Analysis
max time kernel: 91s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/01/2024, 18:29
Behavioral task behavioral1
Sample: podgruz111.exe
Resource: win7-20231215-en
Behavioral task behavioral2
Sample: podgruz111.exe
Resource: win10v2004-20231215-en
General
Target: podgruz111.exe
Size: 93KB
MD5: 58d571e60b937b83d350e738104c24e3
SHA1: 6b07793dfb33618262e6f8dfe451fb34af3c5d7b
SHA256: dad10857dd0ac5947afa9cd37ced64cc597b8361f176d4ca52e721cad6efa857
SHA512: af6e6bf5ea4363af0a0541685bbbff6cb4a60d93bccf8dd6b77c3e4125a44fc9fd71a5020433bbdfb34aea171f75ee9cd1c1235fdf02a5fd5dd065ce9b53f3db
SSDEEP: 1536:W+EC+xhUa9urgOB9mNvM4jEwzGi1dDWDLgS:W+aUa9urgOidGi1dwE
Malware Config
Signatures
- Disables Task Manager via registry modification
- Modifies Windows Firewall (1 TTPs, 3 IoCs)
  pid 2376, Process netsh.exe
  pid 2712, Process netsh.exe
  pid 3732, Process netsh.exe
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.exe (Process podgruz111.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.exe (Process podgruz111.exe)
- Drops autorun.inf file (1 TTPs, 4 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  File created: C:\autorun.inf (Process podgruz111.exe)
  File opened for modification: C:\autorun.inf (Process podgruz111.exe)
  File created: F:\autorun.inf (Process podgruz111.exe)
  File opened for modification: F:\autorun.inf (Process podgruz111.exe)
- Drops file in System32 directory (1 IoCs)
  File created: C:\Windows\SysWOW64\Explorer.exe (Process podgruz111.exe)
- Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\Explorer.exe (Process podgruz111.exe)
  File opened for modification: C:\Program Files (x86)\Explorer.exe (Process podgruz111.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4160, Process podgruz111.exe (64 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid 4160, Process podgruz111.exe
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Token: SeDebugPrivilege, pid 4160, Process podgruz111.exe (1 entry)
  Token: 33, pid 4160, Process podgruz111.exe (11 entries)
  Token: SeIncBasePriorityPrivilege, pid 4160, Process podgruz111.exe (11 entries)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4160 wrote to memory of 2376, pid 4160, Process podgruz111.exe, procid_target 88 (3 entries)
  PID 4160 wrote to memory of 3732, pid 4160, Process podgruz111.exe, procid_target 92 (3 entries)
  PID 4160 wrote to memory of 2712, pid 4160, Process podgruz111.exe, procid_target 91 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\podgruz111.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\podgruz111.exe"
  Signatures:
  - Drops startup file
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4160
  Child process: C:\Windows\SysWOW64\netsh.exe (level 2)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\podgruz111.exe" "podgruz111.exe" ENABLE
    Signatures:
    - Modifies Windows Firewall
    PID: 2376
  Child process: C:\Windows\SysWOW64\netsh.exe (level 2)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\podgruz111.exe" "podgruz111.exe" ENABLE
    Signatures:
    - Modifies Windows Firewall
    PID: 2712
  Child process: C:\Windows\SysWOW64\netsh.exe (level 2)
    Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\podgruz111.exe"
    Signatures:
    - Modifies Windows Firewall
    PID: 3732
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 93KB
  MD5: 58d571e60b937b83d350e738104c24e3
  SHA1: 6b07793dfb33618262e6f8dfe451fb34af3c5d7b
  SHA256: dad10857dd0ac5947afa9cd37ced64cc597b8361f176d4ca52e721cad6efa857
  SHA512: af6e6bf5ea4363af0a0541685bbbff6cb4a60d93bccf8dd6b77c3e4125a44fc9fd71a5020433bbdfb34aea171f75ee9cd1c1235fdf02a5fd5dd065ce9b53f3db