Analysis
max time kernel: 91s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/04/2023, 05:52
Static task: static1
Behavioral task: behavioral1
  Sample: Geometry-Dash-Windows-2-11-en.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Geometry-Dash-Windows-2-11-en.exe
  Resource: win10v2004-20230220-en
General
Target: Geometry-Dash-Windows-2-11-en.exe
Size: 2.2MB
MD5: 70f3bc193dfa56b78f3e6e4f800f701f
SHA1: 1e5598f2de49fed2e81f3dd8630c7346a2b89487
SHA256: 3b616cb0beaacffb53884b5ba0453312d2577db598d2a877a3b251125fb281a1
SHA512: 3ffa815fea2fe37c4fde71f70695697d2b21d6d86a53eea31a1bc1256b5777b44ff400954a0cd0653f1179e4b2e63e24e50b70204d2e9a4b8bf3abf8ede040d1
SSDEEP: 49152:2DcHcEngZtNm1LQRHH4PTwZX6kg9hsf4lcszpyu7d/TC:rngZtNm1G4Pw6dJzZNTC
Malware Config
Signatures
- Loads dropped DLL (3 IoCs)
  pid 2692 Geometry-Dash-Windows-2-11-en.exe (3 occurrences)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid 1356 taskmgr.exe (6 occurrences)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeDebugPrivilege, pid 1356 taskmgr.exe
  Token: SeSystemProfilePrivilege, pid 1356 taskmgr.exe
  Token: SeCreateGlobalPrivilege, pid 1356 taskmgr.exe
  Token: 33, pid 1356 taskmgr.exe
  Token: SeIncBasePriorityPrivilege, pid 1356 taskmgr.exe
- Suspicious use of FindShellTrayWindow (31 IoCs)
  pid 1356 taskmgr.exe (31 occurrences)
- Suspicious use of SendNotifyMessage (31 IoCs)
  pid 1356 taskmgr.exe (31 occurrences)
Processes
- Process: C:\Users\Admin\AppData\Local\Temp\Geometry-Dash-Windows-2-11-en.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Geometry-Dash-Windows-2-11-en.exe"
  PID: 2692
  Signatures: Loads dropped DLL
- Process: C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 1356
  Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 11KB
  MD5: a4dd044bcd94e9b3370ccf095b31f896
  SHA1: 17c78201323ab2095bc53184aa8267c9187d5173
  SHA256: 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
  SHA512: 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a
- Filesize: 150KB
  MD5: 3614a4be6b610f1daf6c801574f161fe
  SHA1: 6edee98c0084a94caa1fe0124b4c19f42b4e7de6
  SHA256: 16e0edc9f47e6e95a9bcad15adbdc46be774fbcd045dd526fc16fc38fdc8d49b
  SHA512: 06e0eff28dfd9a428b31147b242f989ce3e92474a3f391ba62ac8d0d05f1a48f4cf82fd27171658acbd667eaffb94cb4e1baf17040dc3b6e8b27f39b843ca281
- Filesize: 9KB
  MD5: 0d45588070cf728359055f776af16ec4
  SHA1: c4375ceb2883dee74632e81addbfa4e8b0c6d84a
  SHA256: 067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a
  SHA512: 751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415
- Filesize: 9KB
  MD5: 0d45588070cf728359055f776af16ec4
  SHA1: c4375ceb2883dee74632e81addbfa4e8b0c6d84a
  SHA256: 067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a
  SHA512: 751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415
- Filesize: 9KB
  MD5: 0d45588070cf728359055f776af16ec4
  SHA1: c4375ceb2883dee74632e81addbfa4e8b0c6d84a
  SHA256: 067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a
  SHA512: 751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415