Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/12/2024, 08:06 UTC

General

  • Target

    6AFDD0CBDF70F3E75F423B1557648E85.exe

  • Size

    1.0MB

  • MD5

    6afdd0cbdf70f3e75f423b1557648e85

  • SHA1

    6c5cf72a38f08fd41b9f4943efaa4fa3b4d92c66

  • SHA256

    f5a76af6335f9ea831901a5fac818c22393fdb2d0d9408ce373018b24a2ddb71

  • SHA512

    b550dbba19c53f55d1433cfbd38fff724c9759da4232597f1b3213e98529f440854a32387eb4a7a7aea2b6a2601816e13b0cfd2ab8712c2f6ef0ec66a2c5028d

  • SSDEEP

    24576:AqDEvCTbMWu7rQYlBQcBiT6rprG8abXTaR:ATvC/MTQYxsWR7abX

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

185.222.58.90:55615

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 3 IoCs
  • Redline family
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 3 IoCs
  • Sectoprat family
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6AFDD0CBDF70F3E75F423B1557648E85.exe
    "C:\Users\Admin\AppData\Local\Temp\6AFDD0CBDF70F3E75F423B1557648E85.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\6AFDD0CBDF70F3E75F423B1557648E85.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1364

Network

  • NL
    POST
    http://185.222.58.90:55615/
    RegSvcs.exe
    Remote address:
    185.222.58.90:55615
    Request
    POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
    Host: 185.222.58.90:55615
    Content-Length: 137
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Content-Length: 212
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-HTTPAPI/2.0
    Date: Tue, 24 Dec 2024 08:06:08 GMT
  • NL
    POST
    http://185.222.58.90:55615/
    RegSvcs.exe
    Remote address:
    185.222.58.90:55615
    Request
    POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
    Host: 185.222.58.90:55615
    Content-Length: 144
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Response
    HTTP/1.1 200 OK
    Content-Length: 9593
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-HTTPAPI/2.0
    Date: Tue, 24 Dec 2024 08:06:13 GMT
  • US
    DNS
    api.ip.sb
    RegSvcs.exe
    Remote address:
    8.8.8.8:53
    Request
    api.ip.sb
    IN A
    Response
    api.ip.sb
    IN CNAME
    api.ip.sb.cdn.cloudflare.net
    api.ip.sb.cdn.cloudflare.net
    IN A
    172.67.75.172
    api.ip.sb.cdn.cloudflare.net
    IN A
    104.26.13.31
    api.ip.sb.cdn.cloudflare.net
    IN A
    104.26.12.31
  • US
    GET
    https://api.ip.sb/geoip
    RegSvcs.exe
    Remote address:
    172.67.75.172:443
    Request
    GET /geoip HTTP/1.1
    Host: api.ip.sb
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Tue, 24 Dec 2024 08:06:16 GMT
    Content-Type: application/json; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    vary: Accept-Encoding
    Cache-Control: no-cache
    access-control-allow-origin: *
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FI4NJ7ztN6elkvTJNVC6idu3gkqX0sf1DhL6SxKDcwM4tiDR2xEQJP3LnrLCOcVoXOPXea%2FN8BhHXoWb6bAJjzLgy54S9D%2BxqT6ZvX0Hlz%2F8yMTcdkRHtEJdYA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Server: cloudflare
    CF-RAY: 8f6f17518c70653e-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=57278&min_rtt=47494&rtt_var=29574&sent=7&recv=7&lost=0&retrans=0&sent_bytes=4511&recv_bytes=348&delivery_rate=113971&cwnd=252&unsent_bytes=0&cid=ac79a9c95a101861&ts=252&x=0"
  • 185.222.58.90:55615
    http://185.222.58.90:55615/
    http
    RegSvcs.exe
    1.3kB
    10.7kB
    12
    13

    HTTP Request

    POST http://185.222.58.90:55615/

    HTTP Response

    200

    HTTP Request

    POST http://185.222.58.90:55615/

    HTTP Response

    200
  • 172.67.75.172:443
    https://api.ip.sb/geoip
    tls, http
    RegSvcs.exe
    750 B
    6.3kB
    9
    10

    HTTP Request

    GET https://api.ip.sb/geoip

    HTTP Response

    200
  • 8.8.8.8:53
    api.ip.sb
    dns
    RegSvcs.exe
    55 B
    145 B
    1
    1

    DNS Request

    api.ip.sb

    DNS Response

    172.67.75.172
    104.26.13.31
    104.26.12.31

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1364-7-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

  • memory/1364-11-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

  • memory/1364-9-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

  • memory/1364-12-0x0000000074CCE000-0x0000000074CCF000-memory.dmp

    Filesize

    4KB

  • memory/1364-13-0x0000000074CC0000-0x00000000753AE000-memory.dmp

    Filesize

    6.9MB

  • memory/1364-14-0x0000000074CC0000-0x00000000753AE000-memory.dmp

    Filesize

    6.9MB

  • memory/2332-6-0x0000000000E30000-0x0000000001230000-memory.dmp

    Filesize

    4.0MB