Malware Analysis Report

2024-12-07 03:07

Sample ID 241113-s1qn3avbng
Target geek.zip
SHA256 3706c440557692c612527c0eb437577ef2dae8a1ca947dd2bc259b451e192f42
Tags
discovery spyware stealer
score
4/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
4/10

SHA256

3706c440557692c612527c0eb437577ef2dae8a1ca947dd2bc259b451e192f42

Threat Level: Likely benign

The file geek.zip was found to be: Likely benign.

Malicious Activity Summary

discovery spyware stealer

Checks installed software on the system

Drops file in Windows directory

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 15:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 15:35

Reported

2024-11-13 15:38

Platform

win7-20240708-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\geek.exe"

Signatures

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe C:\Users\Admin\AppData\Local\Temp\geek64.exe N/A
File opened for modification C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\ShellUI.MST C:\Users\Admin\AppData\Local\Temp\geek64.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\geek64.exe N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\geek.exe N/A

Enumerates physical storage devices

Reads user/profile data of web browsers

spyware stealer

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\geek.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\geek.exe

"C:\Users\Admin\AppData\Local\Temp\geek.exe"

C:\Users\Admin\AppData\Local\Temp\geek64.exe

C:\Users\Admin\AppData\Local\Temp\geek64.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 geekuninstaller.com udp
US 173.230.144.164:443 geekuninstaller.com tcp
US 173.230.144.164:443 geekuninstaller.com tcp
US 173.230.144.164:443 geekuninstaller.com tcp
US 173.230.144.164:443 geekuninstaller.com tcp

Files

\Users\Admin\AppData\Local\Temp\geek64.exe

MD5 c84a3c776bf83d55f901288db3b8b8a0
SHA1 515df2a9fb35beef25d070b688d692646f0a1c8f
SHA256 b8d968872fe7ed8de7eeb89ff6e1ce2029521f7c744c088ae2c4807b396d28ae
SHA512 e471e4ffa1511b5239474577eda92ccb98918eb1633284af20ed80a3cd8366dc4b3ecbe2482b9325e6c543b1acf07731973290265b0ac3c94ea6c436b12e9064

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 15:35

Reported

2024-11-13 15:38

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\geek.exe"

Signatures

Checks installed software on the system

discovery

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\geek64.exe N/A

Enumerates physical storage devices

Reads user/profile data of web browsers

spyware stealer

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\geek.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4200 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\geek.exe C:\Users\Admin\AppData\Local\Temp\geek64.exe
PID 4200 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\geek.exe C:\Users\Admin\AppData\Local\Temp\geek64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\geek.exe

"C:\Users\Admin\AppData\Local\Temp\geek.exe"

C:\Users\Admin\AppData\Local\Temp\geek64.exe

C:\Users\Admin\AppData\Local\Temp\geek64.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 geekuninstaller.com udp
US 173.230.144.164:443 geekuninstaller.com tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 164.144.230.173.in-addr.arpa udp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 88.221.135.105:80 r11.o.lencr.org tcp
US 8.8.8.8:53 168.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 105.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\geek64.exe

MD5 c84a3c776bf83d55f901288db3b8b8a0
SHA1 515df2a9fb35beef25d070b688d692646f0a1c8f
SHA256 b8d968872fe7ed8de7eeb89ff6e1ce2029521f7c744c088ae2c4807b396d28ae
SHA512 e471e4ffa1511b5239474577eda92ccb98918eb1633284af20ed80a3cd8366dc4b3ecbe2482b9325e6c543b1acf07731973290265b0ac3c94ea6c436b12e9064