Analysis
max time kernel: 138s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231023-en locale:en-us os:windows10-2004-x64 system
submitted: 12/11/2023, 13:24
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Trojan.DownLoader8.49793.13590.23866.exe
Resource: win7-20231023-en
General
Target: SecuriteInfo.com.Trojan.DownLoader8.49793.13590.23866.exe
Size: 124KB
MD5: 323d0cf6f709432d7202156daa5ca244
SHA1: b71b0fbf2fc08957f4c8225b6033a00351025d5d
SHA256: c6f3ec922496581f04b0be42efe0f3255e4689fa858320c59363bac065de7bc6
SHA512: f5b85947fea24af2c1bd20771dc5c2cf40f5c8cac677bd4ab48aa2a6bbd5d23c67a67f500f8790b4cf2edc7f34e90eaafbb53bfabbff4ff89bda773406ea22a4
SSDEEP: 1536:3yiap9Dlv0a/diiFN8U54u8OVlCTQ/Cw5aGrTQaNGUUGFAlv3HOM4zEbCE:3aLv0a/ciFNxFRi6PrTQNVGFAlv+MBC
Malware Config
Signatures
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ | SecuriteInfo.com.Trojan.DownLoader8.49793.13590.23866.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ | SecuriteInfo.com.Trojan.DownLoader8.49793.13590.23866.exe

Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\pfll155.dll | SecuriteInfo.com.Trojan.DownLoader8.49793.13590.23866.exe
File opened for modification | C:\Windows\pfll155DesBananaeD | SecuriteInfo.com.Trojan.DownLoader8.49793.13590.23866.exe
File created | C:\Windows\win000.tmp | SecuriteInfo.com.Trojan.DownLoader8.49793.13590.23866.exe
File opened for modification | C:\Windows\win000.tmp | SecuriteInfo.com.Trojan.DownLoader8.49793.13590.23866.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
4948 | SecuriteInfo.com.Trojan.DownLoader8.49793.13590.23866.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 4948 wrote to memory of 2364 | 4948 | SecuriteInfo.com.Trojan.DownLoader8.49793.13590.23866.exe | 84
PID 4948 wrote to memory of 2364 | 4948 | SecuriteInfo.com.Trojan.DownLoader8.49793.13590.23866.exe | 84
PID 4948 wrote to memory of 2364 | 4948 | SecuriteInfo.com.Trojan.DownLoader8.49793.13590.23866.exe | 84
PID 2364 wrote to memory of 1220 | 2364 | cmd.exe | 86
PID 2364 wrote to memory of 1220 | 2364 | cmd.exe | 86
PID 2364 wrote to memory of 1220 | 2364 | cmd.exe | 86
PID 4948 wrote to memory of 372 | 4948 | SecuriteInfo.com.Trojan.DownLoader8.49793.13590.23866.exe | 97
PID 4948 wrote to memory of 372 | 4948 | SecuriteInfo.com.Trojan.DownLoader8.49793.13590.23866.exe | 97
PID 4948 wrote to memory of 372 | 4948 | SecuriteInfo.com.Trojan.DownLoader8.49793.13590.23866.exe | 97

System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | SecuriteInfo.com.Trojan.DownLoader8.49793.13590.23866.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\ = "1" | SecuriteInfo.com.Trojan.DownLoader8.49793.13590.23866.exe
Processes
PID 4948  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader8.49793.13590.23866.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader8.49793.13590.23866.exe"
          - Installs/modifies Browser Helper Object
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - System policy modification

  PID 2364  C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            - Suspicious use of WriteProcessMemory

    PID 1220  C:\Windows\SysWOW64\reg.exe
              command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

  PID 372   C:\Windows\SysWOW64\regsvr32.exe
            command line: C:\Windows\system32\regsvr32.exe /s C:\Windows\pfll155.dll
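Added example, not part of the tria.ge report and not tria.ge's own detection code: the process tree above shows the sample spawning cmd.exe /k reg.exe to set HKLM\...\Policies\System\EnableLUA to 0 (which switches UAC off from the next logon) and regsvr32 /s registering the dropped C:\Windows\pfll155.dll, while the signatures record the Browser Helper Objects key and the Policies\Ext\CLSID = "1" value that pins the add-on on in Internet Explorer. The Python below turns those four behaviours into detection rules over process-creation and registry-set events and groups every hit under its root process, so the analyst sees one incident rather than four unrelated alerts. The events are constructed from this report's PIDs and command lines; the parent PIDs 4000/4001, the benign EnableLUA=1 control process, and the all-zero BHO CLSID are assumptions (the report elides the real CLSID).

```python
"""Detection rules for the behaviours in the report above, run over process-creation
and registry-value-set events (the shape a SIEM hands you for Sysmon Event ID 1 and 13).
Events are constructed from the report's process tree and IoCs, not a real log export."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class RegEvent:
    pid: int
    key: str
    data: str = ""


SAMPLE = "SecuriteInfo.com.Trojan.DownLoader8.49793.13590.23866.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
POLICY_SYSTEM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
BHO_PATH = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
EXT_PATH = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID"
BHO_CLSID = "{00000000-0000-0000-0000-000000000000}"  # placeholder: the report elides the real CLSID

# From the report: 4948 -> 2364 (cmd.exe) -> 1220 (reg.exe) and 4948 -> 372 (regsvr32.exe).
# Parent PIDs 4000/4001 are assumed; 5000 is a benign control where an admin re-enables UAC.
PROC_EVENTS = [
    ProcEvent(4948, 4000, TEMP + "\\" + SAMPLE, f'"{TEMP}\\{SAMPLE}"'),
    ProcEvent(2364, 4948, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD " + POLICY_SYSTEM
              + " /v EnableLUA /t REG_DWORD /d 0 /f"),
    ProcEvent(1220, 2364, r"C:\Windows\SysWOW64\reg.exe",
              r"C:\Windows\System32\reg.exe ADD " + POLICY_SYSTEM + " /v EnableLUA /t REG_DWORD /d 0 /f"),
    ProcEvent(372, 4948, r"C:\Windows\SysWOW64\regsvr32.exe",
              r"C:\Windows\system32\regsvr32.exe /s C:\Windows\pfll155.dll"),
    ProcEvent(5000, 4001, r"C:\Windows\System32\reg.exe",
              "reg.exe ADD " + POLICY_SYSTEM + " /v EnableLUA /t REG_DWORD /d 1 /f"),
]
REG_EVENTS = [
    RegEvent(4948, BHO_PATH + "\\" + BHO_CLSID),
    RegEvent(4948, EXT_PATH + "\\" + BHO_CLSID, "1"),
]

# EnableLUA=0 under Policies\System switches UAC off from the next logon; /d 1 does not match.
UAC_DISABLE = re.compile(
    r"reg(?:\.exe)?\s+add\s+[\"']?(?:hklm|hkey_local_machine)\\software\\microsoft\\windows"
    r"\\currentversion\\policies\\system[\"']?\s.*?/v\s+enablelua\b.*?/d\s+(?:0x)?0+(?:\s|$)",
    re.IGNORECASE)
# A DLL registered straight out of the Windows root; real COM servers live in System32 or
# SysWOW64, and the [^\\] class refuses any further path component, so those do not match.
REGSVR32_WINDIR = re.compile(
    r"regsvr32(?:\.exe)?(?:\s+/\w+)*\s+[\"']?(?P<dll>[a-z]:\\windows\\[^\\\s\"']+\.dll)",
    re.IGNORECASE)
BHO_KEY = re.compile(r"\\explorer\\browser helper objects\\", re.IGNORECASE)
EXT_POLICY_KEY = re.compile(r"\\policies\\ext\\clsid\\", re.IGNORECASE)


def detect_uac_disable(events):
    """PIDs whose command line sets EnableLUA to 0; the cmd.exe /k wrapper matches too."""
    return [e.pid for e in events if UAC_DISABLE.search(e.cmdline)]

def detect_regsvr32_windows_root(events):
    """(pid, dll) for each regsvr32 registration of a DLL directly under C:\\Windows."""
    hits = []
    for e in events:
        m = REGSVR32_WINDIR.search(e.cmdline)
        if m:
            hits.append((e.pid, m.group("dll")))
    return hits

def detect_bho_registration(reg_events):
    return [e.pid for e in reg_events if BHO_KEY.search(e.key)]

def detect_ext_policy(reg_events):
    """Policies\\Ext\\CLSID\\<clsid> = "1": IE add-on management policy pinning the add-on on."""
    return [e.pid for e in reg_events if EXT_POLICY_KEY.search(e.key) and e.data == "1"]

def root_of(pid, events):
    """Follow ppid links to the top-most process present in the event set."""
    by_pid = {e.pid: e for e in events}
    while pid in by_pid and by_pid[pid].ppid in by_pid and by_pid[pid].ppid != pid:
        pid = by_pid[pid].ppid
    return pid

def triage(proc_events, reg_events):
    """Group every hit under its root process: one incident (PID 4948), not four alerts."""
    findings = {}
    def add(rule, pid, detail):
        findings.setdefault(root_of(pid, proc_events), []).append((rule, pid, detail))
    for pid in detect_uac_disable(proc_events):
        add("uac_disable", pid, "EnableLUA=0")
    for pid, dll in detect_regsvr32_windows_root(proc_events):
        add("regsvr32_windows_root", pid, dll)
    for pid in detect_bho_registration(reg_events):
        add("bho_registered", pid, "Browser Helper Objects key created")
    for pid in detect_ext_policy(reg_events):
        add("ie_addon_policy", pid, "Policies\\Ext\\CLSID = 1")
    return findings
```

Running triage(PROC_EVENTS, REG_EVENTS) yields a single root, 4948, carrying all five hits; the control process 5000 that writes EnableLUA=1 is never flagged. The regsvr32 rule is deliberately narrow (a DLL in the Windows root itself, the way this sample drops pfll155.dll), which keeps it quiet on normal COM registrations out of System32.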
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 4KB
MD5: b4ba3fea58c099259d476bde04cf8d5c
SHA1: 9adfcc54c4911738694b940757810588e23faafc
SHA256: 675bbb379debf12b83f1057e4ce12ff9d09e4f1377929296d716b855d95c7893
SHA512: bdf1e39ef03131beb0a1ed2ff008262ab5148246cb03af5ec85eb1f99d64869a71e39d435774ecad0e3f7d6bc8ed80493f7ac6130a222bf559be7a68253d08e5

Filesize: 4KB
MD5: b4ba3fea58c099259d476bde04cf8d5c
SHA1: 9adfcc54c4911738694b940757810588e23faafc
SHA256: 675bbb379debf12b83f1057e4ce12ff9d09e4f1377929296d716b855d95c7893
SHA512: bdf1e39ef03131beb0a1ed2ff008262ab5148246cb03af5ec85eb1f99d64869a71e39d435774ecad0e3f7d6bc8ed80493f7ac6130a222bf559be7a68253d08e5