Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
03/07/2024, 07:31
General
-
Target
GearUP-2.4.3-win.exe
-
Size
57.3MB
-
MD5
2076c784654c2b22c3d9355fc3697811
-
SHA1
10924c99acb8f1e82836d1598ff93db9c8fe3925
-
SHA256
a904b59f6b25093132b1b38979ac696d5c488230da1ee7155fb763e592a06df7
-
SHA512
e6cc266c808f507f584fd8ca2ce0a9656611152e266456c6a3c93c74fd06d23070e6ab13587e0944353b40a85cf6d8e0f6810d647e19d4c3245a9b76be713cc0
-
SSDEEP
1572864:fEwNwV4ly4q9tYAUGvki1JrIiYgxVEGpQXK5kX8xpLIl:hCptYAGimgxGupA
Malware Config
Signatures
-
Drops file in Drivers directory 2 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 43 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\GearUP-2.4.3-win.exe"C:\Users\Admin\AppData\Local\Temp\GearUP-2.4.3-win.exe"1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\GearUPBooster\gearup_booster_temp\7za.exe"C:\Program Files (x86)\GearUPBooster\gearup_booster_temp\7za.exe" x "C:\Program Files (x86)\GearUPBooster\gearup_booster_temp\gearup_booster.zip" -o"C:\Program Files (x86)\GearUPBooster\" -aoa2⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c rd /s /q "C:\Program Files (x86)\GearUPBooster\gearup_booster_temp\"2⤵
-
-
C:\Program Files (x86)\GearUPBooster\launcher.exe"C:\Program Files (x86)\GearUPBooster\launcher.exe" /install_shortcut 1 /install_autorun 02⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\GearUPBooster\9155\gearup_booster.exe"C:\Program Files (x86)\GearUPBooster\9155\gearup_booster.exe" /install_shortcut 1 /install_autorun 03⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\GearUPBooster\9155\crashpad_handler.exe"C:\Program Files (x86)\GearUPBooster\9155\crashpad_handler.exe" --no-rate-limit --database=C:\Users\Admin\AppData\Roaming\GearUPBooster\sentry --metrics-dir=C:\Users\Admin\AppData\Roaming\GearUPBooster\sentry --url=https://sentry.guinfra.com:443/api/30/minidump/?sentry_client=sentry.native/0.5.3&sentry_key=e59bef2d0cf245eaa0d97f08c5eab5fe --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\gu_proxy.log --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\gu_tun.log --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\gu_lsp.log --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\gu.log --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\sentry\debdbb70-41f2-4d30-2f50-a6f8f4dde70d.run\__sentry-event --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\sentry\debdbb70-41f2-4d30-2f50-a6f8f4dde70d.run\__sentry-breadcrumb1 --attachment=C:\Users\Admin\AppData\Roaming\GearUPBooster\sentry\debdbb70-41f2-4d30-2f50-a6f8f4dde70d.run\__sentry-breadcrumb2 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0x74355160,0x74355174,0x743551844⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\GearUPBooster\9155\gearup_booster_ball.exeC:\Program Files (x86)\GearUPBooster\9155\gearup_booster_ball.exe /main_form_wnd 721398 /show_flag 0 /pos_x -1 /pos_y -1 /version 9155 /client_id 6684fe868b088a0a583ae0ee /gray 04⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Program Files (x86)\GearUPBooster\cef\3.0.0\gearup_booster_render.exe"C:\Program Files (x86)\GearUPBooster\9155\..