48d33373df62ac7d58904756c1ec0807e7954bbf9e7ccb314712e313b576aba8

General

Target

48d33373df62ac7d58904756c1ec0807e7954bbf9e7ccb314712e313b576aba8.exe
Size

499KB
MD5

ae5bd5427abf39e70c293654a0175a14
SHA1

c0f033d36921be1633c559a6d81ec6e23248182c
SHA256

48d33373df62ac7d58904756c1ec0807e7954bbf9e7ccb314712e313b576aba8
SHA512

a47cecb455dda1d08e2ce595fc4d942cf2ff736e4083dd35a38ea3b66c7f462776a03cd27b63ad1c6074aff46aa2862ae758786b5df167ac66cb97ea1a43d824
SSDEEP

6144:1ENSTpgtIVzFPcMnnPXGiNeh7dSwN8nobXquER0u+GIIIIIIIhIIIIIIIIIIIII9:1SSJVzuKvhidS23Mm5i

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

steamwebhelper.exe

pid process

840 steamwebhelper.exe
Loads dropped DLL 1 IoCs

Processes:

48d33373df62ac7d58904756c1ec0807e7954bbf9e7ccb314712e313b576aba8.exe

pid process

600 48d33373df62ac7d58904756c1ec0807e7954bbf9e7ccb314712e313b576aba8.exe

pid	process
840	steamwebhelper.exe

pid	process
600	48d33373df62ac7d58904756c1ec0807e7954bbf9e7ccb314712e313b576aba8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

48d33373df62ac7d58904756c1ec0807e7954bbf9e7ccb314712e313b576aba8.exesteamwebhelper.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\steamwebhelper = "C:\\Users\\Admin\\AppData\\Roaming\\steamwebhelper2\\steamwebhelper.exe"	48d33373df62ac7d58904756c1ec0807e7954bbf9e7ccb314712e313b576aba8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\steamwebhelper = "C:\\Users\\Admin\\AppData\\Roaming\\steamwebhelper2\\steamwebhelper.exe"	steamwebhelper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

48d33373df62ac7d58904756c1ec0807e7954bbf9e7ccb314712e313b576aba8.exesteamwebhelper.exe

pid process

600 48d33373df62ac7d58904756c1ec0807e7954bbf9e7ccb314712e313b576aba8.exe
840 steamwebhelper.exe

pid	process
600	48d33373df62ac7d58904756c1ec0807e7954bbf9e7ccb314712e313b576aba8.exe
840	steamwebhelper.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

48d33373df62ac7d58904756c1ec0807e7954bbf9e7ccb314712e313b576aba8.exesteamwebhelper.exe

description	pid	process
Token: SeDebugPrivilege	600	48d33373df62ac7d58904756c1ec0807e7954bbf9e7ccb314712e313b576aba8.exe
Token: SeDebugPrivilege	840	steamwebhelper.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

48d33373df62ac7d58904756c1ec0807e7954bbf9e7ccb314712e313b576aba8.exe

description	pid	process	target process
PID 600 wrote to memory of 840	600	48d33373df62ac7d58904756c1ec0807e7954bbf9e7ccb314712e313b576aba8.exe	steamwebhelper.exe
PID 600 wrote to memory of 840	600	48d33373df62ac7d58904756c1ec0807e7954bbf9e7ccb314712e313b576aba8.exe	steamwebhelper.exe
PID 600 wrote to memory of 840	600	48d33373df62ac7d58904756c1ec0807e7954bbf9e7ccb314712e313b576aba8.exe	steamwebhelper.exe
PID 600 wrote to memory of 840	600	48d33373df62ac7d58904756c1ec0807e7954bbf9e7ccb314712e313b576aba8.exe	steamwebhelper.exe

C:\Users\Admin\AppData\Local\Temp\48d33373df62ac7d58904756c1ec0807e7954bbf9e7ccb314712e313b576aba8.exe
"C:\Users\Admin\AppData\Local\Temp\48d33373df62ac7d58904756c1ec0807e7954bbf9e7ccb314712e313b576aba8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:600

C:\Users\Admin\AppData\Roaming\steamwebhelper2\steamwebhelper.exe
"C:\Users\Admin\AppData\Roaming\steamwebhelper2\steamwebhelper.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\steamwebhelper2\steamwebhelper.exe
Filesize
499KB

MD5
ae5bd5427abf39e70c293654a0175a14

SHA1
c0f033d36921be1633c559a6d81ec6e23248182c

SHA256
48d33373df62ac7d58904756c1ec0807e7954bbf9e7ccb314712e313b576aba8

SHA512
a47cecb455dda1d08e2ce595fc4d942cf2ff736e4083dd35a38ea3b66c7f462776a03cd27b63ad1c6074aff46aa2862ae758786b5df167ac66cb97ea1a43d824

Download Submit
C:\Users\Admin\AppData\Roaming\steamwebhelper2\steamwebhelper.exe
Filesize
499KB

MD5
ae5bd5427abf39e70c293654a0175a14

SHA1
c0f033d36921be1633c559a6d81ec6e23248182c

SHA256
48d33373df62ac7d58904756c1ec0807e7954bbf9e7ccb314712e313b576aba8

SHA512
a47cecb455dda1d08e2ce595fc4d942cf2ff736e4083dd35a38ea3b66c7f462776a03cd27b63ad1c6074aff46aa2862ae758786b5df167ac66cb97ea1a43d824

Download Submit
\Users\Admin\AppData\Roaming\steamwebhelper2\steamwebhelper.exe
Filesize
499KB

MD5
ae5bd5427abf39e70c293654a0175a14

SHA1
c0f033d36921be1633c559a6d81ec6e23248182c

SHA256
48d33373df62ac7d58904756c1ec0807e7954bbf9e7ccb314712e313b576aba8

SHA512
a47cecb455dda1d08e2ce595fc4d942cf2ff736e4083dd35a38ea3b66c7f462776a03cd27b63ad1c6074aff46aa2862ae758786b5df167ac66cb97ea1a43d824

Download Submit
memory/600-54-0x00000000000A0000-0x0000000000122000-memory.dmp

Filesize
520KB

Download
memory/600-55-0x00000000003B0000-0x00000000003E8000-memory.dmp

Filesize
224KB

Download
memory/600-56-0x0000000000410000-0x0000000000416000-memory.dmp

Filesize
24KB

Download
memory/600-57-0x0000000075151000-0x0000000075153000-memory.dmp

Filesize
8KB

Download
memory/840-59-0x0000000000000000-mapping.dmp

Download
memory/840-62-0x0000000000880000-0x0000000000902000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads