Analysis
max time kernel: 13s
max time network: 25s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-03-2023 19:41
Static task: static1
Behavioral task behavioral1: Sample steam.exe, Resource win10v2004-20230220-en
Behavioral task behavioral2: Sample steam.exe, Resource macos-20220504-en
Behavioral task behavioral3: Sample steam.exe, Resource ubuntu1804-amd64-20221111-en
Behavioral task behavioral4: Sample steam.exe, Resource debian9-armhf-en-20211208
Behavioral task behavioral5: Sample steam.exe, Resource debian9-mipsbe-20221111-en
Behavioral task behavioral6: Sample steam.exe, Resource debian9-mipsel-en-20211208
Errors
General
Target: steam.exe
Size: 11KB
MD5: 6a0c09c176405806a623c080866cf8fa
SHA1: 32b9260716481763255b5b995cb2b1a991509db7
SHA256: 170215feaa262397dbf210a86235fe2df1497539e1645961d24efcc6fea110aa
SHA512: a3b16f0d0c3a8be9df8803fc70550b233a701b48f763739c71c2f636520ea60babe2360eca8a042d5469a53a09930e6c5536ee98d6143a81829cd6d9a763a87e
SSDEEP: 192:aLQbtN4sBtNdaLixVupSiP/VunlYJLLLTuTvLvLvLvLvLvLvLvLvLvgQGSs5cqGE:aLQz4QzdaLiu3hPLTuTvLvLvLvLvLvLB
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | steam.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies data under HKEY_USERS (15 IoCs)
Processes (description | ioc | process):
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "218" | LogonUI.exe
Runs net.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description | pid | process):
Token: SeShutdownPrivilege | 4044 | shutdown.exe
Token: SeRemoteShutdownPrivilege | 4044 | shutdown.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid | process):
2404 | LogonUI.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description | pid | process | target process):
PID 3548 wrote to memory of 928 | 3548 | steam.exe | cmd.exe
PID 3548 wrote to memory of 928 | 3548 | steam.exe | cmd.exe
PID 928 wrote to memory of 4044 | 928 | cmd.exe | shutdown.exe
PID 928 wrote to memory of 4044 | 928 | cmd.exe | shutdown.exe
PID 928 wrote to memory of 1872 | 928 | cmd.exe | net.exe
PID 928 wrote to memory of 1872 | 928 | cmd.exe | net.exe
PID 1872 wrote to memory of 4068 | 1872 | net.exe | net1.exe
PID 1872 wrote to memory of 4068 | 1872 | net.exe | net1.exe
Processes (process tree, indented by depth)
C:\Users\Admin\AppData\Local\Temp\steam.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\steam.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\shutdown.exe
      Command line: shutdown -s -t 00 -c "hackedr"
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\net.exe
      Command line: net user Admin *
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 user Admin *
C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3985855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\cmd.bat
Filesize: 1KB
MD5: b165c6d6172c0e46f12f6969fadd218b
SHA1: 52d4b3d16c069e6324d407b72f5887a1153d1d8f
SHA256: c8cb4c998750bda9eefdd5fb90ae32ead18d3470ef0644c2617f5811bdca1e61
SHA512: cd36e9f3cacdf6593a761394d003f3a0987348c2749e080a3a5bfca58e6b3f3c8b18e5a0123515a830879cea9f37d653e322bdb70eb5b89ca49baa3ad88c5534
memory/3548-133-0x0000000000BD0000-0x0000000000BDA000-memory.dmp
Filesize: 40KB