3513c77c2c1c48bfb1ea3fd7af85bf93495173250868f5e5fb563811bc0f3fda

General

Target

3513c77c2c1c48bfb1ea3fd7af85bf93495173250868f5e5fb563811bc0f3fda.exe
Size

335KB
MD5

05a7ee2530a6d500c4dd281b337885c2
SHA1

21d8862d36f77eacba1d05af97f3b5728e43a978
SHA256

3513c77c2c1c48bfb1ea3fd7af85bf93495173250868f5e5fb563811bc0f3fda
SHA512

95b9cdab855e376fae1419f76e6a3a765f887994b53cdbbf82a4c3ab358788328453b946cdadcab9c4fdd6ad6a7de7284b08bfbfa18cb5534ac961afc3ebaca0
SSDEEP

6144:CLEXzo+jMxfEDUdt9eQn5r75fJ7RmGHFuxRHUQjf8XFq2G:4P3f9dt9eQn9HL8R00WFqx

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

steamwebhelper.exe

pid process

2004 steamwebhelper.exe

pid	process
2004	steamwebhelper.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3513c77c2c1c48bfb1ea3fd7af85bf93495173250868f5e5fb563811bc0f3fda.exesteamwebhelper.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\steamwebhelper = "C:\\Users\\Admin\\AppData\\Roaming\\steamwebhelper2\\steamwebhelper.exe"	3513c77c2c1c48bfb1ea3fd7af85bf93495173250868f5e5fb563811bc0f3fda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\steamwebhelper = "C:\\Users\\Admin\\AppData\\Roaming\\steamwebhelper2\\steamwebhelper.exe"	steamwebhelper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3513c77c2c1c48bfb1ea3fd7af85bf93495173250868f5e5fb563811bc0f3fda.exesteamwebhelper.exe

pid process

904 3513c77c2c1c48bfb1ea3fd7af85bf93495173250868f5e5fb563811bc0f3fda.exe
2004 steamwebhelper.exe

pid	process
904	3513c77c2c1c48bfb1ea3fd7af85bf93495173250868f5e5fb563811bc0f3fda.exe
2004	steamwebhelper.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3513c77c2c1c48bfb1ea3fd7af85bf93495173250868f5e5fb563811bc0f3fda.exesteamwebhelper.exe

description	pid	process
Token: SeDebugPrivilege	904	3513c77c2c1c48bfb1ea3fd7af85bf93495173250868f5e5fb563811bc0f3fda.exe
Token: SeDebugPrivilege	2004	steamwebhelper.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3513c77c2c1c48bfb1ea3fd7af85bf93495173250868f5e5fb563811bc0f3fda.exe

description	pid	process	target process
PID 904 wrote to memory of 2004	904	3513c77c2c1c48bfb1ea3fd7af85bf93495173250868f5e5fb563811bc0f3fda.exe	steamwebhelper.exe
PID 904 wrote to memory of 2004	904	3513c77c2c1c48bfb1ea3fd7af85bf93495173250868f5e5fb563811bc0f3fda.exe	steamwebhelper.exe
PID 904 wrote to memory of 2004	904	3513c77c2c1c48bfb1ea3fd7af85bf93495173250868f5e5fb563811bc0f3fda.exe	steamwebhelper.exe

C:\Users\Admin\AppData\Local\Temp\3513c77c2c1c48bfb1ea3fd7af85bf93495173250868f5e5fb563811bc0f3fda.exe
"C:\Users\Admin\AppData\Local\Temp\3513c77c2c1c48bfb1ea3fd7af85bf93495173250868f5e5fb563811bc0f3fda.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:904

C:\Users\Admin\AppData\Roaming\steamwebhelper2\steamwebhelper.exe
"C:\Users\Admin\AppData\Roaming\steamwebhelper2\steamwebhelper.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\steamwebhelper2\steamwebhelper.exe
Filesize
335KB

MD5
05a7ee2530a6d500c4dd281b337885c2

SHA1
21d8862d36f77eacba1d05af97f3b5728e43a978

SHA256
3513c77c2c1c48bfb1ea3fd7af85bf93495173250868f5e5fb563811bc0f3fda

SHA512
95b9cdab855e376fae1419f76e6a3a765f887994b53cdbbf82a4c3ab358788328453b946cdadcab9c4fdd6ad6a7de7284b08bfbfa18cb5534ac961afc3ebaca0

Download Submit
C:\Users\Admin\AppData\Roaming\steamwebhelper2\steamwebhelper.exe
Filesize
335KB

MD5
05a7ee2530a6d500c4dd281b337885c2

SHA1
21d8862d36f77eacba1d05af97f3b5728e43a978

SHA256
3513c77c2c1c48bfb1ea3fd7af85bf93495173250868f5e5fb563811bc0f3fda

SHA512
95b9cdab855e376fae1419f76e6a3a765f887994b53cdbbf82a4c3ab358788328453b946cdadcab9c4fdd6ad6a7de7284b08bfbfa18cb5534ac961afc3ebaca0

Download Submit
memory/904-54-0x0000000000B00000-0x0000000000B5A000-memory.dmp

Filesize
360KB

Download
memory/904-55-0x0000000000550000-0x0000000000586000-memory.dmp

Filesize
216KB

Download
memory/904-56-0x0000000000150000-0x0000000000156000-memory.dmp

Filesize
24KB

Download
memory/904-57-0x000007FEFBDE1000-0x000007FEFBDE3000-memory.dmp

Filesize
8KB

Download
memory/904-61-0x000000001AF66000-0x000000001AF85000-memory.dmp

Filesize
124KB

Download
memory/904-65-0x000000001AF66000-0x000000001AF85000-memory.dmp

Filesize
124KB

Download
memory/2004-58-0x0000000000000000-mapping.dmp

Download
memory/2004-62-0x0000000000030000-0x000000000008A000-memory.dmp

Filesize
360KB

Download
memory/2004-64-0x000000001AB96000-0x000000001ABB5000-memory.dmp

Filesize
124KB

Download
memory/2004-66-0x000000001AB96000-0x000000001ABB5000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads