Analysis
max time kernel: 15s
max time network: 34s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 09/01/2023, 15:12
Static task: static1
Behavioral task: behavioral1
Sample: geek.exe
Resource: win7-20221111-en
General
Target: geek.exe
Size: 6.3MB
MD5: 234f314f904536e9ea73f52e1f0ffa13
SHA1: 430d72aad2930ef28d9270db87bb14260d3e613f
SHA256: 7142ba9a0a96e7184d8da2d5514d4416191494cc709f424f924ceb26332171ec
SHA512: 24c1e1b85486b49263ef4fdfc34f68f3b0f78f83da77e9a8fc0f8f27b51beaf25d70c64fd07c10e35a2593d359c742759a63c0ff985eea630c0588af96af49f0
SSDEEP: 98304:3qJbc5xtz+kl/m5lifMc/PKkuExnaZ/l+7Y1rtJKCg85:6Jk+y/mnifVKkbaZ/l+7Y1rtECg85
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid   process
  1224  geek64.exe
  1284  Process not Found
  1048  Uninst.exe
- Registers COM server for autorun (1 TTP, 1 IoC)
  action       ioc                                                                                              process
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32   Uninst.exe
  The only IoC is a key deletion. This signature keys on the CLSID\...\InprocServer32 path, and here the key is being removed by an uninstaller rather than created, so check the action column before reading this as COM-based persistence.
- Loads dropped DLL (2 IoCs)
  pid  process
  616  geek.exe
  876  Uninstall.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Windows directory (2 IoCs)
  action                        ioc                                                                          process
  File opened for modification  C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe   geek64.exe
  File opened for modification  C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\ShellUI.MST     geek64.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is a generic drive-enumeration heuristic that also fires on ordinary installers and uninstallers; the process tree below is a 7-Zip uninstall, so weigh it accordingly.
- Modifies registry class (9 IoCs), all "Key deleted" by Uninst.exe:
  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32
  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}
  \REGISTRY\MACHINE\SOFTWARE\Classes\FOLDER\SHELLEX\CONTEXTMENUHANDLERS\7-ZIP
  \REGISTRY\MACHINE\SOFTWARE\Classes\DIRECTORY\SHELLEX\DRAGDROPHANDLERS\7-ZIP
  \REGISTRY\MACHINE\SOFTWARE\Classes\DRIVE\SHELLEX\DRAGDROPHANDLERS\7-ZIP
  \REGISTRY\MACHINE\SOFTWARE\Classes\*\SHELLEX\CONTEXTMENUHANDLERS\7-ZIP
  \REGISTRY\MACHINE\SOFTWARE\Classes\DIRECTORY\SHELLEX\CONTEXTMENUHANDLERS\7-ZIP
  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32
  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid 1224 geek64.exe (3 hits)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1224 geek64.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege, pid 1224 geek64.exe (4 hits)
- Suspicious use of SetWindowsHookEx (12 IoCs)
  pid 616 geek.exe (1 hit); pid 1224 geek64.exe (11 hits)
- Suspicious use of WriteProcessMemory (18 IoCs)
  description                       pid   process        procid_target  hits
  PID 616 wrote to memory of 1224   616   geek.exe       28             4
  PID 1224 wrote to memory of 876   1224  geek64.exe     31             7
  PID 876 wrote to memory of 1048   876   Uninstall.exe  32             7
Processes
- C:\Users\Admin\AppData\Local\Temp\geek.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\geek.exe"
  PID: 616
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\geek64.exe
    command line: C:\Users\Admin\AppData\Local\Temp\geek64.exe
    PID: 1224
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\7-Zip\Uninstall.exe
      command line: "C:\Program Files\7-Zip\Uninstall.exe"
      PID: 876
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\7zC205636C\Uninst.exe
        command line: C:\Users\Admin\AppData\Local\Temp\7zC205636C\Uninst.exe /N /D="C:\Program Files\7-Zip\"
        PID: 1048
        - Executes dropped EXE
        - Registers COM server for autorun
        - Modifies registry class
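The WriteProcessMemory rows in the signature table are the raw material for the process tree above (each parent writes into its child at CreateProcess time, once per call, hence the repeated rows), and the "Registers COM server for autorun" hit turns out to be a deletion once the action column is read. The following added Python script, which is not code from the Triage report or from the analysed sample, rebuilds the lineage and classifies the COM-key actions from rows copied out of those tables; the row strings embedded in it are constructed from this report, and the PID-to-image map for the leaf process is taken from the "Executes dropped EXE" table. It assumes Triage's row layout as printed on this page.

```python
"""Rebuild the process lineage and the COM-registration IoCs from the flattened
Triage signature tables.

Added example, not code from the Triage report or from the analysed sample.
The input strings are rows copied from the report's "Suspicious use of
WriteProcessMemory" and "Modifies registry class" tables; the PID-to-image map
for the leaf process comes from its "Executes dropped EXE" table.
"""
import re
from collections import defaultdict

# Row layout as printed on the page:
#   "PID <writer> wrote to memory of <target> <writer> <writer image> <triage proc id>"
# Triage emits one row per WriteProcessMemory call, so one CreateProcess shows
# up several times; the duplicates are kept here on purpose (constructed data).
WRITE_PROCESS_MEMORY = """
PID 616 wrote to memory of 1224 616 geek.exe 28
PID 616 wrote to memory of 1224 616 geek.exe 28
PID 1224 wrote to memory of 876 1224 geek64.exe 31
PID 1224 wrote to memory of 876 1224 geek64.exe 31
PID 876 wrote to memory of 1048 876 Uninstall.exe 32
"""

# Row layout: "Key <action> <path> <process>" (constructed from the report).
REGISTRY_CLASS = r"""
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 Uninst.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000} Uninst.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\FOLDER\SHELLEX\CONTEXTMENUHANDLERS\7-ZIP Uninst.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\*\SHELLEX\CONTEXTMENUHANDLERS\7-ZIP Uninst.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 Uninst.exe
"""

# The one PID that never writes into a child; its image name comes from the
# "Executes dropped EXE" table (pid 1048 Uninst.exe).
LEAF_NAMES = {1048: "Uninst.exe"}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")
REG_RE = re.compile(r"Key (\w+) (\\REGISTRY\\\S+) (\S+)")
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]+\})")


def parse_write_events(text):
    """Return de-duplicated (parent_pid, child_pid, parent_image) triples in
    first-seen order; repeated rows for the same CreateProcess collapse."""
    seen, events = set(), []
    for m in WPM_RE.finditer(text):
        triple = (int(m.group(1)), int(m.group(2)), m.group(3))
        if triple not in seen:
            seen.add(triple)
            events.append(triple)
    return events


def build_tree(events, leaf_names=LEAF_NAMES):
    """Map parent PID -> [child PIDs] and PID -> image name."""
    children, names = defaultdict(list), dict(leaf_names)
    for parent, child, parent_image in events:
        children[parent].append(child)
        names[parent] = parent_image
    return children, names


def lineage(children, root):
    """PIDs reachable from root, depth-first, root first."""
    order = [root]
    for child in children.get(root, []):
        order.extend(lineage(children, child))
    return order


def render_tree(children, names, root, depth=0):
    """One line per process, indented by depth, e.g. 'geek.exe (PID 616)'."""
    lines = [f"{'  ' * depth}{names.get(root, '?')} (PID {root})"]
    for child in children.get(root, []):
        lines.extend(render_tree(children, names, child, depth + 1))
    return lines


def parse_registry_events(text):
    """Return (action, key_path, process) triples."""
    return [m.groups() for m in REG_RE.finditer(text)]


def com_actions(reg_events):
    """CLSID -> set of actions seen on its keys.  A 'Registers COM server'
    signature whose only action is 'deleted' is an unregistration, not a
    persistence attempt: the action column decides, not the path."""
    actions = defaultdict(set)
    for action, path, _process in reg_events:
        m = CLSID_RE.search(path)
        if m:
            actions[m.group(1).upper()].add(action)
    return dict(actions)


if __name__ == "__main__":
    tree, names = build_tree(parse_write_events(WRITE_PROCESS_MEMORY))
    print("\n".join(render_tree(tree, names, 616)))
    for clsid, acts in com_actions(parse_registry_events(REGISTRY_CLASS)).items():
        print(clsid, sorted(acts))
```

Run it as-is to print the four-level chain geek.exe -> geek64.exe -> Uninstall.exe -> Uninst.exe and the single CLSID with only a "deleted" action. The same parser applies to any Triage report whose WriteProcessMemory rows follow this layout; only the embedded rows and the leaf-name map are specific to this sample.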
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 15KB (listed twice with identical hashes)
  MD5: b0cec9f342bf95700b602ee376446577
  SHA1: b955b1b64280bb0ea873538029cf5ea44081501b
  SHA256: 24a2472e3bd5016cb22ce14cefee112d5bc18354bf099e8e66ad9846aea15088
  SHA512: 05ebecfc8d3e2e7885d3cacc65bfd97db710c2cbc0fb76b19b7d6cc82b327b25df953a20affc8d84002167dd8ac7710622279d3579c6605e742a98fe7095aa4e
- Filesize: 3.5MB (listed three times with identical hashes)
  MD5: 2062e8118cf10d1fba19a80a885c80f0
  SHA1: 7e4a6fee0595832708b9cc9ee9b7d589f9c2bcc8
  SHA256: 316fbec9eca41deef9a63837dfaf4de4369ca507c5b2143cd3a805cb238e5057
  SHA512: 684533abd11842833a0a4bab308c5a06253307dd8f0297211624eb1acd36ade78bf85a19cf2c8f0cc0cf85593732ebd612d6c32ce49eff284ebd6d7e8aa922b2