\cef\3.0.0\gearup_booster_render.exe" --type=renderer --force-device-scale-factor=1 --no-sandbox --primordial-pipe-token=68EF716B51659C3A5B9DAC1B72A4D1B6 --lang=en-US --lang=en --log-file="C:\Program Files (x86)\GearUPBooster\9155\debug.log" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --mojo-application-channel-token=68EF716B51659C3A5B9DAC1B72A4D1B6 --channel="320.0.1520812410\1861637243" --mojo-platform-channel-handle=2752 /prefetch:14⤵
- Executes dropped EXE
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
432KB
MD5a6b18a2772631cdd06f95b19d66d2d4f
SHA1c342250efab725f643e598f49d1710c74f78d022
SHA25676cc277b564e69e35a0d9c440f013a52b5d25f43ba42fd0099d6fc1f05a6ce16
SHA512f98e07c1b92ecfc662021e33486b660942de390b8e947126f304adee911da0574d6cac416748f6f03e6cce981737eb694fb3d2bcd80e1e207eba91a44b5f23e5
-
Filesize
88KB
MD581b11024a8ed0c9adfd5fbf6916b133c
SHA1c87f446d9655ba2f6fddd33014c75dc783941c33
SHA256eb6a3a491efcc911f9dff457d42fed85c4c170139414470ea951b0dafe352829
SHA512e4b1c694cb028fa960d750fa6a202bc3a477673b097b2a9e0991219b9891b5f879aa13aa741f73acd41eb23feee58e3dd6032821a23e9090ecd9cc2c3ec826a1
-
Filesize
24KB
MD532d7b95b1bce23db9fbd0578053ba87f
SHA17e14a34ac667a087f66d576c65cd6fe6c1dfdd34
SHA256104a76b41cbd9a945dba43a6ffa8c6de99db2105d4ce93a717729a9bd020f728
SHA5127dad74a0e3820a8237bab48f4962fe43e5b60b00f003a5de563b4cf61ee206353c9689a639566dc009f41585b54b915ff04f014230f0f38416020e08c8a44cb4
-
Filesize
37KB
MD55ac815ad2f4386140fe4c7eef3b06233
SHA16dd0e26f3c447602109253a7eaad59064c4162ca
SHA25608d86eae497df069ef9e6525e9513a019ff7a9971780c1987fde858d51f4ed66
SHA51298cf60aceabadc078e00ad1e274028714f7bbf3c86f0522ab423d50231156a2513e8cc1946b242c64af7287648e6d4ba5e630824b4d83134c471689db42fbbf5
-
Filesize
737KB
MD5f6d2eb976262c38807a6360400cc7426
SHA1c2c74cc82d3910942902d6a3c34b049ff1dac8f4
SHA25664694d15976d2725fffe371f10c5c9203963da1d6784f7fc2873a89c4171e80d
SHA5120a233d2f87507760d3a61f3b1acd626eff89a961a37802fcd1608e5079def33bcd47c61c6c2a6e58d8b17d98eee71263ff0076591c251d5b3374dd69383a17d2
-
Filesize
426KB
MD5bf9002bf5c878cdca749025a5f875d6b
SHA1e916d3121706dbd1ada335b414e4601373b86ef8
SHA2564d9af7c5442387ed91671d2f0360eb6cba3baa3c706b8f6b898d3018b8c7fb05
SHA51234873e1bd9c077046469db3a2176581aea162933c39c51f1ded462030fb2238a93b3d7e20ff14a497be42e019f2f23add141d98b662b395618bf69ed74a90a20
-
Filesize
12.1MB
MD5eeab6bf7b91f63905b4403415af6415b
SHA14c6fa62c41ef9441cae4d9aa37b9735474e7ba1b
SHA256f8183accf12862f017180459a1a72cc3d530e7593c71f109cb814ace51462a75
SHA5126236e0534ffc5004e4caf351db3242ebfa93d4ab46d583b893b75998f418b9ab7a75d049b6e037b9602ddcf791e432b107e64208443e7087eb83fce54b22d42d
-
Filesize
879KB
MD53e0303f978818e5c944f5485792696fd
SHA13b6e3ea9f5a6bbdeda20d68b84e4b51dc48deb1d
SHA2567041885b2a8300bf12a46510228ce8d103d74e83b1baf696b84ff3e5ab785dd1
