Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

18cdbd7609...92.exe

windows7-x64

10

18cdbd7609...92.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    104s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/03/2025, 02:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    18cdbd760961bbe45ab6dac098badab8556e5c28cd24744c58f84eb3255da992.exe

  • Size

    7.0MB

  • MD5

    556555f19852e8685dc8d465ef09b815

  • SHA1

    3e1e81c632d97922df7b23ca6f4d1c2eaab303ea

  • SHA256

    18cdbd760961bbe45ab6dac098badab8556e5c28cd24744c58f84eb3255da992

  • SHA512

    0e8e7e3829651c49b518adb2d8e85821bc721412376988d7ec441e40711bf016077e32a31f9e5f82ae55d40a08b5a1f5429906b00c751afd8a961e9a83b702bd

  • SSDEEP

    196608:bMbuV25DeTD+oqzukSIlLtIY79n8SI75bWAXAkuujCPX9YG9he5GnQCAJKNc:8A403qakSoR7tfI7ZtXADu8X9Y95GQLJ

Score
10/10
stealeriumstealer

Malware Config

Extracted

Family

stealerium

C2

https://api.telegram.org/bot1616004787:AAH60oNqVa82nffKp0gB2yn5A_jmiTy0_XY/sendMessage?chat_id=

Signatures

  • Stealerium

    An open source info stealer written in C# first seen in May 2022.

    stealerstealerium
  • Stealerium family
    stealerium
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Kills process with taskkill 1 IoCs
    defense_evasion
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18cdbd760961bbe45ab6dac098badab8556e5c28cd24744c58f84eb3255da992.exe
    "C:\Users\Admin\AppData\Local\Temp\18cdbd760961bbe45ab6dac098badab8556e5c28cd24744c58f84eb3255da992.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4432
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\272f551f-b9c5-49c7-9d83-a98326ffca33.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5048
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:1596
        • C:\Windows\system32\taskkill.exe
          taskkill /F /PID 4432
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3620
        • C:\Windows\system32\timeout.exe
          timeout /T 2 /NOBREAK
          3⤵
          • Delays execution with timeout.exe
          PID:2708

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\272f551f-b9c5-49c7-9d83-a98326ffca33.bat
      Filesize

      152B

      MD5

      69b16da13a19e1fd47d785d3e8e4f5fb

      SHA1

      f56be91653b5cd02c66cde01f15dc988e2fe5b1c

      SHA256

      43b7b6b0687b9564593a8b0bff127122bad8c17acd8738d3d86330eb2d3e570a

      SHA512

      0ebbad89efaab2b902e244a088b1f891b1fc6f99c9f36c8caeea0f103fcb53157783abac66bb793a010770a9860fdd804237faae3222b4d13d14ac301ea07730

      Download Submit

    • memory/4432-0-0x00007FFB5CB53000-0x00007FFB5CB55000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4432-1-0x0000023C12570000-0x0000023C12C7E000-memory.dmp

      Filesize

      7.1MB

      Download

    • memory/4432-2-0x00007FFB5CB50000-0x00007FFB5D611000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4432-7-0x00007FFB5CB50000-0x00007FFB5D611000-memory.dmp

      Filesize

      10.8MB

      Download