Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/01/2025, 00:09
Behavioral tasks
- behavioral1: Stealerium/Stealerium.exe on win7-20240903-en
- behavioral2: Stealerium/Stealerium.exe on win10v2004-20241007-en
- behavioral3: Stealerium/install.bat on win7-20241010-en
- behavioral4: Stealerium/install.bat on win10v2004-20241007-en
- behavioral5: Stealerium/install_python.bat on win7-20240708-en
General
- Target: Stealerium/install_python.bat
- Size: 687B
- MD5: 821f007d1c56bb3f4511bab928ce8f63
- SHA1: a22b0d76f5ef0e145629dded82e195486675774a
- SHA256: 434f9d4a2a7a5088aa393b47ad8e957a15481cd3078f10b3c0f7ec6fe5f497c2
- SHA512: f1db8db20e25d8d06828ead22e70a28411bf32faa7dd14816ef833efe548a046e9383cb51aa100d49555f2cc9c1f74bf10aef871a0e6724da5f96c690770dd4d
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  flow 5, pid 2864, powershell.exe
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (python-installer.exe)
- Executes dropped EXE (3 IoCs)
  pid 4168 python-installer.exe; pid 3824 python-installer.exe; pid 1468 python-3.10.9-amd64.exe
- Loads dropped DLL (1 IoC)
  pid 3824 python-installer.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (python-installer.exe, twice; python-3.10.9-amd64.exe, once)
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters (vssvc.exe)
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters (vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
  Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e3c1c56297b3270b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e3c1c5620000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e3c1c562000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de3c1c562000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e3c1c56200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
  Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2864 powershell.exe (twice)
- Suspicious use of AdjustPrivilegeToken (12 IoCs)
  powershell.exe (pid 2864): SeDebugPrivilege
  vssvc.exe (pid 1644): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  srtasks.exe (pid 4940): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege (each adjusted twice)
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 3824 python-installer.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  cmd.exe (pid 2524) wrote to memory of pid 4524, target 83 (twice)
  cmd.exe (pid 4524) wrote to memory of pid 2864, target 84 (twice)
  cmd.exe (pid 2524) wrote to memory of pid 2544, target 85 (twice)
  cmd.exe (pid 2524) wrote to memory of pid 4168, target 94 (three times)
  python-installer.exe (pid 4168) wrote to memory of pid 3824, target 95 (three times)
  python-installer.exe (pid 3824) wrote to memory of pid 1468, target 96 (three times)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.

Note on attribution: the SCSI registry IoCs and most of the privilege-token IoCs belong to vssvc.exe (pid 1644) and srtasks.exe (pid 4940), not to any process started by install_python.bat. vssvc.exe is the Volume Shadow Copy service and srtasks.exe ExecuteScopeRestorePoint is the System Restore task host; both run when an installer asks Windows to create a restore point, which is consistent with the Python installer executing in this trace. Likewise the Geo\Nation and NLS\Language reads are made by the Python installer processes (pids 3824 and 1468), not by the batch file. The sample-specific behaviour in this task is the download-and-execute chain under cmd.exe (pid 2524): a PowerShell web request to python.org, a curl download of an executable, and silent execution of that executable from the user's Temp directory.
Processes
Read top-down, the tree is a staging step: cmd.exe runs install_python.bat, which queries python.org for the newest 3.10.x release via PowerShell, fetches python-3.10.9-amd64.exe with curl, and runs the installer silently for the current user with pip included and PrependPath=1.

- C:\Windows\system32\cmd.exe (PID 2524)
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Stealerium\install_python.bat"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 4524)
    command line: C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2864)
      command line: powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
      signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\curl.exe (PID 2544)
    command line: curl -L -o python-installer.exe https://www.python.org/ftp/python/3.10.9/python-3.10.9-amd64.exe
  - C:\Users\Admin\AppData\Local\Temp\Stealerium\python-installer.exe (PID 4168)
    command line: python-installer.exe /quiet /passive InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
    signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\Temp\{20AA212D-1E14-435C-A1B7-CB22EF261A78}\.cr\python-installer.exe (PID 3824)
      command line: "C:\Windows\Temp\{20AA212D-1E14-435C-A1B7-CB22EF261A78}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\Stealerium\python-installer.exe" -burn.filehandle.attached=560 -burn.filehandle.self=556 /quiet /passive InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
      signatures: Checks computer location settings; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
      - C:\Windows\Temp\{FEF74E6D-4A5D-4259-A427-91E35E0C12FE}\.be\python-3.10.9-amd64.exe (PID 1468)
        command line: "C:\Windows\Temp\{FEF74E6D-4A5D-4259-A427-91E35E0C12FE}\.be\python-3.10.9-amd64.exe" -q -burn.elevated BurnPipe.{3EE3F4F8-A199-4BAA-9D42-116ABE4524F6} {8A331752-D324-4C7D-9C68-C14D1CD21A36} 3824
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- C:\Windows\system32\vssvc.exe (PID 1644)
  command line: C:\Windows\system32\vssvc.exe
  signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\srtasks.exe (PID 4940)
  command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  signatures: Suspicious use of AdjustPrivilegeToken
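The following Python script is an added example, not part of the tria.ge report or of the Stealerium project. It rebuilds the process lineage above from hand-constructed records (PIDs, images and command lines copied from the tree; the longest command lines are cut with "...") and runs the detection logic an analyst would want for this chain: a PowerShell process that makes a web request, a command-line downloader writing an executable, and execution of an executable out of a Temp directory, tied together into one download-and-execute finding per process subtree. The record shape (pid, ppid, image, cmdline), the rule names and the regexes are this example's own assumptions, not a tria.ge export format; the rules are written slightly wider than this one trace (pwsh, certutil and bitsadmin are covered too).

```python
"""Rebuild a process tree from (pid, ppid, image, cmdline) records and flag
the download-and-execute chain.  Added example; EVENTS is constructed by
hand from the report's process tree and is not a tria.ge export."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    children: List["Proc"] = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()

    def walk(self) -> Iterator["Proc"]:
        yield self
        for child in self.children:
            yield from child.walk()


# Constructed from the report's process tree; PIDs are the ones shown there.
EVENTS: List[Tuple[int, Optional[int], str, str]] = [
    (2524, None, r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Stealerium\install_python.bat"'),
    (4524, 2524, r"C:\Windows\system32\cmd.exe",
     r'''C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | ... | Select-Object -First 1"'''),
    (2864, 4524, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'''powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | ... | Select-Object -First 1"'''),
    (2544, 2524, r"C:\Windows\system32\curl.exe",
     r"curl -L -o python-installer.exe https://www.python.org/ftp/python/3.10.9/python-3.10.9-amd64.exe"),
    (4168, 2524, r"C:\Users\Admin\AppData\Local\Temp\Stealerium\python-installer.exe",
     r"python-installer.exe /quiet /passive InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0"),
    (3824, 4168, r"C:\Windows\Temp\{20AA212D-1E14-435C-A1B7-CB22EF261A78}\.cr\python-installer.exe",
     r'''"C:\Windows\Temp\{20AA212D-1E14-435C-A1B7-CB22EF261A78}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\Stealerium\python-installer.exe" ... /quiet /passive InstallAllUsers=0 PrependPath=1'''),
    (1468, 3824, r"C:\Windows\Temp\{FEF74E6D-4A5D-4259-A427-91E35E0C12FE}\.be\python-3.10.9-amd64.exe",
     r'''"C:\Windows\Temp\{FEF74E6D-4A5D-4259-A427-91E35E0C12FE}\.be\python-3.10.9-amd64.exe" -q -burn.elevated BurnPipe.{3EE3F4F8-A199-4BAA-9D42-116ABE4524F6} {8A331752-D324-4C7D-9C68-C14D1CD21A36} 3824'''),
    (1644, None, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    (4940, None, r"C:\Windows\system32\srtasks.exe",
     r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"),
]


def build_tree(events: List[Tuple[int, Optional[int], str, str]]) -> List[Proc]:
    """Link records into parent/child trees; anything without a parent in the
    set (here vssvc.exe and srtasks.exe) becomes a root."""
    procs = {pid: Proc(pid, ppid, image, cmd) for pid, ppid, image, cmd in events}
    roots: List[Proc] = []
    for p in procs.values():
        parent = procs.get(p.ppid) if p.ppid is not None else None
        (parent.children if parent else roots).append(p)
    return roots


WEB_FETCH = re.compile(r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Net\.WebClient", re.I)
URL = re.compile(r"https?://\S+", re.I)
TEMP_DIR = re.compile(r"\\(Users\\[^\\]+\\AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
SILENT = re.compile(r"(?:^|\s)/(?:quiet|passive|qn|s)\b", re.I)
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe"}


def rules_for(p: Proc) -> List[str]:
    """Per-process rules.  Each keys on the process that performs the act,
    so cmd.exe (PID 4524) is not flagged merely for quoting Invoke-WebRequest."""
    hits: List[str] = []
    if p.name in ("powershell.exe", "pwsh.exe") and WEB_FETCH.search(p.cmdline):
        hits.append("powershell_web_request")
    if p.name in DOWNLOADERS and URL.search(p.cmdline) and re.search(r"\.exe\b", p.cmdline, re.I):
        hits.append("cli_download_of_executable")
    if TEMP_DIR.search(p.image):
        hits.append("exec_from_temp_dir")
        if SILENT.search(p.cmdline):
            hits.append("silent_install_from_temp")
    return hits


def evaluate(roots: List[Proc]) -> Dict[str, object]:
    """Rule hits per PID, plus one lineage finding for each root whose subtree
    both fetches from the web and runs an executable out of a Temp directory."""
    per_process: Dict[int, List[str]] = {}
    chains: List[Dict[str, object]] = []
    for root in roots:
        fetch: List[int] = []
        execs: List[int] = []
        for p in root.walk():
            hits = rules_for(p)
            if hits:
                per_process[p.pid] = hits
            if "powershell_web_request" in hits or "cli_download_of_executable" in hits:
                fetch.append(p.pid)
            if "exec_from_temp_dir" in hits:
                execs.append(p.pid)
        if fetch and execs:
            chains.append({"root": root.pid, "fetch": fetch, "exec": execs})
    return {"per_process": per_process, "download_and_execute": chains}


def render(roots: List[Proc], hits: Dict[int, List[str]]) -> str:
    """Indented tree with the rule hits printed beside each flagged process."""
    lines: List[str] = []

    def rec(p: Proc, depth: int) -> None:
        tag = f"  [{', '.join(hits[p.pid])}]" if p.pid in hits else ""
        lines.append(f"{'  ' * depth}{p.name} (PID {p.pid}){tag}")
        for child in p.children:
            rec(child, depth + 1)

    for root in roots:
        rec(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    tree = build_tree(EVENTS)
    report = evaluate(tree)
    print(render(tree, report["per_process"]))
    for chain in report["download_and_execute"]:
        print(f"download-and-execute chain under PID {chain['root']}: fetch={chain['fetch']} exec={chain['exec']}")
```

Two design points worth noting. The PowerShell rule fires on PID 2864 and not on its parent cmd.exe (PID 4524), even though the parent's command line also contains Invoke-WebRequest; keying on the process that actually performs the action is how the report itself attributes "Blocklisted process makes network request" to 2864. And the chain finding is computed per root, so vssvc.exe and srtasks.exe, which are roots of their own with no hits, stay out of the finding rather than being pulled in by co-occurrence in the same sandbox run.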
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 27.6MB
  MD5: dce578fe177892488cadb6c34aea58ee
  SHA1: e562807ddd0bc8366d936ce72684ce2b6630e297
  SHA256: b8c707fb7a3a80f49af5a51c94f428525a3ad4331c7b9e3b2e321caf5cb56d7d
  SHA512: 8858aa7e82ca8cf559eeb25c14d86d24637a86e64c8db7465c99d05558ce3c67cea18d68abdfbe3df08cdbedfca5f819aa7fd8e57beae2054a7f7a8a64c04b41
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 849KB
  MD5: d988448411dc7548332378f7f61508a4
  SHA1: 34989539914256ea9f6d691236039d806be6f7ca
  SHA256: ae5f3d9aaf871d4cf62b3106a7babb66a5c52fdf5ea9b93467c45bd047319c66
  SHA512: eb631c340bebb6ce3a6100383fe5e5bd8d2b700ca2c9cd07c1bff4decb8b72a9223596786ef0e8040097135765d7af479f3bfa10957abba32143fc9c9b51ce97
- Filesize: 650KB
  MD5: 64d1e3b44bfce17b6a43e9ca200bfaa2
  SHA1: 2617a95208a578c63653b76506b27e36a1ee6bba
  SHA256: c016025b6e3c1335eef8f544cb88a948d7c785fd5247b994c8ec91a4fce5f899
  SHA512: 002fcb10e7aec037eee5acdbdc20719f10147917330f769943e4342d99a9596df5f09c039be5a8daa871062bf4c7263ae4d6582f971ced570c85abcbea87cc77
- Filesize: 50KB
  MD5: 888eb713a0095756252058c9727e088a
  SHA1: c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4
  SHA256: 79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067
  SHA512: 7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0