SHA512c2874029bd269e6b9f7000c48d0710c52664c44e91c3086df366c3456b8bce0ed4d7e5bcfe4bdd3d03b11b8245c65f4b848b6dc58e6ea7b1de9b3ca2fb3348bc
-
Filesize
1.1MB
MD58256d3f4b3fd1eecac8ebd4966bc1d09
SHA1846197d00035e873c5a10e52e8ce99bfb10a1eb8
SHA256ff1cfc47aa9fd35610bde13e00cc71e5b16db15b5ba0e3428b19036020945e70
SHA512f554b7003ba7f3c910e863df197dbbcca664a1946852e4f16571558866207b90989d24da1211428daf7407b4c129e579181106cdbc77d91af91f822b1f9249f1
-
Filesize
2.1MB
MD500135bef1ab04611975e87cf59c9b866
SHA14ced109784ac42df55452ebeb92dc377ed46239c
SHA2569e7535baaa9e53830eac7eaa37e54ebd1511797978c5c6fca61d6fb805a4e761
SHA5123d0d8d28eb0f574d6892a7b9b2b0e9a0e4ce1943ffefd1267cb471a17d9cc2e41f1e941bfee89be36b13f90c10fb2d2bc5a84b7ab6a3a5d5c2b6c2e14910c5e0
-
Filesize
2.2MB
MD5d53a5d4026a225ef30fda64ab61da9d4
SHA137557cb623b046a36e20001048ac49e9b3ec3ac5
SHA256eb51d2eee7bcc6839c52504205eeaeb9dab1eac318e725586ae824d14c899a5a
SHA512ac37d3e80bc865cee829c6ad31bdc946ed6f000a08041a1bcf86a66fb3c83bf03696e68c511d1ea71d4f03a72554c992123feeb3682d7f9d5899f430431fb704
-
Filesize
1009KB
MD5561e2e81dc8a2abc5c648cdf5b407099
SHA11ac32fc3858032aa6d3c37b4ef8f2b92fe585e2d
SHA256271dae8bcb2d3f40ab65c3feeed49b9ae2cdd91bfe16230971289e28570c9a7f
SHA5122601e48ad443b98f8b207265eb8e46e6889c4d656e0f677b4f4d7cbc4fc1b1b031189e382f4d118eef6f4b54cb2d16a8179d2184cd8580d8b928b847a46315a8
-
Filesize
1KB
MD54fc7c461a635359155b9078aa107e7a7
SHA1233951c92c4b68a14785eb63ca269422fe7d3d33
SHA25697c1d6abc8aa032938a6a875cca88b7de1803e7485b2c743a7e9f75ed2a5ae82
SHA512b48ca40728858671c103df71bd5f388cee54ac9387edfded34b2fc15a9996eb9c302859e7ff8e1b72baa63023487d654d632e2f20bb032acb1635c00ae21d113
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
18KB
MD5f6d1216e974fb76585fd350ebdc30648
SHA1f8f73aa038e49d9fcf3bd05a30dc2e8cbbe54a7c
SHA256348b70e57ae0329ac40ac3d866b8e896b0b8fef7e8809a09566f33af55d33271
SHA512756ee21ba895179a5b6836b75aeefb75389b0fe4ae2aaff9ed84f33075094663117133c810ab2e697ec04eaffd54ff03efa3b9344e467a847acea9f732935843
-
Filesize
18KB
MD5bfb08fb09e8d68673f2f0213c59e2b97
SHA1e1e5ff4e7dd1c902afbe195d3e9fd2a7d4a539f2
SHA2566d5881719e9599bf10a4193c8e2ded2a38c10de0ba8904f48c67f2da6e84ed3e
SHA512e4f33306f3d06ea5c8e539ebdb6926d5f818234f481ff4605a9d5698ae8f2afdf79f194acd0e55ac963383b78bb4c9311ee97f3a188e12fbf2ee13b35d409900
-
Filesize
20KB
MD53b9d034ca8a0345bc8f248927a86bf22
SHA195faf5007daf8ba712a5d17f865f0e7938da662b
SHA256a7ac7ece5e626c0b4e32c13299e9a44c8c380c8981ce4965cbe4c83759d2f52d
SHA51204f0830878e0166ffd1220536592d0d7ec8aacd3f04340a8d91df24d728f34fbbd559432e5c35f256d231afe0ae926139d7503107cea09bfd720ad65e19d1cdc
-
Filesize
18KB
MD5c2ead5fcce95a04d31810768a3d44d57
SHA196e791b4d217b3612b0263e8df2f00009d5af8d8
SHA25642a9a3d8a4a7c82cb6ec42c62d3a522daa95beb01ecb776aac2bfd4aa1e58d62
SHA512c90048481d8f0a5eda2eb6e7703b5a064f481bb7d8c78970408b374cb82e89febc2e36633f1f3e28323fb633d6a95aa1050a626cb0cb5ec62e9010491aae91f4
-
Filesize
18KB
MD5f6b4d8d403d22eb87a60bf6e4a3e7041
SHA1b51a63f258b57527549d5331c405eacc77969433
