Analysis
-
max time kernel
122s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
21-05-2024 16:35
General
-
Target
GearUP-2.3.0-win.exe
-
Size
58.1MB
-
MD5
6087e8a5f12e1a6ab612a9f07565ffaf
-
SHA1
e8cea6b3efa2713d0b3c04d1b9c00d5e43b6db89
-
SHA256
5ec01eb4511185582f3d34af1edd093a86d3f920602df198127dc826745bb4ec
-
SHA512
8624d17a90d9e0a0ec29e54a8cd9bcc3f874704b888a55bf25b7167a9b30d6dfe2ebbabcd4551eb0b9ae78de78358082e79bb39a4c2a49d2dc76df3f59585b45
-
SSDEEP
1572864:eEKNLIzoQe7J5zmeCungo+kfhURMcklGtSoC:SK0QgGTF9SF
Malware Config
Signatures
-
Drops file in Drivers directory 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 43 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\GearUP-2.3.0-win.exe"C:\Users\Admin\AppData\Local\Temp\GearUP-2.3.0-win.exe"1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\GearUPBooster\gearup_booster_temp\7za.exe"C:\Program Files (x86)\GearUPBooster\gearup_booster_temp\7za.exe" x "C:\Program Files (x86)\GearUPBooster\gearup_booster_temp\gearup_booster.zip" -o"C:\Program Files (x86)\GearUPBooster\" -aoa2⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c rd /s /q "C:\Program Files (x86)\GearUPBooster\gearup_booster_temp\"2⤵
-
C:\Program Files (x86)\GearUPBooster\launcher.exe"C:\Program Files (x86)\GearUPBooster\launcher.exe" /install_shortcut 1 /install_autorun 12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\GearUPBooster\9151\gearup_booster.exe"C:\Program Files (x86)\GearUPBooster\9151\gearup_booster.exe" /install_shortcut 1 /install_autorun 13⤵
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\GearUPBooster\9151\crashpad_handler.exe"C:\Program Files (x86)\GearUPBooster\9151\crashpad_handler.exe" --no-rate-limit --database=C:\Users\Admin\AppData\Roaming\GearUPBooster\sentry --metrics-dir=C:\Users\Admin\AppData\Roaming\GearUPBooster\sentry --url=https://sentry.guinfra.com:443/api/30/minidump/?sentry_client=sentry.native/0.5.3&sentry_key=e59bef2d0cf245eaa0d97f08c5eab5fe --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\gu_proxy.log --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\gu_tun.log --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\gu_lsp.log --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\gu.log --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\sentry\ccbfbed4-3a11-4f33-0f64-750f9b93c709.run\__sentry-event --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\sentry\ccbfbed4-3a11-4f33-0f64-750f9b93c709.run\__sentry-breadcrumb1 --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\sentry\ccbfbed4-3a11-4f33-0f64-750f9b93c709.run\__sentry-breadcrumb2 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x73f45160,0x73f45174,0x73f451844⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\GearUPBooster\9151\gearup_booster_ball.exeC:\Program Files (x86)\GearUPBooster\9151\gearup_booster_ball.exe /main_form_wnd 721394 /show_flag 0 /pos_x -1 /pos_y -1 /version 9151 /client_id 664ccd745ef20409f025c7fd /gray 04⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\GearUPBooster\cef\3.0.0\gearup_booster_render.exe"C:\Program Files (x86)\GearUPBooster\9151\..