Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Cooperbuild34.exe

windows7-x64

10

Cooperbuild34.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    103s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/03/2025, 13:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Cooperbuild34.exe

  • Size

    7.0MB

  • MD5

    556555f19852e8685dc8d465ef09b815

  • SHA1

    3e1e81c632d97922df7b23ca6f4d1c2eaab303ea

  • SHA256

    18cdbd760961bbe45ab6dac098badab8556e5c28cd24744c58f84eb3255da992

  • SHA512

    0e8e7e3829651c49b518adb2d8e85821bc721412376988d7ec441e40711bf016077e32a31f9e5f82ae55d40a08b5a1f5429906b00c751afd8a961e9a83b702bd

  • SSDEEP

    196608:bMbuV25DeTD+oqzukSIlLtIY79n8SI75bWAXAkuujCPX9YG9he5GnQCAJKNc:8A403qakSoR7tfI7ZtXADu8X9Y95GQLJ

Score
10/10
stealeriumstealer

Malware Config

Extracted

Family

stealerium

C2

https://api.telegram.org/bot1616004787:AAH60oNqVa82nffKp0gB2yn5A_jmiTy0_XY/sendMessage?chat_id=

Signatures

  • Stealerium

    An open source info stealer written in C# first seen in May 2022.

    stealerstealerium
  • Stealerium family
    stealerium
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Kills process with taskkill 1 IoCs
    defense_evasion
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Cooperbuild34.exe
    "C:\Users\Admin\AppData\Local\Temp\Cooperbuild34.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4372
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e3d0bdf8-c626-406c-8d93-c21ea4ef4bf3.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:764
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:208
        • C:\Windows\system32\taskkill.exe
          taskkill /F /PID 4372
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4100
        • C:\Windows\system32\timeout.exe
          timeout /T 2 /NOBREAK
          3⤵
          • Delays execution with timeout.exe
          PID:2816

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\e3d0bdf8-c626-406c-8d93-c21ea4ef4bf3.bat
      Filesize

      152B

      MD5

      b9fe333a3923d09bcc502f08edec936e

      SHA1

      d260213d73ad12573b4f60ac79fdd506dd99a6ae

      SHA256

      bbdfdfd6f277e18e73fd9026917ca535fe53fd6f842b1c82fcf764eb9127f7a6

      SHA512

      b370057cb0726be9260d9605b191bb558dacbbf289be68cbfac8bdcd68c4efb2e40d5f455e4c83f4eb9ea30e5a0326052a658466c4543a6b87813386596a5908

      Download Submit

    • memory/4372-0-0x00007FFF4DC63000-0x00007FFF4DC65000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4372-1-0x000001AAABE20000-0x000001AAAC52E000-memory.dmp

      Filesize

      7.1MB

      Download

    • memory/4372-2-0x00007FFF4DC60000-0x00007FFF4E721000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4372-7-0x00007FFF4DC60000-0x00007FFF4E721000-memory.dmp

      Filesize

      10.8MB

      Download