Analysis
- max time kernel: 140s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 10/02/2025, 22:49
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Win32.Evo-gen.12305.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Win32.Evo-gen.12305.exe
  Resource: win10v2004-20250207-en
General
- Target: SecuriteInfo.com.Win32.Evo-gen.12305.exe
- Size: 1.7MB
- MD5: 5937ca40bd9145c27e123daaa40b1266
- SHA1: 455fa1eec4efa958f29ec41f0e1bb9328ae0a2ab
- SHA256: a38c2f09dfc1e0b8d2bbc90cd734cda433079488ac3f8520535c51dfcdf4836a
- SHA512: 68bf97fb2b685b5bbcd729b199bfc2f9a0bccdbbd30ea2d3c4cd93cf63437959a0469e73415d59b5bcbc760569eda27e4101dc7895637c6165f05ab0af3ebfde
- SSDEEP: 24576:0MqYqSIKFeubKl99mF9wN6zOl8lB5RbMB1b0FThwrUYqsH/f7oALa9X+:VqYxFTW9w/RzC8H5WB1bAjYUALQX+
Malware Config
Extracted
- Family: redline
- Botnet: cheat
- C2: 103.214.142.152:26264
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Redline family
- SectopRAT payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/2424-1-0x0000000000860000-0x0000000000CDE000-memory.dmp | family_sectoprat
  behavioral1/memory/2424-2-0x0000000000860000-0x0000000000CDE000-memory.dmp | family_sectoprat
- Sectoprat family
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | SecuriteInfo.com.Win32.Evo-gen.12305.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | SecuriteInfo.com.Win32.Evo-gen.12305.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | SecuriteInfo.com.Win32.Evo-gen.12305.exe
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine | SecuriteInfo.com.Win32.Evo-gen.12305.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid | Process
  2424 | SecuriteInfo.com.Win32.Evo-gen.12305.exe
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SecuriteInfo.com.Win32.Evo-gen.12305.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | Process
  2424 | SecuriteInfo.com.Win32.Evo-gen.12305.exe
  2424 | SecuriteInfo.com.Win32.Evo-gen.12305.exe
  2424 | SecuriteInfo.com.Win32.Evo-gen.12305.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2424 | SecuriteInfo.com.Win32.Evo-gen.12305.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.12305.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.12305.exe"
  PID: 2424
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (2)
  - Credentials In Files (2)
Downloads
- Filesize: 46KB
  MD5: 02d2c46697e3714e49f46b680b9a6b83
  SHA1: 84f98b56d49f01e9b6b76a4e21accf64fd319140
  SHA256: 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
  SHA512: 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
- Filesize: 92KB
  MD5: 6d9ead954a1d55a4b7b9a23d96bb545e
  SHA1: b55a31428681654b9bc4f428fc4c07fa7244760f
  SHA256: eab705a4e697fa8c54cdbe7df8d46c679df9878c327a003819bb2bf72d90919c
  SHA512: b9422f770aa156c13f63399aae96d750f273a6db7c9177b725660aa236a04ca7c4e3bf64d394de3a1f1ec2ad49b60528023aee37b7c195ed70073c049980a322
- Filesize: 21KB
  MD5: b667576507cbfb0217aebc4ca620c42b
  SHA1: 140a93b108f7a899ca60cad3470540a4b9839da3
  SHA256: a23d6f533e21b4ff4f612687dd1021e464a5d58d3aed18c2f094d115719fa7fa
  SHA512: 2997503a8317ce349ca12d727d5194de6faf5e30ad461010005c28cbfacf9cbc06c7bccd16781cf721db93ad35214a03e7cd7a5df453c98a22090e91e1d9debf
- Filesize: 18KB
  MD5: 3dd8d347972718a49206e03122543e42
  SHA1: 46d8cb094b821c8ac3dd5b09b6725823415e5e8b
  SHA256: d9dcae95087e5a5f0dbd67ad893fbbfd16697a6a41594d625ce3b9e6d0f67a19
  SHA512: 6231097cb3b41adaab04df1288f746e8f8c1bac46a3e593d0c1825c09e50318e3bb7edd0850b8c294a92c5abf25d1560d0b5c252a5556403f2aea8d2d02a13c0
- Filesize: 17KB
  MD5: 6e15d56ac1e93a781e2191996082edd9
  SHA1: 1eb2a470a584b923977666e5dc24e52261c4e417
  SHA256: e66dba7c64d93b519c4926fe287f512f849cf06a8b473a203e395d54c0ad55cb
  SHA512: 4001c79f6e5c9de44289e742a4d075ba2634188a4b10fc2bd2a024c781caf3075ea273e3011f54225bf08e4e921d8f9f1868a1c9a53c4a19a19efb85a0cf0eb6
- Filesize: 12KB
  MD5: a53658d3e36cc30144c956bd97f27e4b
  SHA1: e5a77cc48f84ffbb1a22043945ee82e4b9f08ca8
  SHA256: 7c1d0f0b25d7924920e4628cfbd91b4e2086fe1fd57fb7c90514b0d0f499672f
  SHA512: f8c792ac774ae2a3f1be6baf53df5887731827674d0964908ff7d9ec1acbcd08483ee1368aff03fe09ab7b7dbc0ba7695af22bdfd52c84e90c77d55a149aa1a6
- Filesize: 18KB
  MD5: 2bbddff61d884d3a465425f66963fd8a
  SHA1: f56c7353aa70c971800b7597d316d4590bc4fa44
  SHA256: d4c500c59efb66f0316cd1f6cc8f5522271434c1900847102041d1949fdb6026
  SHA512: 2ad364cac827261df282fe817b966ae7274b89e9395284c1149c93922dd3b411569e89db905cbacdacfd0c8d8d046b77ea8670bf983b4d470cff9873a939177f
- Filesize: 16KB
  MD5: 7422ef547348f1a21ee48ea804e4ca5f
  SHA1: eda4582a984ec30d2c7b657977ee13ad44872c02
  SHA256: 11a63ef3da7ba3271368f665c46b07b006968a230645610aaac56e58deefe2ad
  SHA512: 7ecfc5ee48785b4f4717e3ae6d9c0729d67780227ce0ee751eb64857a7da15313252da757f0719238e7c69fc616ece4d0f0f4be9e5200f32b5f0357003de43b8
- Filesize: 19KB
  MD5: 624e23d35c94d8b01c82b1216a080e5c
  SHA1: 550505ba05178deb566f28a03f726e680de73680
  SHA256: 203accf3537c9a28946bfa63572c8ebfe93f9b86c5af9626d523ad3d696b631d
  SHA512: 1b29039a58523a68c4749e3efaee4f272f45358f14e2fcdd47dcfa418e8acec4773f5ca0b0d4c41566bc8665f21ba496601f86368f1b261a3ca02c7ac670ebb4