Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Cooperbuild34.exe

windows7-x64

10

Cooperbuild34.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    105s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/03/2025, 13:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Cooperbuild34.exe

  • Size

    7.0MB

  • MD5

    556555f19852e8685dc8d465ef09b815

  • SHA1

    3e1e81c632d97922df7b23ca6f4d1c2eaab303ea

  • SHA256

    18cdbd760961bbe45ab6dac098badab8556e5c28cd24744c58f84eb3255da992

  • SHA512

    0e8e7e3829651c49b518adb2d8e85821bc721412376988d7ec441e40711bf016077e32a31f9e5f82ae55d40a08b5a1f5429906b00c751afd8a961e9a83b702bd

  • SSDEEP

    196608:bMbuV25DeTD+oqzukSIlLtIY79n8SI75bWAXAkuujCPX9YG9he5GnQCAJKNc:8A403qakSoR7tfI7ZtXADu8X9Y95GQLJ

Score
10/10
stealeriumstealer

Malware Config

Extracted

Family

stealerium

C2

https://api.telegram.org/bot1616004787:AAH60oNqVa82nffKp0gB2yn5A_jmiTy0_XY/sendMessage?chat_id=

Signatures

  • Stealerium

    An open source info stealer written in C# first seen in May 2022.

    stealerstealerium
  • Stealerium family
    stealerium
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Kills process with taskkill 1 IoCs
    defense_evasion
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Cooperbuild34.exe
    "C:\Users\Admin\AppData\Local\Temp\Cooperbuild34.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4828
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9c86b95a-a76d-4dd6-8a4b-63d2106be58f.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5820
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:1328
        • C:\Windows\system32\taskkill.exe
          taskkill /F /PID 4828
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2804
        • C:\Windows\system32\timeout.exe
          timeout /T 2 /NOBREAK
          3⤵
          • Delays execution with timeout.exe
          PID:3912

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\9c86b95a-a76d-4dd6-8a4b-63d2106be58f.bat
      Filesize

      152B

      MD5

      5177fd1761d42d1aad35da64c355db37

      SHA1

      b48c8785f43f65425d2d0d1b825ad497c1bb0703

      SHA256

      b5137698e167e822092c3929918964f72a79f8ef5fc2e65afa3341df1a8f33d7

      SHA512

      31e83191f4334b97ba468b6e6785c28994cd3b51d504ed1d122cd691c5a07b4d10e3fd9ddcef95d54237d11ad93fbc2dcb932365b20e1e2161d8f3ce04a170f1

      Download Submit

    • memory/4828-0-0x00007FFFDCDE3000-0x00007FFFDCDE5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4828-1-0x0000012F43D40000-0x0000012F4444E000-memory.dmp

      Filesize

      7.1MB

      Download

    • memory/4828-2-0x00007FFFDCDE0000-0x00007FFFDD8A1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4828-7-0x00007FFFDCDE0000-0x00007FFFDD8A1000-memory.dmp

      Filesize

      10.8MB

      Download