Analysis
- max time kernel: 125s
- max time network: 132s
- platform: windows10_x64
- resource: win10
- submitted: 01-08-2020 19:31
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe
  Resource: win10
General
- Target: SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe
- Size: 729KB
- MD5: 532524e6b61b197d92f3bd4ed3331d3d
- SHA1: f1009c96203862812cefa14e186dcff610ccc634
- SHA256: 3e3ab416abadd9093b15f9dcce92f3530709aba8addff16a74e89bd3a7bfd8fd
- SHA512: 5b83ef335563332bb62445ce0d180db0544b793a88b60efb122c990bfe5c00f6bbe5ed5e0437bf59415b989d85f85060434d6aa7b4c1a465672298c142079e03
Malware Config
Signatures
- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    3700  368         WerFault.exe  OfficeClickToRun.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes:
    pid   process
    3524  SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe
    368   OfficeClickToRun.exe
    3700  WerFault.exe (14 identical entries)
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (each entry is recorded twice in the report):
    description                       pid   process                                                    target process
    PID 3524 wrote to memory of 3600  3524  SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe  schtasks.exe
    PID 3524 wrote to memory of 4004  3524  SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe  schtasks.exe
    PID 3524 wrote to memory of 424   3524  SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe  schtasks.exe
    PID 3524 wrote to memory of 3060  3524  SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe  schtasks.exe
    PID 3524 wrote to memory of 556   3524  SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe  schtasks.exe
    PID 3524 wrote to memory of 816   3524  SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe  schtasks.exe
    PID 3524 wrote to memory of 368   3524  SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe  OfficeClickToRun.exe
- Executes dropped EXE (1 IoC)
  Processes:
    pid  process
    368  OfficeClickToRun.exe
- Creates scheduled task(s) (1 TTP, 6 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
    pid   process
    3600  schtasks.exe
    4004  schtasks.exe
    424   schtasks.exe
    3060  schtasks.exe
    556   schtasks.exe
    816   schtasks.exe
- Drops file in Program Files directory (4 IoCs)
  Processes:
    description   ioc                                                                                                                               process
    File created  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\9cd96063a4b7200751962b993f6669af37511c85         SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe
    File created  C:\Program Files (x86)\Windows Mail\svchost.exe                                                                                  SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe
    File created  C:\Program Files (x86)\Windows Mail\f4d236fdec2fd03914189c3b26e5cb0dfea9d761                                                     SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe
    File created  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe  SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
    description   ioc                                                                process
    File created  C:\Windows\appcompat\svchost.exe                                  SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe
    File created  C:\Windows\appcompat\f4d236fdec2fd03914189c3b26e5cb0dfea9d761     SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  3524  SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe
    Token: SeDebugPrivilege  368   OfficeClickToRun.exe
    Token: SeDebugPrivilege  3700  WerFault.exe
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes:
    description           pid   process       target process
    PID 3700 created 368  3700  WerFault.exe  OfficeClickToRun.exe
- ServiceHost packer (14 IoCs)
  Detects ServiceHost packer used for .NET malware
  Processes:
    resource                                                  yara_rule
    behavioral2/memory/368-12-0x0000000000000000-mapping.dmp  servicehost
    behavioral2/memory/368-13-0x0000000000000000-mapping.dmp  servicehost
    behavioral2/memory/368-14-0x0000000000000000-mapping.dmp  servicehost
    behavioral2/memory/368-16-0x0000000000000000-mapping.dmp  servicehost
    behavioral2/memory/368-15-0x0000000000000000-mapping.dmp  servicehost
    behavioral2/memory/368-17-0x0000000000000000-mapping.dmp  servicehost
    behavioral2/memory/368-18-0x0000000000000000-mapping.dmp  servicehost
    behavioral2/memory/368-19-0x0000000000000000-mapping.dmp  servicehost
    behavioral2/memory/368-20-0x0000000000000000-mapping.dmp  servicehost
    behavioral2/memory/368-21-0x0000000000000000-mapping.dmp  servicehost
    behavioral2/memory/368-22-0x0000000000000000-mapping.dmp  servicehost
    behavioral2/memory/368-23-0x0000000000000000-mapping.dmp  servicehost
    behavioral2/memory/368-24-0x0000000000000000-mapping.dmp  servicehost
    behavioral2/memory/368-25-0x0000000000000000-mapping.dmp  servicehost
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\odt\svchost.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\SendTo\RuntimeBroker.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\svchost.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Windows\appcompat\svchost.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\odt\OfficeClickToRun.exe
    Command line: "C:\odt\OfficeClickToRun.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 368 -s 1476
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of NtCreateProcessExOtherParentProcess
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\odt\OfficeClickToRun.exe
- C:\odt\OfficeClickToRun.exe
- memory/368-13-0x0000000000000000-mapping.dmp
- memory/368-6-0x0000000000000000-mapping.dmp
- memory/368-16-0x0000000000000000-mapping.dmp
- memory/368-25-0x0000000000000000-mapping.dmp
- memory/368-15-0x0000000000000000-mapping.dmp
- memory/368-24-0x0000000000000000-mapping.dmp
- memory/368-23-0x0000000000000000-mapping.dmp
- memory/368-17-0x0000000000000000-mapping.dmp
- memory/368-22-0x0000000000000000-mapping.dmp
- memory/368-12-0x0000000000000000-mapping.dmp
- memory/368-21-0x0000000000000000-mapping.dmp
- memory/368-14-0x0000000000000000-mapping.dmp
- memory/368-20-0x0000000000000000-mapping.dmp
- memory/368-19-0x0000000000000000-mapping.dmp
- memory/368-18-0x0000000000000000-mapping.dmp
- memory/424-2-0x0000000000000000-mapping.dmp
- memory/556-4-0x0000000000000000-mapping.dmp
- memory/816-5-0x0000000000000000-mapping.dmp
- memory/3060-3-0x0000000000000000-mapping.dmp
- memory/3600-0-0x0000000000000000-mapping.dmp
- memory/3700-9-0x00000252BE140000-0x00000252BE141000-memory.dmp (Filesize: 4KB)
- memory/3700-10-0x00000252BE140000-0x00000252BE141000-memory.dmp (Filesize: 4KB)
- memory/3700-26-0x00000252BEFB0000-0x00000252BEFB1000-memory.dmp (Filesize: 4KB)
- memory/3700-27-0x00000252BEFB0000-0x00000252BEFB1000-memory.dmp (Filesize: 4KB)
- memory/4004-1-0x0000000000000000-mapping.dmp