3e3ab416abadd9093b15f9dcce92f3530709aba8addff16a74e89bd3a7bfd8fd

General

Target

SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe
Size

729KB
MD5

532524e6b61b197d92f3bd4ed3331d3d
SHA1

f1009c96203862812cefa14e186dcff610ccc634
SHA256

3e3ab416abadd9093b15f9dcce92f3530709aba8addff16a74e89bd3a7bfd8fd
SHA512

5b83ef335563332bb62445ce0d180db0544b793a88b60efb122c990bfe5c00f6bbe5ed5e0437bf59415b989d85f85060434d6aa7b4c1a465672298c142079e03

Score

10^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3700 368 WerFault.exe OfficeClickToRun.exe

pid	pid_target	process	target process
3700	368	WerFault.exe	OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exeOfficeClickToRun.exeWerFault.exe

pid	process
3524	SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe
368	OfficeClickToRun.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe
3700	WerFault.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe

description	pid	process	target process
PID 3524 wrote to memory of 3600	3524	SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe	schtasks.exe
PID 3524 wrote to memory of 3600	3524	SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe	schtasks.exe
PID 3524 wrote to memory of 4004	3524	SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe	schtasks.exe
PID 3524 wrote to memory of 4004	3524	SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe	schtasks.exe
PID 3524 wrote to memory of 424	3524	SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe	schtasks.exe
PID 3524 wrote to memory of 424	3524	SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe	schtasks.exe
PID 3524 wrote to memory of 3060	3524	SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe	schtasks.exe
PID 3524 wrote to memory of 3060	3524	SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe	schtasks.exe
PID 3524 wrote to memory of 556	3524	SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe	schtasks.exe
PID 3524 wrote to memory of 556	3524	SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe	schtasks.exe
PID 3524 wrote to memory of 816	3524	SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe	schtasks.exe
PID 3524 wrote to memory of 816	3524	SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe	schtasks.exe
PID 3524 wrote to memory of 368	3524	SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe	OfficeClickToRun.exe
PID 3524 wrote to memory of 368	3524	SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe	OfficeClickToRun.exe

Executes dropped EXE 1 IoCs

Processes:

OfficeClickToRun.exe

pid process

368 OfficeClickToRun.exe
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3600 schtasks.exe
4004 schtasks.exe
424 schtasks.exe
3060 schtasks.exe
556 schtasks.exe
816 schtasks.exe

pid	process
368	OfficeClickToRun.exe

pid	process
3600	schtasks.exe
4004	schtasks.exe
424	schtasks.exe
3060	schtasks.exe
556	schtasks.exe
816	schtasks.exe

Drops file in Program Files directory 4 IoCs

Processes:

SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe

description	ioc	process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\9cd96063a4b7200751962b993f6669af37511c85	SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe
File created	C:\Program Files (x86)\Windows Mail\svchost.exe	SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe
File created	C:\Program Files (x86)\Windows Mail\f4d236fdec2fd03914189c3b26e5cb0dfea9d761	SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe	SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe

Drops file in Windows directory 2 IoCs

Processes:

SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe

description	ioc	process
File created	C:\Windows\appcompat\svchost.exe	SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe
File created	C:\Windows\appcompat\f4d236fdec2fd03914189c3b26e5cb0dfea9d761	SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exeOfficeClickToRun.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3524	SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe
Token: SeDebugPrivilege	368	OfficeClickToRun.exe
Token: SeDebugPrivilege	3700	WerFault.exe

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3700 created 368 3700 WerFault.exe OfficeClickToRun.exe

description	pid	process	target process
PID 3700 created 368	3700	WerFault.exe	OfficeClickToRun.exe

ServiceHost packer 14 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/368-12-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/368-13-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/368-14-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/368-16-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/368-15-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/368-17-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/368-18-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/368-19-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/368-20-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/368-21-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/368-22-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/368-23-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/368-24-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/368-25-0x0000000000000000-mapping.dmp	servicehost

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\odt\svchost.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3600

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4004

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\SendTo\RuntimeBroker.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:424

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\svchost.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3060

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Windows\appcompat\svchost.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:556

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:816

C:\odt\OfficeClickToRun.exe
"C:\odt\OfficeClickToRun.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:368

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 368 -s 1476
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\odt\OfficeClickToRun.exe

Download Submit
C:\odt\OfficeClickToRun.exe

Download Submit
memory/368-13-0x0000000000000000-mapping.dmp

Download
memory/368-6-0x0000000000000000-mapping.dmp

Download
memory/368-16-0x0000000000000000-mapping.dmp

Download
memory/368-25-0x0000000000000000-mapping.dmp

Download
memory/368-15-0x0000000000000000-mapping.dmp

Download
memory/368-24-0x0000000000000000-mapping.dmp

Download
memory/368-23-0x0000000000000000-mapping.dmp

Download
memory/368-17-0x0000000000000000-mapping.dmp

Download
memory/368-22-0x0000000000000000-mapping.dmp

Download
memory/368-12-0x0000000000000000-mapping.dmp

Download
memory/368-21-0x0000000000000000-mapping.dmp

Download
memory/368-14-0x0000000000000000-mapping.dmp

Download
memory/368-20-0x0000000000000000-mapping.dmp

Download
memory/368-19-0x0000000000000000-mapping.dmp

Download
memory/368-18-0x0000000000000000-mapping.dmp

Download
memory/424-2-0x0000000000000000-mapping.dmp

Download
memory/556-4-0x0000000000000000-mapping.dmp

Download
memory/816-5-0x0000000000000000-mapping.dmp

Download
memory/3060-3-0x0000000000000000-mapping.dmp

Download
memory/3600-0-0x0000000000000000-mapping.dmp

Download
memory/3700-9-0x00000252BE140000-0x00000252BE141000-memory.dmp

Filesize
4KB

Download
memory/3700-10-0x00000252BE140000-0x00000252BE141000-memory.dmp

Filesize
4KB

Download
memory/3700-26-0x00000252BEFB0000-0x00000252BEFB1000-memory.dmp

Filesize
4KB

Download
memory/3700-27-0x00000252BEFB0000-0x00000252BEFB1000-memory.dmp

Filesize
4KB

Download
memory/4004-1-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads