Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/02/2025, 22:49

General

  • Target

    SecuriteInfo.com.Win32.Evo-gen.12305.exe

  • Size

    1.7MB

  • MD5

    5937ca40bd9145c27e123daaa40b1266

  • SHA1

    455fa1eec4efa958f29ec41f0e1bb9328ae0a2ab

  • SHA256

    a38c2f09dfc1e0b8d2bbc90cd734cda433079488ac3f8520535c51dfcdf4836a

  • SHA512

    68bf97fb2b685b5bbcd729b199bfc2f9a0bccdbbd30ea2d3c4cd93cf63437959a0469e73415d59b5bcbc760569eda27e4101dc7895637c6165f05ab0af3ebfde

  • SSDEEP

    24576:0MqYqSIKFeubKl99mF9wN6zOl8lB5RbMB1b0FThwrUYqsH/f7oALa9X+:VqYxFTW9w/RzC8H5WB1bAjYUALQX+

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

103.214.142.152:26264
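The extracted config gives one network indicator (the C2 endpoint) and the General section gives file hashes. The script below is an added example, not part of the tria.ge report, that turns those values into something an analyst can match on: it verifies a local file against the report's SHA256 set, scans log lines for connections to the C2, and emits a Suricata rule for the endpoint. The log format (`timestamp src:port -> dst:port`) and the log lines are constructed for the example; adapt `LOG_RE` to your own firewall or proxy format. The rule matches on IP and port only, because the report does not describe the wire protocol.

```python
"""Turn the indicators in this report into matchable artifacts.

Added example, not code from the report or from tria.ge. Hashes and the
C2 endpoint are copied from the report; the log lines and file contents
used below are constructed test data, not a real capture.
"""
import hashlib
import re

# Indicators copied from the report
SAMPLE_SHA256 = "a38c2f09dfc1e0b8d2bbc90cd734cda433079488ac3f8520535c51dfcdf4836a"
DROPPED_SHA256 = {
    "522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9",  # tmp2483.tmp
    "eab705a4e697fa8c54cdbe7df8d46c679df9878c327a003819bb2bf72d90919c",  # tmp24B8.tmp
}
KNOWN_SHA256 = {SAMPLE_SHA256} | DROPPED_SHA256
C2_HOST = "103.214.142.152"
C2_PORT = 26264


def hash_bytes(data: bytes) -> dict:
    """All four digests the report lists, so a local copy can be compared to it."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def matches_report(data: bytes) -> bool:
    """True if the bytes are the submitted sample or one of its dropped files.
    Match on the hash, not on the filename: the filename is an AV-scanner label."""
    return hash_bytes(data)["sha256"] in KNOWN_SHA256


# Constructed log format (assumption): "<timestamp> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)")


def find_c2_hits(lines):
    """Return (timestamp, source ip) for each line whose destination is the report's C2."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m["dst"] == C2_HOST and int(m["dport"]) == C2_PORT:
            hits.append((m["ts"], m["src"]))
    return hits


def suricata_rule(sid: int = 1000001) -> str:
    """IP:port rule for the C2. No content match: the report does not describe the protocol."""
    return (f"alert tcp $HOME_NET any -> {C2_HOST} {C2_PORT} "
            f'(msg:"RedLine/SectopRAT C2 {C2_HOST}:{C2_PORT} (tria.ge report)"; '
            f"flow:to_server; classtype:trojan-activity; sid:{sid}; rev:1;)")


# Constructed log lines (not a real capture); only the second one is the C2.
SAMPLE_LOG = [
    "2025-02-10T22:50:01Z 10.0.0.15:49812 -> 93.184.216.34:443",
    "2025-02-10T22:50:03Z 10.0.0.15:49813 -> 103.214.142.152:26264",
    "2025-02-10T22:50:04Z 10.0.0.15:49814 -> 103.214.142.152:443",
]

if __name__ == "__main__":
    print(find_c2_hits(SAMPLE_LOG))
    print(suricata_rule())
```

The third constructed line goes to the same host on port 443 and is deliberately not a hit: an IP-only match would fire on it, so decide consciously whether you want host-level or endpoint-level alerting before loosening the check.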

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Redline family
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 2 IoCs
  • Sectoprat family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other profile data.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
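Four of the signatures above (VirtualBox ACPI registry values, BIOS information in the registry, Wine registry keys, and Uninstall-key enumeration) are environment checks the sample makes before deciding whether to run. The script below is an added example, not the sample's code and not tria.ge's detection logic: it reproduces those checks against a registry snapshot so you can see which artifacts an analysis VM leaks. The report only names the checks; the key paths, the BIOS marker strings and the "fewer than 10 installed programs" threshold are assumptions based on how such checks are commonly written. The snapshot is a plain dict so the logic runs on any platform; on Windows, `snapshot_from_winreg()` fills one from the live registry.

```python
"""Reproduce the anti-VM / anti-sandbox registry checks flagged in the report.

Added example, not code from the sample or from tria.ge. Key paths,
marker strings and the subkey threshold are assumptions; the two
snapshots at the bottom are constructed test data.
"""
from dataclasses import dataclass, field

# Key paths are upper-cased with a hive prefix so lookups are case-insensitive.
ACPI_VBOX_KEYS = (
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__",
    r"HKLM\HARDWARE\ACPI\FADT\VBOX__",
    r"HKLM\HARDWARE\ACPI\RSDT\VBOX__",
)
BIOS_KEY = r"HKLM\HARDWARE\DESCRIPTION\SYSTEM"
BIOS_VALUES = ("SYSTEMBIOSVERSION", "VIDEOBIOSVERSION", "SYSTEMBIOSDATE")
BIOS_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "XEN")  # assumption
WINE_KEYS = (r"HKCU\SOFTWARE\WINE", r"HKLM\SOFTWARE\WINE")
UNINSTALL_KEY = r"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL"
MIN_INSTALLED_PROGRAMS = 10  # assumption: fewer looks like a freshly built sandbox


@dataclass
class RegistrySnapshot:
    keys: set = field(default_factory=set)      # existing key paths
    values: dict = field(default_factory=dict)  # key path -> {value name: data}

    def add_key(self, path, **values):
        path = path.upper()
        self.keys.add(path)
        self.values.setdefault(path, {}).update({k.upper(): v for k, v in values.items()})
        return self

    def has_key(self, path):
        return path.upper() in self.keys

    def value(self, path, name):
        return self.values.get(path.upper(), {}).get(name.upper())

    def subkey_count(self, path):
        prefix = path.upper() + "\\"
        return sum(1 for k in self.keys if k.startswith(prefix) and "\\" not in k[len(prefix):])


def sandbox_indicators(snap: RegistrySnapshot) -> list:
    """List the tells the sample's registry checks would find in this snapshot."""
    found = []
    for key in ACPI_VBOX_KEYS:
        if snap.has_key(key):
            found.append(f"virtualbox_acpi:{key}")
    for name in BIOS_VALUES:
        data = snap.value(BIOS_KEY, name)
        if data is None:
            continue
        text = " ".join(data) if isinstance(data, (list, tuple)) else str(data)  # REG_MULTI_SZ
        hits = [m for m in BIOS_MARKERS if m in text.upper()]
        if hits:
            found.append(f"bios_marker:{name}={hits[0]}")
    for key in WINE_KEYS:
        if snap.has_key(key):
            found.append(f"wine:{key}")
    if snap.has_key(UNINSTALL_KEY) and snap.subkey_count(UNINSTALL_KEY) < MIN_INSTALLED_PROGRAMS:
        found.append(f"few_installed_programs:{snap.subkey_count(UNINSTALL_KEY)}")
    return found


def snapshot_from_winreg() -> RegistrySnapshot:
    """Windows only: read just the keys the checks use from the live registry."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snap = RegistrySnapshot()
    for path in list(ACPI_VBOX_KEYS) + list(WINE_KEYS) + [BIOS_KEY, UNINSTALL_KEY]:
        hive, _, sub = path.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], sub) as k:
                snap.add_key(path)
                if path == BIOS_KEY:
                    for name in BIOS_VALUES:
                        try:
                            snap.add_key(path, **{name: winreg.QueryValueEx(k, name)[0]})
                        except OSError:
                            pass
                if path == UNINSTALL_KEY:
                    for i in range(winreg.QueryInfoKey(k)[0]):
                        snap.add_key(path + "\\" + winreg.EnumKey(k, i))
        except OSError:
            pass  # key absent: nothing for the check to find
    return snap


def vbox_like_snapshot() -> RegistrySnapshot:
    """Constructed: a stock VirtualBox guest with three programs installed."""
    snap = RegistrySnapshot().add_key(r"HKLM\HARDWARE\ACPI\DSDT\VBOX__")
    snap.add_key(BIOS_KEY, SystemBiosVersion=["VBOX   - 1"],
                 VideoBiosVersion=["Oracle VM VirtualBox Version 6.1.0"])
    snap.add_key(UNINSTALL_KEY)
    for i in range(3):
        snap.add_key(UNINSTALL_KEY + f"\\App{i}")
    return snap


def bare_metal_like_snapshot() -> RegistrySnapshot:
    """Constructed: a physical workstation with forty installed programs."""
    snap = RegistrySnapshot().add_key(BIOS_KEY, SystemBiosVersion=["DELL   - 1072009"],
                                      VideoBiosVersion=["Intel Video BIOS"])
    snap.add_key(UNINSTALL_KEY)
    for i in range(40):
        snap.add_key(UNINSTALL_KEY + f"\\{{Product-{i}}}")
    return snap


if __name__ == "__main__":
    print(sandbox_indicators(vbox_like_snapshot()))
    print(sandbox_indicators(bare_metal_like_snapshot()))
```

Running `sandbox_indicators(snapshot_from_winreg())` on your own Windows 7 analysis VM tells you which of these tells it exposes; each one found is a reason the sample may short-circuit before it ever reaches the C2, which matters when reading a "no network" result in a report like this one.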

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.12305.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.12305.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2424

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp2483.tmp

    Filesize

    46KB

    MD5

    02d2c46697e3714e49f46b680b9a6b83

    SHA1

    84f98b56d49f01e9b6b76a4e21accf64fd319140

    SHA256

    522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

    SHA512

    60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

  • C:\Users\Admin\AppData\Local\Temp\tmp24B8.tmp

    Filesize

    92KB

    MD5

    6d9ead954a1d55a4b7b9a23d96bb545e

    SHA1

    b55a31428681654b9bc4f428fc4c07fa7244760f

    SHA256

    eab705a4e697fa8c54cdbe7df8d46c679df9878c327a003819bb2bf72d90919c

    SHA512

    b9422f770aa156c13f63399aae96d750f273a6db7c9177b725660aa236a04ca7c4e3bf64d394de3a1f1ec2ad49b60528023aee37b7c195ed70073c049980a322

  • C:\Users\Admin\AppData\Local\Temp\tmp2A05.tmp

    Filesize

    21KB

    MD5

    b667576507cbfb0217aebc4ca620c42b

    SHA1

    140a93b108f7a899ca60cad3470540a4b9839da3

    SHA256

    a23d6f533e21b4ff4f612687dd1021e464a5d58d3aed18c2f094d115719fa7fa

    SHA512

    2997503a8317ce349ca12d727d5194de6faf5e30ad461010005c28cbfacf9cbc06c7bccd16781cf721db93ad35214a03e7cd7a5df453c98a22090e91e1d9debf

  • C:\Users\Admin\AppData\Local\Temp\tmp2A06.tmp

    Filesize

    18KB

    MD5

    3dd8d347972718a49206e03122543e42

    SHA1

    46d8cb094b821c8ac3dd5b09b6725823415e5e8b

    SHA256

    d9dcae95087e5a5f0dbd67ad893fbbfd16697a6a41594d625ce3b9e6d0f67a19

    SHA512

    6231097cb3b41adaab04df1288f746e8f8c1bac46a3e593d0c1825c09e50318e3bb7edd0850b8c294a92c5abf25d1560d0b5c252a5556403f2aea8d2d02a13c0

  • C:\Users\Admin\AppData\Local\Temp\tmp2A26.tmp

    Filesize

    17KB

    MD5

    6e15d56ac1e93a781e2191996082edd9

    SHA1

    1eb2a470a584b923977666e5dc24e52261c4e417

    SHA256

    e66dba7c64d93b519c4926fe287f512f849cf06a8b473a203e395d54c0ad55cb

    SHA512

    4001c79f6e5c9de44289e742a4d075ba2634188a4b10fc2bd2a024c781caf3075ea273e3011f54225bf08e4e921d8f9f1868a1c9a53c4a19a19efb85a0cf0eb6

  • C:\Users\Admin\AppData\Local\Temp\tmp2A4C.tmp

    Filesize

    12KB

    MD5

    a53658d3e36cc30144c956bd97f27e4b

    SHA1

    e5a77cc48f84ffbb1a22043945ee82e4b9f08ca8

    SHA256

    7c1d0f0b25d7924920e4628cfbd91b4e2086fe1fd57fb7c90514b0d0f499672f

    SHA512

    f8c792ac774ae2a3f1be6baf53df5887731827674d0964908ff7d9ec1acbcd08483ee1368aff03fe09ab7b7dbc0ba7695af22bdfd52c84e90c77d55a149aa1a6

  • C:\Users\Admin\AppData\Local\Temp\tmp2A60.tmp

    Filesize

    18KB

    MD5

    2bbddff61d884d3a465425f66963fd8a

    SHA1

    f56c7353aa70c971800b7597d316d4590bc4fa44

    SHA256

    d4c500c59efb66f0316cd1f6cc8f5522271434c1900847102041d1949fdb6026

    SHA512

    2ad364cac827261df282fe817b966ae7274b89e9395284c1149c93922dd3b411569e89db905cbacdacfd0c8d8d046b77ea8670bf983b4d470cff9873a939177f

  • C:\Users\Admin\AppData\Local\Temp\tmp2A71.tmp

    Filesize

    16KB

    MD5

    7422ef547348f1a21ee48ea804e4ca5f

    SHA1

    eda4582a984ec30d2c7b657977ee13ad44872c02

    SHA256

    11a63ef3da7ba3271368f665c46b07b006968a230645610aaac56e58deefe2ad

    SHA512

    7ecfc5ee48785b4f4717e3ae6d9c0729d67780227ce0ee751eb64857a7da15313252da757f0719238e7c69fc616ece4d0f0f4be9e5200f32b5f0357003de43b8

  • C:\Users\Admin\AppData\Local\Temp\tmp2A72.tmp

    Filesize

    19KB

    MD5

    624e23d35c94d8b01c82b1216a080e5c

    SHA1

    550505ba05178deb566f28a03f726e680de73680

    SHA256

    203accf3537c9a28946bfa63572c8ebfe93f9b86c5af9626d523ad3d696b631d

    SHA512

    1b29039a58523a68c4749e3efaee4f272f45358f14e2fcdd47dcfa418e8acec4773f5ca0b0d4c41566bc8665f21ba496601f86368f1b261a3ca02c7ac670ebb4

  • memory/2424-4-0x0000000000860000-0x0000000000CDE000-memory.dmp

    Filesize

    4.5MB

  • memory/2424-2-0x0000000000860000-0x0000000000CDE000-memory.dmp

    Filesize

    4.5MB

  • memory/2424-1-0x0000000000860000-0x0000000000CDE000-memory.dmp

    Filesize

    4.5MB

  • memory/2424-0-0x0000000000860000-0x0000000000CDE000-memory.dmp

    Filesize

    4.5MB