Analysis

  • max time kernel
    15s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/01/2023, 15:12

General

  • Target
    geek.exe
  • Size
    6.3MB
  • MD5
    234f314f904536e9ea73f52e1f0ffa13
  • SHA1
    430d72aad2930ef28d9270db87bb14260d3e613f
  • SHA256
    7142ba9a0a96e7184d8da2d5514d4416191494cc709f424f924ceb26332171ec
  • SHA512
    24c1e1b85486b49263ef4fdfc34f68f3b0f78f83da77e9a8fc0f8f27b51beaf25d70c64fd07c10e35a2593d359c742759a63c0ff985eea630c0588af96af49f0
  • SSDEEP
    98304:3qJbc5xtz+kl/m5lifMc/PKkuExnaZ/l+7Y1rtJKCg85:6Jk+y/mnifVKkbaZ/l+7Y1rtECg85

Signatures

  • Executes dropped EXE 3 IoCs
  • Registers COM server for autorun 1 TTPs 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\geek.exe
    "C:\Users\Admin\AppData\Local\Temp\geek.exe"
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:616
    • C:\Users\Admin\AppData\Local\Temp\geek64.exe
      C:\Users\Admin\AppData\Local\Temp\geek64.exe
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1224
      • C:\Program Files\7-Zip\Uninstall.exe
        "C:\Program Files\7-Zip\Uninstall.exe"
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:876
        • C:\Users\Admin\AppData\Local\Temp\7zC205636C\Uninst.exe
          C:\Users\Admin\AppData\Local\Temp\7zC205636C\Uninst.exe /N /D="C:\Program Files\7-Zip\"
          • Executes dropped EXE
          • Registers COM server for autorun
          • Modifies registry class
          PID:1048

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zC205636C\Uninst.exe
    Filesize: 15KB
    MD5: b0cec9f342bf95700b602ee376446577
    SHA1: b955b1b64280bb0ea873538029cf5ea44081501b
    SHA256: 24a2472e3bd5016cb22ce14cefee112d5bc18354bf099e8e66ad9846aea15088
    SHA512: 05ebecfc8d3e2e7885d3cacc65bfd97db710c2cbc0fb76b19b7d6cc82b327b25df953a20affc8d84002167dd8ac7710622279d3579c6605e742a98fe7095aa4e

  • C:\Users\Admin\AppData\Local\Temp\geek64.exe
    Filesize: 3.5MB
    MD5: 2062e8118cf10d1fba19a80a885c80f0
    SHA1: 7e4a6fee0595832708b9cc9ee9b7d589f9c2bcc8
    SHA256: 316fbec9eca41deef9a63837dfaf4de4369ca507c5b2143cd3a805cb238e5057
    SHA512: 684533abd11842833a0a4bab308c5a06253307dd8f0297211624eb1acd36ade78bf85a19cf2c8f0cc0cf85593732ebd612d6c32ce49eff284ebd6d7e8aa922b2

  • memory/616-54-0x0000000075931000-0x0000000075933000-memory.dmp
    Filesize: 8KB

  • memory/1224-58-0x000007FEFC091000-0x000007FEFC093000-memory.dmp
    Filesize: 8KB