
Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/02/2025, 17:58

General

  • Target

    filw.exe

  • Size

    6.1MB

  • MD5

    a5dc5dfb3d20c67a35c1ee67e010fc7b

  • SHA1

    94694b8cf4d9558014f78037e1fd6fcfe4ddd4e3

  • SHA256

    1d810a842c4a71e7490f0a88bb9b0d3c82b084147e73fb2e4ef3c32456055d04

  • SHA512

    e8c552eff3537974ef552cf500f7c1060c5bff409fdc8ff34f98544f27afa86fb15edd0930a3b9a699977c452c2115697354772d1b4e0f095744cf7491cc9a48

  • SSDEEP

    196608:RaiSkSIlLTUcwti7TQl2NgVg01MWAXAkuujCPX9YG9he5GnQCAJKN:QkSopwtQQl2aOtXADu8X9Y95GQLJ

Score
10/10

Malware Config

Extracted

Family

stealerium

C2

https://api.telegram.org/bot7043342993:AAH3tTE7nerxLSr5-SkYKVrmJwCoBBaGRCU/sendMessage?chat_id=

Attributes

Signatures

  • Stealerium

    An open source info stealer written in C# first seen in May 2022.

  • Stealerium family
  • Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 5 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe (1 IoCs)
  • Kills process with taskkill (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\filw.exe
    "C:\Users\Admin\AppData\Local\Temp\filw.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5681d309-672c-4f50-83d9-c8c5651b87d7.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:880
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2480
        • C:\Windows\system32\taskkill.exe
          taskkill /F /PID 2324
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2020
        • C:\Windows\system32\timeout.exe
          timeout /T 2 /NOBREAK
          3⤵
          • Delays execution with timeout.exe
          PID:1640

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\5681d309-672c-4f50-83d9-c8c5651b87d7.bat

      Filesize

      152B

      MD5

      94139215c385547f7b71e2af1067bef6

      SHA1

      a17f70dfd8de566f9e74501855aeb3dce288b3f3

      SHA256

      9282bd493fd011203a179672e198488b075b90da31fc67d40a0b49643563ebe5

      SHA512

      ae909325cd61a444c7228a5d6f187f7e93af637212202c10ce263f19442544fa2c49a03467343774f1e5137727a68837cbe5a22f2807057d49f643dc5ae0b15a

    • C:\Users\Admin\AppData\Local\Temp\CabEEB4.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\TarEEC7.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • memory/2324-0-0x000007FEF5E03000-0x000007FEF5E04000-memory.dmp

      Filesize

      4KB

    • memory/2324-1-0x0000000000A50000-0x0000000001068000-memory.dmp

      Filesize

      6.1MB

    • memory/2324-2-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

      Filesize

      9.9MB

    • memory/2324-134-0x000007FEF5E03000-0x000007FEF5E04000-memory.dmp

      Filesize

      4KB

    • memory/2324-135-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

      Filesize

      9.9MB

    • memory/2324-263-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

      Filesize

      9.9MB