\cef\3.0.0\gearup_booster_render.exe" --type=renderer --force-device-scale-factor=1 --no-sandbox --primordial-pipe-token=ECE4C0DC4741526093BFEFE3D529278F --lang=en-US --lang=en --log-file="C:\Program Files (x86)\GearUPBooster\9151\debug.log" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --mojo-application-channel-token=ECE4C0DC4741526093BFEFE3D529278F --channel="2836.0.497745622\584765070" --mojo-platform-channel-handle=2784 /prefetch:14⤵
- Drops file in Program Files directory
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
432KB
MD5a6b18a2772631cdd06f95b19d66d2d4f
SHA1c342250efab725f643e598f49d1710c74f78d022
SHA25676cc277b564e69e35a0d9c440f013a52b5d25f43ba42fd0099d6fc1f05a6ce16
SHA512f98e07c1b92ecfc662021e33486b660942de390b8e947126f304adee911da0574d6cac416748f6f03e6cce981737eb694fb3d2bcd80e1e207eba91a44b5f23e5
-
Filesize
88KB
MD581b11024a8ed0c9adfd5fbf6916b133c
SHA1c87f446d9655ba2f6fddd33014c75dc783941c33
SHA256eb6a3a491efcc911f9dff457d42fed85c4c170139414470ea951b0dafe352829
SHA512e4b1c694cb028fa960d750fa6a202bc3a477673b097b2a9e0991219b9891b5f879aa13aa741f73acd41eb23feee58e3dd6032821a23e9090ecd9cc2c3ec826a1
-
Filesize
24KB
MD532d7b95b1bce23db9fbd0578053ba87f
SHA17e14a34ac667a087f66d576c65cd6fe6c1dfdd34
SHA256104a76b41cbd9a945dba43a6ffa8c6de99db2105d4ce93a717729a9bd020f728
SHA5127dad74a0e3820a8237bab48f4962fe43e5b60b00f003a5de563b4cf61ee206353c9689a639566dc009f41585b54b915ff04f014230f0f38416020e08c8a44cb4
-
Filesize
37KB
MD55ac815ad2f4386140fe4c7eef3b06233
SHA16dd0e26f3c447602109253a7eaad59064c4162ca
SHA25608d86eae497df069ef9e6525e9513a019ff7a9971780c1987fde858d51f4ed66
SHA51298cf60aceabadc078e00ad1e274028714f7bbf3c86f0522ab423d50231156a2513e8cc1946b242c64af7287648e6d4ba5e630824b4d83134c471689db42fbbf5
-
Filesize
710KB
MD5a7082e2b178cabfc67ae3a0d4bb0186c
SHA1f92bad91cf85aa48a6d19c3f340533b8346ff841
SHA256253a4199122a49a25b6bd297cfb6f61c81502403b530a5486aab162a47571be3
SHA512f8eb758927217fc5ea30b7a22f1ab26b72337445c53d4c116fa7915fe22c65acd680bf9719158c412eadfd009973844b01c0d2f6f1bcdb6bcd52dfbc0cbecb41
-
Filesize
12.1MB
MD5b1d67fe7075fb592cd0ffcf8236727a5
SHA13d28fb794e5b3bf1c94685fd5c885b5744d46787
SHA2569ab05713a376b6697e497731d342a72a4255a70b311af983f6f8c2abff9aa10d
SHA512eeccd87be46f6f4e70951182496409d1e2fc2a67d6244b505b9aaf5c8fdbf42ae8fbe757d2d23a9231b22e33e9e1600d16657de9a5198c27554e54eea83324f5
-
Filesize
879KB
MD53e0303f978818e5c944f5485792696fd
SHA13b6e3ea9f5a6bbdeda20d68b84e4b51dc48deb1d
SHA2567041885b2a8300bf12a46510228ce8d103d74e83b1baf696b84ff3e5ab785dd1
SHA512c2874029bd269e6b9f7000c48d0710c52664c44e91c3086df366c3456b8bce0ed4d7e5bcfe4bdd3d03b11b8245c65f4b848b6dc58e6ea7b1de9b3ca2fb3348bc
-
Filesize
1.1MB
MD51b9328e4d104c83c29d3c8431f78e82e
SHA1dbe2c770566fff51a818a4344d382c1fbbf0b7fe
SHA256fe12fb6810a55a782907d1210adfb616de86b901f2a6e55d2a5ee0c001a16a60
