Analysis
- max time kernel: 26s
- max time network: 26s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 30/06/2024, 05:09
Static task
- static1
  Signatures: 1
Behavioral task
- behavioral1
  Sample: goose_unpacked.exe
  Resource: win10-20240404-en
  Signatures: 6
  150 seconds
Behavioral task
- behavioral2
  Sample: goose_unpacked.exe
  Resource: win11-20240508-en
  Signatures: 0
  150 seconds
General
- Target: goose_unpacked.exe
- Size: 20.0MB
- MD5: c4e3479a134eb493e18a35ab0c4cc0bb
- SHA1: 58d879537844a846265c45403ed11588ebe7185f
- SHA256: 9a910ca08d5a243656f53918aef66559226dd30f4d358350a855bcb5b2359a34
- SHA512: 759514528d4df6bd657ccd5f225679820f75b71a1ff0299c0e937fe1aa8076d30fbc987ff2a9d724ca840148469e9527958d40807355872a9a75ff779c772814
- SSDEEP: 98304:cTgHOEF105tWzlkKpXkryqVewwZEekUx9SYufBEDzhygfPV:OgTgqkKpMxowwZE4hufCDzlPV
Score: 4/10
Malware Config
Signatures
- Drops file in Windows directory (2 IoCs)
  File created by taskmgr.exe: C:\Windows\rescache\_merged\4183903823\2290032291.pri
  File created by taskmgr.exe: C:\Windows\rescache\_merged\1601268389\715946058.pri
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened by taskmgr.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000
  Key opened by taskmgr.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  Key value queried by taskmgr.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid 2296 taskmgr.exe (12 identical entries)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeDebugPrivilege, pid 2296 taskmgr.exe
  Token: SeSystemProfilePrivilege, pid 2296 taskmgr.exe
  Token: SeCreateGlobalPrivilege, pid 2296 taskmgr.exe
  Token: 33, pid 2296 taskmgr.exe
  Token: SeIncBasePriorityPrivilege, pid 2296 taskmgr.exe
- Suspicious use of FindShellTrayWindow (38 IoCs)
  pid 2296 taskmgr.exe (38 identical entries)
- Suspicious use of SendNotifyMessage (38 IoCs)
  pid 2296 taskmgr.exe (38 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\goose_unpacked.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\goose_unpacked.exe"
  PID: 2896
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 2296
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage