Analysis

  • max time kernel
    122s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/06/2024, 14:59 UTC

General

  • Target

    24d512fa05d2d5c5330be84a58526c74221fba38cc6993cee31acf645dfd50dc.exe

  • Size

    3.0MB

  • MD5

    1cecb25d5fe1f38d7b14353a2a14bf79

  • SHA1

    7c9934b8111267b9e615917cd8fcb73398e98972

  • SHA256

    24d512fa05d2d5c5330be84a58526c74221fba38cc6993cee31acf645dfd50dc

  • SHA512

    82b76bc9b11a3d99b7b2d538ffeeeb0e674fc36d52ce975690c3485a843a687fe6f2a89baf354e8e41b2a076c09dd14b258025359915689f8c3acdfa6abf29b7

  • SSDEEP

    49152:J/FZcUfaYBmWzQvoMxyPvBpWI0y2gA3uJV5C+CM0GNiGUXqC3q81vK1GEtrXbLoK:1IUCYBmoQvbPIy2z5PWGNnqvuG4X/

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload (3 IoCs)
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  • Checks BIOS information in registry (2 TTPs, 2 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer (3 IoCs)

    Detects Themida, an advanced Windows software protection system.

  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  • Modifies system certificate store (2 TTPs, 6 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\24d512fa05d2d5c5330be84a58526c74221fba38cc6993cee31acf645dfd50dc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\24d512fa05d2d5c5330be84a58526c74221fba38cc6993cee31acf645dfd50dc.exe"
    PID: 3064
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken

Network

  • POST http://91.92.248.66:55213/ (NL)
    24d512fa05d2d5c5330be84a58526c74221fba38cc6993cee31acf645dfd50dc.exe
    Remote address:
    91.92.248.66:55213
    Request
    POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
    Host: 91.92.248.66:55213
    Content-Length: 137
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Content-Length: 212
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-HTTPAPI/2.0
    Date: Thu, 13 Jun 2024 14:59:29 GMT
  • POST http://91.92.248.66:55213/ (NL)
    24d512fa05d2d5c5330be84a58526c74221fba38cc6993cee31acf645dfd50dc.exe
    Remote address:
    91.92.248.66:55213
    Request
    POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
    Host: 91.92.248.66:55213
    Content-Length: 144
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Response
    HTTP/1.1 200 OK
    Content-Length: 7340
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-HTTPAPI/2.0
    Date: Thu, 13 Jun 2024 14:59:34 GMT
  • POST http://91.92.248.66:55213/ (NL)
    24d512fa05d2d5c5330be84a58526c74221fba38cc6993cee31acf645dfd50dc.exe
    Remote address:
    91.92.248.66:55213
    Request
    POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
    Host: 91.92.248.66:55213
    Content-Length: 1249465
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Response
    HTTP/1.1 200 OK
    Content-Length: 147
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-HTTPAPI/2.0
    Date: Thu, 13 Jun 2024 14:59:40 GMT
  • POST http://91.92.248.66:55213/ (NL)
    24d512fa05d2d5c5330be84a58526c74221fba38cc6993cee31acf645dfd50dc.exe
    Remote address:
    91.92.248.66:55213
    Request
    POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
    Host: 91.92.248.66:55213
    Content-Length: 1249457
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Response
    HTTP/1.1 200 OK
    Content-Length: 261
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-HTTPAPI/2.0
    Date: Thu, 13 Jun 2024 14:59:41 GMT
  • DNS api.ip.sb (US)
    24d512fa05d2d5c5330be84a58526c74221fba38cc6993cee31acf645dfd50dc.exe
    Remote address:
    8.8.8.8:53
    Request
    api.ip.sb
    IN A
    Response
    api.ip.sb
    IN CNAME
    api.ip.sb.cdn.cloudflare.net
    api.ip.sb.cdn.cloudflare.net
    IN A
    104.26.12.31
    api.ip.sb.cdn.cloudflare.net
    IN A
    104.26.13.31
    api.ip.sb.cdn.cloudflare.net
    IN A
    172.67.75.172
  • GET https://api.ip.sb/geoip (US)
    24d512fa05d2d5c5330be84a58526c74221fba38cc6993cee31acf645dfd50dc.exe
    Remote address:
    104.26.12.31:443
    Request
    GET /geoip HTTP/1.1
    Host: api.ip.sb
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Thu, 13 Jun 2024 14:59:38 GMT
    Content-Type: application/json; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    vary: Accept-Encoding
    Cache-Control: no-cache
    access-control-allow-origin: *
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hG3z7MPpPVYyC%2Baz%2Bh9JiAsLQjtAS1cdC2v9Ga2Z4e7qXMw4Qs1TgggfUf%2B7XLj%2FtzIWevXxFHCgzSEB3IZ4ekI4Xy5BkflQrn1bZK5Iz5bL3s6nzb49kR%2Beyg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Server: cloudflare
    CF-RAY: 8932f21229ce79af-LHR
    alt-svc: h3=":443"; ma=86400
  • DNS apps.identrust.com (US)
    24d512fa05d2d5c5330be84a58526c74221fba38cc6993cee31acf645dfd50dc.exe
    Remote address:
    8.8.8.8:53
    Request
    apps.identrust.com
    IN A
    Response
    apps.identrust.com
    IN CNAME
    identrust.edgesuite.net
    identrust.edgesuite.net
    IN CNAME
    a1952.dscq.akamai.net
    a1952.dscq.akamai.net
    IN A
    23.14.90.74
    a1952.dscq.akamai.net
    IN A
    23.14.90.73
  • GET http://apps.identrust.com/roots/dstrootcax3.p7c (BE)
    24d512fa05d2d5c5330be84a58526c74221fba38cc6993cee31acf645dfd50dc.exe
    Remote address:
    23.14.90.74:80
    Request
    GET /roots/dstrootcax3.p7c HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: apps.identrust.com
    Response
    HTTP/1.1 200 OK
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    X-Robots-Tag: noindex
    Referrer-Policy: same-origin
    Last-Modified: Fri, 13 Oct 2023 16:28:31 GMT
    ETag: "37d-6079b8c0929c0"
    Accept-Ranges: bytes
    Content-Length: 893
    X-Content-Type-Options: nosniff
    X-Frame-Options: sameorigin
    Content-Type: application/pkcs7-mime
    Cache-Control: max-age=3600
    Expires: Thu, 13 Jun 2024 15:59:37 GMT
    Date: Thu, 13 Jun 2024 14:59:37 GMT
    Connection: keep-alive
  • 91.92.248.66:55213
    URL: http://91.92.248.66:55213/
    Protocol: http
    Process: 24d512fa05d2d5c5330be84a58526c74221fba38cc6993cee31acf645dfd50dc.exe
    Sent: 2.6MB
    Received: 41.4kB
    Packets sent: 1857
    Packets received: 776
    HTTP requests and responses:
    POST http://91.92.248.66:55213/ → 200
    POST http://91.92.248.66:55213/ → 200
    POST http://91.92.248.66:55213/ → 200
    POST http://91.92.248.66:55213/ → 200
  • 104.26.12.31:443
    URL: https://api.ip.sb/geoip
    Protocol: tls, http
    Process: 24d512fa05d2d5c5330be84a58526c74221fba38cc6993cee31acf645dfd50dc.exe
    Sent: 796 B
    Received: 6.0kB
    Packets sent: 10
    Packets received: 10
    HTTP requests and responses:
    GET https://api.ip.sb/geoip → 200
  • 23.14.90.74:80
    URL: http://apps.identrust.com/roots/dstrootcax3.p7c
    Protocol: http
    Process: 24d512fa05d2d5c5330be84a58526c74221fba38cc6993cee31acf645dfd50dc.exe
    Sent: 369 B
    Received: 1.6kB
    Packets sent: 5
    Packets received: 4
    HTTP requests and responses:
    GET http://apps.identrust.com/roots/dstrootcax3.p7c → 200
  • 8.8.8.8:53
    Query: api.ip.sb
    Protocol: dns
    Process: 24d512fa05d2d5c5330be84a58526c74221fba38cc6993cee31acf645dfd50dc.exe
    Sent: 55 B
    Received: 145 B
    Packets sent: 1
    Packets received: 1
    DNS request: api.ip.sb
    DNS response: 104.26.12.31, 104.26.13.31, 172.67.75.172
  • 8.8.8.8:53
    Query: apps.identrust.com
    Protocol: dns
    Process: 24d512fa05d2d5c5330be84a58526c74221fba38cc6993cee31acf645dfd50dc.exe
    Sent: 64 B
    Received: 165 B
    Packets sent: 1
    Packets received: 1
    DNS request: apps.identrust.com
    DNS response: 23.14.90.74, 23.14.90.73

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a00067c8c2e70651a9c11476f6e3ff30

    SHA1

    4b195418434f1a3a6f88bc1e9780168f8371c0ba

    SHA256

    77e5791382e6107b6b7387a893f82e566f4638b30f283acb5e596196998914c5

    SHA512

    3def6b854861202d122a6dc445ab4fcd9fa5b40dafb2a8908f5fbc7aafafd002bc4bb6e3fed39bd01c497e5f7b92846732a3cc00919d51eda96b15728946e518

  • C:\Users\Admin\AppData\Local\Temp\Cab3065.tmp

    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\Tar3156.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\tmp33B4.tmp