SHA512188bab4fdad861ce0d470ae1ac9bfa4f60a856981372196d084cd858c857afce6b48240d26f384a01f3f6f63300a8f786052b3f39a2705e475b1dff9ea0ada0c
-
Filesize
1009KB
MD5561e2e81dc8a2abc5c648cdf5b407099
SHA11ac32fc3858032aa6d3c37b4ef8f2b92fe585e2d
SHA256271dae8bcb2d3f40ab65c3feeed49b9ae2cdd91bfe16230971289e28570c9a7f
SHA5122601e48ad443b98f8b207265eb8e46e6889c4d656e0f677b4f4d7cbc4fc1b1b031189e382f4d118eef6f4b54cb2d16a8179d2184cd8580d8b928b847a46315a8
-
Filesize
1KB
MD594cdf8c4600fea06aa36d545e536192a
SHA1b44bd59df90f94f079defd65b9ed625809e72784
SHA25634365b7daed41dddc8e0aaf71ba1114a2cb8ba31f01c2424a297899cda06c56b
SHA512e8d4aed167012f07e459d65a7b345649a323c376dd955eeddc69bc4d6783923b07c3c18a354e6993afb7c5e49bf68a40239eb099388b2d05b8c96555a013fccd
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize
18KB
MD5f6d1216e974fb76585fd350ebdc30648
SHA1f8f73aa038e49d9fcf3bd05a30dc2e8cbbe54a7c
SHA256348b70e57ae0329ac40ac3d866b8e896b0b8fef7e8809a09566f33af55d33271
SHA512756ee21ba895179a5b6836b75aeefb75389b0fe4ae2aaff9ed84f33075094663117133c810ab2e697ec04eaffd54ff03efa3b9344e467a847acea9f732935843
-
Filesize
18KB
MD5bfb08fb09e8d68673f2f0213c59e2b97
SHA1e1e5ff4e7dd1c902afbe195d3e9fd2a7d4a539f2
SHA2566d5881719e9599bf10a4193c8e2ded2a38c10de0ba8904f48c67f2da6e84ed3e
SHA512e4f33306f3d06ea5c8e539ebdb6926d5f818234f481ff4605a9d5698ae8f2afdf79f194acd0e55ac963383b78bb4c9311ee97f3a188e12fbf2ee13b35d409900
-
Filesize
20KB
MD53b9d034ca8a0345bc8f248927a86bf22
SHA195faf5007daf8ba712a5d17f865f0e7938da662b
SHA256a7ac7ece5e626c0b4e32c13299e9a44c8c380c8981ce4965cbe4c83759d2f52d
SHA51204f0830878e0166ffd1220536592d0d7ec8aacd3f04340a8d91df24d728f34fbbd559432e5c35f256d231afe0ae926139d7503107cea09bfd720ad65e19d1cdc
-
Filesize
18KB
MD5c2ead5fcce95a04d31810768a3d44d57
SHA196e791b4d217b3612b0263e8df2f00009d5af8d8
SHA25642a9a3d8a4a7c82cb6ec42c62d3a522daa95beb01ecb776aac2bfd4aa1e58d62
SHA512c90048481d8f0a5eda2eb6e7703b5a064f481bb7d8c78970408b374cb82e89febc2e36633f1f3e28323fb633d6a95aa1050a626cb0cb5ec62e9010491aae91f4
-
Filesize
18KB
MD5f6b4d8d403d22eb87a60bf6e4a3e7041
SHA1b51a63f258b57527549d5331c405eacc77969433
SHA25625687e95b65d0521f8c737df301bf90db8940e1c0758bb6ea5c217cf7d2f2270
SHA5121acd8f7bc5d3ae1db46824b3a5548b33e56c9bac81dcd2e7d90fdbd1d3dd76f93cdf4d52a5f316728f92e623f73bc2ccd0bc505a259dff20c1a5a2eb2f12e41b
-
Filesize
18KB
MD5a20084f41b3f1c549d6625c790b72268
SHA1e3669b8d89402a047bfbf9775d18438b0d95437e
SHA2560fa42237fd1140fd125c6edb728d4c70ad0276c72fa96c2faabf7f429fa7e8f1
SHA512ddf294a47dd80b3abfb3a0d82bc5f2b510d3734439f5a25da609edbbd9241ed78045114d011925d61c3d80b1ccd0283471b1dad4cf16e2194e9bc22e8abf278f
-
Filesize
19KB
MD539d81596a7308e978d67ad6fdccdd331
SHA1a0b2d43dd1c27d8244d11495e16d9f4f889e34c4
SHA2563d109fd01f6684414d8a1d0d2f5e6c5b4e24de952a0695884744a6cbd44a8ec7
SHA5120ef6578de4e6ba55eda64691892d114e154d288c419d05d6cff0ef4240118c20a4ce7f4174eec1a33397c6cd0135d13798dc91cc97416351775f9abf60fcae76
-
Filesize
22KB
MD5ae3fa6bf777b0429b825fb6b028f8a48
SHA1b53dbfdb7c8deaa9a05381f5ac2e596830039838