SHA25625687e95b65d0521f8c737df301bf90db8940e1c0758bb6ea5c217cf7d2f2270
SHA5121acd8f7bc5d3ae1db46824b3a5548b33e56c9bac81dcd2e7d90fdbd1d3dd76f93cdf4d52a5f316728f92e623f73bc2ccd0bc505a259dff20c1a5a2eb2f12e41b
-
Filesize
18KB
MD5a20084f41b3f1c549d6625c790b72268
SHA1e3669b8d89402a047bfbf9775d18438b0d95437e
SHA2560fa42237fd1140fd125c6edb728d4c70ad0276c72fa96c2faabf7f429fa7e8f1
SHA512ddf294a47dd80b3abfb3a0d82bc5f2b510d3734439f5a25da609edbbd9241ed78045114d011925d61c3d80b1ccd0283471b1dad4cf16e2194e9bc22e8abf278f
-
Filesize
19KB
MD539d81596a7308e978d67ad6fdccdd331
SHA1a0b2d43dd1c27d8244d11495e16d9f4f889e34c4
SHA2563d109fd01f6684414d8a1d0d2f5e6c5b4e24de952a0695884744a6cbd44a8ec7
SHA5120ef6578de4e6ba55eda64691892d114e154d288c419d05d6cff0ef4240118c20a4ce7f4174eec1a33397c6cd0135d13798dc91cc97416351775f9abf60fcae76
-
Filesize
22KB
MD5ae3fa6bf777b0429b825fb6b028f8a48
SHA1b53dbfdb7c8deaa9a05381f5ac2e596830039838
SHA25666b86ed0867fe22e80b9b737f3ee428be71f5e98d36f774abbf92e3aaca71bfb
SHA5121339e7ce01916573e7fdd71e331eeee5e27b1ddd968cadfa6cbc73d58070b9c9f8d9515384af004e5e015bd743c7a629eb0c62a6c0fa420d75b069096c5d1ece
-
Filesize
24KB
MD55e72659b38a2977984bbc23ed274f007
SHA1ea622d608cc942bdb0fad118c8060b60b2e985c9
SHA25644a4db6080f6bdae6151f60ae5dc420faa3be50902e88f8f14ad457dec3fe4ea
SHA512ed3cb656a5f5aee2cc04dd1f25b1390d52f3e85f0c7742ed0d473a117d2ac49e225a0cb324c31747d221617abcd6a9200c16dd840284bb29155726a3aa749bb1
-
Filesize
7.7MB
MD565b9b5f31e8219bbd995417fe3c4b415
SHA19ea7a4babab60964aba8816afad647670389513f
SHA25605a21a10bbb7b46ae2a3e296501de6347ddc9d204ea9afb2056ecd13ced002dc
SHA51231d58e7de70e5df28a67a518d10995ad6590d91f57be6aee03f2c7a93bf71f4bb6d5822e1e7d43f8c860d71cfa5a8e237c8dda0fde8e6d20751e80365b66501a
-
Filesize
1.4MB
MD568d00dfd9a92e1031115d3132f529d71
SHA12b02cd13314f42b105d7fa1d2cf45ebbc1c6c756
SHA2561a2bee6f9ff35f69a9c0c503c3449fc6beb258b0c7f69a3634419139ac876b79
SHA51249676ddccdc364e752e7783d07ac70b262a45cfd2290876c26b2643efe05546bc6d9909bdeaa1c15353891f1a0a543bf1630b1990e02fcee8827842197dcc112
-
Filesize
33KB
MD59a4e4b68a7d9a48781996212828dbd5c
SHA1cb64a4e2680226455caf50505b9db397df22f2e6
SHA256435b04e9f1692558a52e906605c12d00fd65199b2ddc36e853645e61174e6c20
SHA512b58a078f713c99b9f47d28e40cf051f85bf70f20348e8a6fdd4e330fa92a51fd3241807eab07ad5f74cfcd23276f531d6b15688b5bc463806a70f230fb47c67b
-
Filesize
589KB
MD5c6d72642721e84d227defc3ec4ab12e6
SHA13709a7c3cc795a0012adc6ccaf82a93628703518
SHA2560cc0de83b51dae55a4fcae559defc87bea8448010d064c316abcfe9459ece035
SHA512fa2c8b9fa34b190be45fc363f4760603cb6a389bc01fd617a1861ac709eef5e5dd42ea3d5524a1660ea8202dc17687265cd9bb87f5b4c9a9cf714744a8489389
-
Filesize
921KB
MD5ffda1f7fbe1d583392297d76c5676b48
SHA1e37229940a14f16c0d7988a01660b86d34ddd5bf
SHA25677fadce88805497a5fb83fe29c9c4a46b5160acd2d09bc90133314529f365868
SHA5124edcf775e4cc1e53fca84b0ad68e9e826b0b379f0675390671c87433d9db2ac1e5fc8a1a330bd2d4300c6cdff3990f051e586d32d155930deb2cb23292a345f9
-
Filesize
4KB