File name:

SecuriteInfo.com.Win32.Trojan-gen.4875.23333

Full analysis: https://app.any.run/tasks/5dbc47c3-159c-4c6f-89f4-3cbd2ec4daf8
Verdict: Malicious activity
Analysis date: December 05, 2022, 23:36:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
trojan
bitrat
rat
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

7CB5F631784C4E56F1BBBD2DB5E08CF4

SHA1:

467BCD4C278B2FAE07B3DFB68B29814F0C1EC606

SHA256:

FFA9F3D0E3D4D29B10CBA30FE3394D538B8C415E9C29CF36A56990E9204EC7BF

SSDEEP:

24576:owfXt2qCbasU3cyK9pNhMhtrjxLF7ZQ/ronBb5:oEcO+9bh+1lLFaMnBb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exe (PID: 2948)
    • BITRAT was detected

      • wscript.exe (PID: 1028)
    • Connects to the CnC server

      • wscript.exe (PID: 1028)
  • SUSPICIOUS

    • Reads the Internet Settings

      • SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exe (PID: 2948)
    • Reads settings of System Certificates

      • SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exe (PID: 2948)
    • Adds/modifies Windows certificates

      • SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exe (PID: 2948)
    • Checks Windows Trust Settings

      • SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exe (PID: 2948)
    • Reads security settings of Internet Explorer

      • SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exe (PID: 2948)
    • Executes scripts

      • SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exe (PID: 2948)
  • INFO

    • Reads the computer name

      • SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exe (PID: 2948)
    • Checks supported languages

      • SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exe (PID: 2948)
    • Checks proxy server information

      • SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exe (PID: 2948)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (53.2)
.exe | Win32 Executable Delphi generic (17.5)
.scr | Windows screen saver (16.1)
.exe | Win32 Executable (generic) (5.5)
.exe | Win16/32 Executable Delphi generic (2.5)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 1992-Jun-19 22:22:17
Detected languages:
  • English - United States
  • German - Germany
CompanyName: e-merge GmbH
FileDescription: http://www.winace.com
FileVersion: 2.69.0.0
InternalName:
LegalCopyright: 1997-2007 ACE Compression Software & e-merge GmbH
LegalTrademarks: 1997-2007 ACE Compression Software & e-merge GmbH
OriginalFilename:
ProductName: WinAce
ProductVersion: 02.69.00.00
Comments: Installation created by Sfx-Factory!,(c) 1997-2005 e-merge GmbH, http://www.emerge.de

DOS Header

e_magic: MZ
e_cblp: 80
e_cp: 2
e_crlc: 0
e_cparhdr: 4
e_minalloc: 15
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 26
e_oemid: 0
e_oeminfo: 0
e_lfanew: 256

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 9
TimeDateStamp: 1992-Jun-19 22:22:17
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
4096
378268
378368
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.53109
.itext
385024
2048
2048
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.17862
.data
389120
7268
7680
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.76808
.bss
397312
14084
0
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata
413696
9856
10240
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.87882
.tls
425984
52
0
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata
430080
24
512
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
0.210826
.reloc
434176
26564
26624
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.70587
.rsrc
462848
607744
607744
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.52716

Resources

Title
Entropy
Size
Codepage
Language
Type
1
2.6633
308
UNKNOWN
English - United States
RT_CURSOR
2
2.80231
308
UNKNOWN
English - United States
RT_CURSOR
3
3.00046
308
UNKNOWN
English - United States
RT_CURSOR
4
2.56318
308
UNKNOWN
English - United States
RT_CURSOR
5
2.6949
308
UNKNOWN
English - United States
RT_CURSOR
6
2.62527
308
UNKNOWN
English - United States
RT_CURSOR
7
2.91604
308
UNKNOWN
English - United States
RT_CURSOR
52
5.29068
4264
UNKNOWN
UNKNOWN
RT_ICON
53
4.35947
21640
UNKNOWN
UNKNOWN
RT_ICON
54
4.16197
38056
UNKNOWN
UNKNOWN
RT_ICON

Imports

Kernel32
advapi32.dll
advapi32.dll (#2)
comctl32.dll
gdi32.dll
kernel32.dll
kernel32.dll (#2)
kernel32.dll (#3)
kernel32.dll (#4)
ole32.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start securiteinfo.com.win32.trojan-gen.4875.23333.exe #BITRAT wscript.exe