SHA25666b86ed0867fe22e80b9b737f3ee428be71f5e98d36f774abbf92e3aaca71bfb
SHA5121339e7ce01916573e7fdd71e331eeee5e27b1ddd968cadfa6cbc73d58070b9c9f8d9515384af004e5e015bd743c7a629eb0c62a6c0fa420d75b069096c5d1ece
-
Filesize
24KB
MD55e72659b38a2977984bbc23ed274f007
SHA1ea622d608cc942bdb0fad118c8060b60b2e985c9
SHA25644a4db6080f6bdae6151f60ae5dc420faa3be50902e88f8f14ad457dec3fe4ea
SHA512ed3cb656a5f5aee2cc04dd1f25b1390d52f3e85f0c7742ed0d473a117d2ac49e225a0cb324c31747d221617abcd6a9200c16dd840284bb29155726a3aa749bb1
-
Filesize
7.6MB
MD58d7f18343f185b4146af6396e424a249
SHA19e3c963d321cff2f65d3ffcacdce36d7c5ebcfb4
SHA25632fb170dd4d1683b30ca2f1cd5c35be3cd576542cc29c1b989c8d886e9b831e4
SHA512b257b21e0cc584aebff3bb327e0d8a6ad36865e7ff883b2cb893f5504c3fb1f1c59aa81d0496748a7dc5fe14c2c8f37cc794cb6b737ee61ba8e98f9f1d612f58
-
Filesize
1.4MB
MD58dd4e1a559bad1de26925f39cd7e8e67
SHA1d4746f499c69cd91200bbbd0c8d5bbf9b782259a
SHA256b53b2b921e900e5ac5f3c9a6f58dbef252f2fafc0b7ecf56f3d859fdb2f26483
SHA5125c66489587de433f8217b8ed58a5dca8907cac31d3cb58f527e69a1c9797cef8712269639231b56c6ecf963c18514901bdd3fa45e0a94e53076f83ddb424ccaa
-
Filesize
33KB
MD5a4055204b9211f1dad069c24982eb457
SHA14a84d314b44fe696ccb61c07eb610d4dba7e3c6b
SHA2566bc2331433f7102c5df5fb62080f8b245a96792d4c0bd201740a6cd25fb17145
SHA51235fac723830e3102aabe995fbb9503b5c3670d3c1aa84d8ed3c4739b3c4f482acb142a97ab07aef97216756f2dbfaa31381ad675a41777c248a4b2ffdb08eaa0
-
Filesize
426KB
MD5bf9002bf5c878cdca749025a5f875d6b
SHA1e916d3121706dbd1ada335b414e4601373b86ef8
SHA2564d9af7c5442387ed91671d2f0360eb6cba3baa3c706b8f6b898d3018b8c7fb05
SHA51234873e1bd9c077046469db3a2176581aea162933c39c51f1ded462030fb2238a93b3d7e20ff14a497be42e019f2f23add141d98b662b395618bf69ed74a90a20
-
Filesize
2.1MB
MD514946a604db272db7834997c83ea1cef
SHA1fe468e14e2a6ecac13f87818899642d03b8f9bb9
SHA256965799236864dd98c6f33e9b7b9eac5178c5ada62b2f59d6497197c059010326
SHA5125d4c39d48190a7a3cb558e60fe1202740869817f6a4e2585e8c2554a187d2e77fd049ef2e26089ecdb45f6f91df514acc0b42deb9073f7bc60daf06bdc81867d
-
Filesize
2.2MB
MD5773dfc8417e8739748f9128d8c0dbaa6
SHA1b6b488b3c352cac9f37988c1045d019716837b7d
SHA25695c1763f76cd02e37dc8c41ce663728c651eee7e250df8234077b596ac481ea9
SHA512b21f796cd4f01e64c626172e1e5b5813cf83662846db25eec290abf30246edb5a33532d9daf635d56fe95ccb96653f52b6749e93c8bf55b4511d1221b2b346de
-
Filesize
589KB
MD5c6d72642721e84d227defc3ec4ab12e6
SHA13709a7c3cc795a0012adc6ccaf82a93628703518
SHA2560cc0de83b51dae55a4fcae559defc87bea8448010d064c316abcfe9459ece035
SHA512fa2c8b9fa34b190be45fc363f4760603cb6a389bc01fd617a1861ac709eef5e5dd42ea3d5524a1660ea8202dc17687265cd9bb87f5b4c9a9cf714744a8489389
-
Filesize
921KB
MD5d51e6dc64aef429325232e11ef69561d
SHA1b3670e5cd5a13662dc91b912d1122c9095a7e468
SHA256e50a1a27b2afa39049062a5f509c57617f03cf40ec07e31916b903806e3fd1a1
SHA51289e03048248403073b4e31f79127903160ad3171828445d996e87de584d94081dac2ead90e39feaf3c75b6ed1e4ab0ddfc6d535aef9fdc5677cc7a1ea7de6344
-
Filesize
4KB