.msg"
    1⤵
      PID:3840
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1000
      • C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe
        "C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe" "C:\Users\Admin\AppData\Local\Temp\Geek Squad Security Services.msg"
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4336
        • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
          OfficeClickToRun.exe platform=
          3⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of SetWindowsHookEx
          PID:2876

    Network

    • 8.247.210.254:80
      46 B
      40 B
      1
      1
    • 20.50.80.209:443
      322 B
      7
    • 2.18.109.224:443
      322 B
      7
    • 93.184.221.240:80
      322 B
      7
    • 93.184.221.240:80
      322 B
      7
    • 93.184.221.240:80
      322 B
      7
    • 93.184.221.240:80
      260 B
      5

    MITRE ATT&CK Enterprise v6