Process information

PID
CMD
Path
Indicators
Parent process
2948"C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exe" C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exe
Explorer.EXE
User:
admin
Company:
e-merge GmbH
Integrity Level:
MEDIUM
Description:
http://www.winace.com
Exit code:
0
Version:
2.69.0.0
Modules
Images
c:\users\admin\appdata\local\temp\securiteinfo.com.win32.trojan-gen.4875.23333.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
1028C:\Windows\System32\wscript.exeC:\Windows\System32\wscript.exe
SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
4 750
Read events
4 708
Write events
40
Delete events
2

Modification events

(PID) Process:(2948) SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2948) SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(2948) SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2948) SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2948) SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(2948) SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2948) SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2948) SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2948) SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2948) SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
Operation:writeName:WpadDecisionReason
Value:
1
Executable files
1
Suspicious files
6
Text files
2
Unknown types
2

Dropped files

PID
Process
Filename
Type
2948SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exeC:\Users\Public\Libraries\Cjyuaebl.exeexecutable
MD5:7CB5F631784C4E56F1BBBD2DB5E08CF4
SHA256:FFA9F3D0E3D4D29B10CBA30FE3394D538B8C415E9C29CF36A56990E9204EC7BF
2948SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868binary
MD5:95CA9800F44BB2187C35953120585AB2
SHA256:92D9BD3F4B5A368B4BBD2092C010143F0CC41077055D57235F0DB3941A7D8992
2948SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\Cjyuaeblxvk[1]binary
MD5:33DAF581F37766E63D01955CD5C946D2
SHA256:A07A521A0535F989921CB1AEE82D8FFCDF4402C4AFD3F6E2230DB315FB12CCF2
2948SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53der
MD5:8572F60C3D290AB98BC369AE8EEBFF9C
SHA256:B4BE06A39491F6DF0412436B81B6CF29A608866DBCC88435A540201A250F0549
2948SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53binary
MD5:D2D497B3AFCFAA267FF5948E1EC716BD
SHA256:2D66265C0678E72A2F0041BB76482FB0368735FF2256A82DE48FB716A5A95F58
2948SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\D7WOYUU2.txttext
MD5:7A3D0C2E15DB75FCEA500D03BFCE903C
SHA256:4EF47D4CE63555CFBC118EE8C69FE61F6A69FD47160F611C00FB56F75380A104
2948SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exeC:\Users\Public\Libraries\lbeauyjC.urltext
MD5:C54B803F3CC88219B513DD17B2BD03CB
SHA256:1AE0FB38F1D14F23AAC0551B57EBEEDF30430D020A249DF87D7B268D4A0E5D07
2948SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exeC:\Users\Public\Libraries\Cjyuaeblbinary
MD5:33DAF581F37766E63D01955CD5C946D2
SHA256:A07A521A0535F989921CB1AEE82D8FFCDF4402C4AFD3F6E2230DB315FB12CCF2
2948SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868der
MD5:4E52CCDE1A1E21BE762E8EFDF4EA9FE5
SHA256:BA8A22FC717524C6C8CB45E51738C3DF75F9F6798AF18D82BB6CC87195CCE682
2948SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:0D1C36932CD4EE1EC7D426A5CAD59E59
SHA256:3B923A7330826D0DEDF02834C1301E293BD2C871EF6E915092F31AC9AF75EEF6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
5
DNS requests
6
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2948
SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAqvpsXKY8RRQeo74ffHUxc%3D
US
der
471 b
whitelisted
2948
SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D
US
der
471 b
whitelisted
2948
SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exe
GET
200
95.140.236.128:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?bfd5211b04f27496
GB
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2948
SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exe
93.184.220.29:80
ocsp.digicert.com
EDGECAST
GB
whitelisted
2948
SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exe
13.107.42.13:443
onedrive.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
malicious
2948
SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exe
95.140.236.128:80
ctldl.windowsupdate.com
LLNW
US
malicious
2948
SecuriteInfo.com.Win32.Trojan-gen.4875.23333.exe
13.107.43.12:443
2630fq.ch.files.1drv.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
1028
wscript.exe
20.84.45.190:5877
winery.nsupdate.info
MICROSOFT-CORP-MSN-AS-BLOCK
US
malicious

DNS requests

Domain
IP
Reputation
onedrive.live.com
  • 13.107.42.13
shared
ctldl.windowsupdate.com
  • 95.140.236.128
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
2630fq.ch.files.1drv.com
  • 13.107.43.12
suspicious
winery.nsupdate.info
  • 20.84.45.190
malicious

Threats

PID
Process
Class
Message
1028
wscript.exe
A Network Trojan was detected
ET TROJAN Observed Malicious SSL Cert (BitRAT CnC)
No debug info