    Filesize

    46KB

    MD5

    02d2c46697e3714e49f46b680b9a6b83

    SHA1

    84f98b56d49f01e9b6b76a4e21accf64fd319140

    SHA256

    522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

    SHA512

    60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

  • C:\Users\Admin\AppData\Local\Temp\tmp33D9.tmp

    Filesize

    20KB

    MD5

    c9ff7748d8fcef4cf84a5501e996a641

    SHA1

    02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

    SHA256

    4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

    SHA512

    d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

  • C:\Users\Admin\AppData\Local\Temp\tmp33DF.tmp

    Filesize

    92KB

    MD5

    18e04095708297d6889a6962f81e8d8f

    SHA1

    9a25645db1da0217092c06579599b04982192124

    SHA256

    4ed16c019fe50bb4ab1c9dcedf0e52f93454b5dbaf18615d60761e7927b69fb7

    SHA512

    45ec57bddeeb8bca05babcf8da83bf9db630819b23076a1cf79f2e54b3e88e14cd7db650332554026ab5e8634061dd699f322bcba6683765063e67ac47ea1caf

  • memory/3064-11-0x0000000075750000-0x0000000075860000-memory.dmp

    Filesize

    1.1MB

  • memory/3064-6-0x0000000075750000-0x0000000075860000-memory.dmp

    Filesize

    1.1MB

  • memory/3064-26-0x0000000075750000-0x0000000075860000-memory.dmp

    Filesize

    1.1MB

  • memory/3064-25-0x0000000075750000-0x0000000075860000-memory.dmp

    Filesize

    1.1MB

  • memory/3064-20-0x0000000075750000-0x0000000075860000-memory.dmp

    Filesize

    1.1MB

  • memory/3064-19-0x0000000075750000-0x0000000075860000-memory.dmp

    Filesize

    1.1MB

  • memory/3064-18-0x0000000075750000-0x0000000075860000-memory.dmp

    Filesize

    1.1MB

  • memory/3064-17-0x0000000075750000-0x0000000075860000-memory.dmp

    Filesize

    1.1MB

  • memory/3064-16-0x0000000075750000-0x0000000075860000-memory.dmp

    Filesize

    1.1MB

  • memory/3064-15-0x0000000075750000-0x0000000075860000-memory.dmp

    Filesize

    1.1MB

  • memory/3064-14-0x0000000075750000-0x0000000075860000-memory.dmp

    Filesize

    1.1MB

  • memory/3064-0-0x0000000000B00000-0x0000000001322000-memory.dmp

    Filesize

    8.1MB

  • memory/3064-10-0x0000000075750000-0x0000000075860000-memory.dmp

    Filesize

    1.1MB

  • memory/3064-9-0x0000000075750000-0x0000000075860000-memory.dmp

    Filesize

    1.1MB

  • memory/3064-8-0x0000000075750000-0x0000000075860000-memory.dmp

    Filesize

    1.1MB

  • memory/3064-27-0x0000000075750000-0x0000000075860000-memory.dmp

    Filesize

    1.1MB

  • memory/3064-5-0x0000000075750000-0x0000000075860000-memory.dmp

    Filesize

    1.1MB

  • memory/3064-4-0x0000000075750000-0x0000000075860000-memory.dmp

    Filesize

    1.1MB

  • memory/3064-3-0x0000000075750000-0x0000000075860000-memory.dmp

    Filesize

    1.1MB

  • memory/3064-2-0x0000000075750000-0x0000000075860000-memory.dmp

    Filesize

    1.1MB

  • memory/3064-30-0x0000000075750000-0x0000000075860000-memory.dmp

    Filesize

    1.1MB

  • memory/3064-31-0x0000000000B00000-0x0000000001322000-memory.dmp

    Filesize

    8.1MB

  • memory/3064-32-0x0000000000B00000-0x0000000001322000-memory.dmp

    Filesize

    8.1MB

  • memory/3064-28-0x0000000075750000-0x0000000075860000-memory.dmp

    Filesize

    1.1MB

  • memory/3064-29-0x0000000075750000-0x0000000075860000-memory.dmp

    Filesize

    1.1MB

  • memory/3064-22-0x0000000075750000-0x0000000075860000-memory.dmp

    Filesize

    1.1MB

  • memory/3064-13-0x0000000075750000-0x0000000075860000-memory.dmp

    Filesize

    1.1MB

  • memory/3064-12-0x0000000075750000-0x0000000075860000-memory.dmp

    Filesize

    1.1MB

  • memory/3064-7-0x0000000075750000-0x0000000075860000-memory.dmp

    Filesize

    1.1MB

  • memory/3064-1-0x0000000075764000-0x0000000075765000-memory.dmp

    Filesize

    4KB

  • memory/3064-197-0x0000000000B00000-0x0000000001322000-memory.dmp

    Filesize

    8.1MB

  • memory/3064-198-0x0000000075750000-0x0000000075860000-memory.dmp

    Filesize

    1.1MB
