Analysis

  • max time kernel
    138s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/11/2023, 13:24

General

  • Target

    SecuriteInfo.com.Trojan.DownLoader8.49793.13590.23866.exe

  • Size

    124KB

  • MD5

    323d0cf6f709432d7202156daa5ca244

  • SHA1

    b71b0fbf2fc08957f4c8225b6033a00351025d5d

  • SHA256

    c6f3ec922496581f04b0be42efe0f3255e4689fa858320c59363bac065de7bc6

  • SHA512

    f5b85947fea24af2c1bd20771dc5c2cf40f5c8cac677bd4ab48aa2a6bbd5d23c67a67f500f8790b4cf2edc7f34e90eaafbb53bfabbff4ff89bda773406ea22a4

  • SSDEEP

    1536:3yiap9Dlv0a/diiFN8U54u8OVlCTQ/Cw5aGrTQaNGUUGFAlv3HOM4zEbCE:3aLv0a/ciFNxFRi6PrTQNVGFAlv+MBC

Malware Config

Signatures

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Windows directory 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader8.49793.13590.23866.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader8.49793.13590.23866.exe"
    • Installs/modifies Browser Helper Object
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4948
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      • Suspicious use of WriteProcessMemory
      PID:2364
      • C:\Windows\SysWOW64\reg.exe
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        PID:1220
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /s C:\Windows\pfll155.dll
      PID:372
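The process tree is the part of this report a detection engineer would act on: the sample spawns cmd.exe, which runs reg.exe to set HKLM\...\Policies\System\EnableLUA to 0 (disabling UAC prompts, effective after the next logon or reboot), and separately runs regsvr32.exe /s to register a DLL it dropped directly into C:\Windows, which is how the "Installs/modifies Browser Helper Object" and "System policy modification" signatures above are triggered. The Python below is an added example, not part of the Triage report or its tooling. It runs two command-line rules over a constructed set of process-creation events modelled on that tree and then walks parent PIDs so the dropper that spawned both children surfaces as the root. The event field names (pid, ppid, image, cmdline), the benign control event and the trusted-directory allowlist are assumptions for the example, not a real Sysmon or ETW schema.

```python
import ntpath
import re
from dataclasses import dataclass

UAC_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system"
# Assumed allowlist: directories a legitimate silent COM registration usually comes from.
TRUSTED_DLL_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
}

# Constructed sample events modelled on the process tree in the report above
# (pid 4948 is the dropper). The last event is a benign control that only queries the key.
SAMPLE_EVENTS = [
    {"pid": 4948, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader8.49793.13590.23866.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader8.49793.13590.23866.exe"'},
    {"pid": 2364, "ppid": 4948, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"pid": 1220, "ppid": 2364, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r"C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"pid": 372, "ppid": 4948, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"C:\Windows\system32\regsvr32.exe /s C:\Windows\pfll155.dll"},
    {"pid": 5000, "ppid": 1000, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA"},
]


@dataclass(frozen=True)
class Alert:
    pid: int
    rule: str
    detail: str


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def flag_value(tokens, flag):
    """Return the argument following a /flag switch (case-insensitive), or None."""
    low = [t.lower() for t in tokens]
    if flag in low and low.index(flag) + 1 < len(tokens):
        return tokens[low.index(flag) + 1]
    return None


def rule_uac_disable(ev):
    """reg ADD <Policies\\System> /v EnableLUA /d 0, matched on the command line rather
    than the image so the cmd.exe /k wrapper is caught as well as the reg.exe child."""
    toks = tokenize(ev["cmdline"])
    low = [t.lower() for t in toks]
    if "add" not in low:
        return None
    if not any(t.replace("hkey_local_machine", "hklm") == UAC_KEY for t in low):
        return None
    if (flag_value(toks, "/v") or "").lower() != "enablelua":
        return None
    data = flag_value(toks, "/d")
    try:
        if data is None or int(data, 0) != 0:   # accepts "0" and "0x0"
            return None
    except ValueError:
        return None
    return Alert(ev["pid"], "uac_disable", "reg add ... EnableLUA=0")


def rule_regsvr32_untrusted_dll(ev):
    """Silent regsvr32 (/s) registering a DLL outside the trusted directories.
    Match on the image basename: under WoW64 the image is SysWOW64\\regsvr32.exe
    while the command line says system32, as in the report."""
    if ntpath.basename(ev["image"]).lower() != "regsvr32.exe":
        return None
    toks = tokenize(ev["cmdline"])
    if "/s" not in [t.lower() for t in toks]:
        return None
    for dll in (t for t in toks if t.lower().endswith(".dll")):
        parent = ntpath.dirname(dll).lower()
        if not any(parent == d or parent.startswith(d + "\\") for d in TRUSTED_DLL_DIRS):
            return Alert(ev["pid"], "regsvr32_untrusted_dll", dll)
    return None


RULES = (rule_uac_disable, rule_regsvr32_untrusted_dll)


def run_rules(events):
    """Apply every rule to every event; return the list of Alerts."""
    return [a for ev in events for a in (rule(ev) for rule in RULES) if a]


def correlate(events, alerts):
    """Attribute each alert to its top-most ancestor present in the event set, so the
    dropper that spawned both the reg and regsvr32 children shows up with both rules."""
    parent = {ev["pid"]: ev["ppid"] for ev in events}

    def root_of(pid):
        while parent.get(pid) in parent:
            pid = parent[pid]
        return pid

    roots = {}
    for a in alerts:
        roots.setdefault(root_of(a.pid), set()).add(a.rule)
    return roots


if __name__ == "__main__":
    found = run_rules(SAMPLE_EVENTS)
    for a in found:
        print(f"pid {a.pid}: {a.rule} ({a.detail})")
    for pid, rules in correlate(SAMPLE_EVENTS, found).items():
        print(f"root pid {pid} triggered {sorted(rules)}")
```

Two practical notes on the rules: the EnableLUA rule deliberately ignores the image path, because a wrapper such as cmd.exe /k carries the full reg.exe command line and will still be logged even if the reg.exe event itself is lost, while the regsvr32 rule keys on the image basename because WoW64 file-system redirection makes the image path and the command-line path disagree, exactly as in the tree above. Treat a single root process that trips both rules as a high-severity finding rather than two separate medium ones.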

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\pfll155.dll

    Filesize

    4KB

    MD5

    b4ba3fea58c099259d476bde04cf8d5c

    SHA1

    9adfcc54c4911738694b940757810588e23faafc

    SHA256

    675bbb379debf12b83f1057e4ce12ff9d09e4f1377929296d716b855d95c7893

    SHA512

    bdf1e39ef03131beb0a1ed2ff008262ab5148246cb03af5ec85eb1f99d64869a71e39d435774ecad0e3f7d6bc8ed80493f7ac6130a222bf559be7a68253d08e5

  • C:\Windows\pfll155DesBananaeD

    Filesize

    4KB

    MD5

    b4ba3fea58c099259d476bde04cf8d5c

    SHA1

    9adfcc54c4911738694b940757810588e23faafc

    SHA256

    675bbb379debf12b83f1057e4ce12ff9d09e4f1377929296d716b855d95c7893

    SHA512

    bdf1e39ef03131beb0a1ed2ff008262ab5148246cb03af5ec85eb1f99d64869a71e39d435774ecad0e3f7d6bc8ed80493f7ac6130a222bf559be7a68253d08e5