Analysis
- max time kernel: 18s
- max time network: 18s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 20/01/2024, 18:29
Behavioral task: behavioral1
- Sample: podgruz111.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: podgruz111.exe
- Resource: win10v2004-20231215-en
General
- Target: podgruz111.exe
- Size: 93KB
- MD5: 58d571e60b937b83d350e738104c24e3
- SHA1: 6b07793dfb33618262e6f8dfe451fb34af3c5d7b
- SHA256: dad10857dd0ac5947afa9cd37ced64cc597b8361f176d4ca52e721cad6efa857
- SHA512: af6e6bf5ea4363af0a0541685bbbff6cb4a60d93bccf8dd6b77c3e4125a44fc9fd71a5020433bbdfb34aea171f75ee9cd1c1235fdf02a5fd5dd065ce9b53f3db
- SSDEEP: 1536:W+EC+xhUa9urgOB9mNvM4jEwzGi1dDWDLgS:W+aUa9urgOidGi1dwE
Malware Config
Signatures
- Disables Task Manager via registry modification
- Modifies Windows Firewall (1 TTPs, 3 IoCs)
  - pid 2420, Process netsh.exe
  - pid 2892, Process netsh.exe
  - pid 2932, Process netsh.exe
- Drops startup file (2 IoCs)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.exe (Process: podgruz111.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.exe (Process: podgruz111.exe)
- Drops autorun.inf file (1 TTPs, 4 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  - File opened for modification: C:\autorun.inf (Process: podgruz111.exe)
  - File created: F:\autorun.inf (Process: podgruz111.exe)
  - File opened for modification: F:\autorun.inf (Process: podgruz111.exe)
  - File created: C:\autorun.inf (Process: podgruz111.exe)
- Drops file in System32 directory (1 IoCs)
  - File created: C:\Windows\SysWOW64\Explorer.exe (Process: podgruz111.exe)
- Drops file in Program Files directory (2 IoCs)
  - File created: C:\Program Files (x86)\Explorer.exe (Process: podgruz111.exe)
  - File opened for modification: C:\Program Files (x86)\Explorer.exe (Process: podgruz111.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - pid 1944, Process podgruz111.exe (64 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  - pid 1944, Process podgruz111.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  - Token: SeDebugPrivilege, pid 1944, Process podgruz111.exe
  - Token: 33, pid 1944, Process podgruz111.exe
  - Token: SeIncBasePriorityPrivilege, pid 1944, Process podgruz111.exe
  - Token: 33, pid 1944, Process podgruz111.exe
  - Token: SeIncBasePriorityPrivilege, pid 1944, Process podgruz111.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  - PID 1944 (podgruz111.exe) wrote to memory of 2420, procid_target 28 (4 entries)
  - PID 1944 (podgruz111.exe) wrote to memory of 2892, procid_target 30 (4 entries)
  - PID 1944 (podgruz111.exe) wrote to memory of 2932, procid_target 31 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\podgruz111.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\podgruz111.exe"
  PID: 1944
  - Drops startup file
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\podgruz111.exe" "podgruz111.exe" ENABLE
    PID: 2420
    - Modifies Windows Firewall
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\podgruz111.exe"
    PID: 2892
    - Modifies Windows Firewall
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\podgruz111.exe" "podgruz111.exe" ENABLE
    PID: 2932
    - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 93KB
  MD5: 58d571e60b937b83d350e738104c24e3
  SHA1: 6b07793dfb33618262e6f8dfe451fb34af3c5d7b
  SHA256: dad10857dd0ac5947afa9cd37ced64cc597b8361f176d4ca52e721cad6efa857
  SHA512: af6e6bf5ea4363af0a0541685bbbff6cb4a60d93bccf8dd6b77c3e4125a44fc9fd71a5020433bbdfb34aea171f75ee9cd1c1235fdf02a5fd5dd065ce9b53f3db