2f2389c4427f79cb94d8d4fb3650b1cf0a27c0fc8996cf9edd061aa8b74fb6c4

Analysis

max time kernel
299s
max time network
323s
platform
windows10-1703_x64
resource
win10-20230220-es
resource tags

arch:x64arch:x86image:win10-20230220-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
02-04-2023 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Oneshot/LAUNCHER.exe
Size

227KB
MD5

d8a09db41481b0567601d2cab42db466
SHA1

ed0d1c96f7c81263643e2db9501d0c65477d7582
SHA256

3dad541c5fcdbc09b1c079e6c92837632c649d78084fdbab2bd2f1ce25ec2c5d
SHA512

f79daca8564f9cbcec59ceee458634fe223503b7eea6e2cf8f038fd3ef84044825a631f99872c732e3ae943531553510ff243c721478f3879ab818bf0b34b0c0
SSDEEP

3072:TGtleufyNONL4MdzCOY4jb1pQ2hHKPtOHO6VrVPoVJtCbhVPoVJtCbFyf:KtleuqKEYzYQyuHKPtOHRWehWeQ

Score

6^/10

bootkit persistence

Malware Config

Signatures

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

steamshim.exerundll32.exe

description ioc process

File opened for modification \??\PhysicalDrive0 steamshim.exe
File opened for modification \??\PhysicalDrive0 rundll32.exe
Drops file in Windows directory 1 IoCs

Processes:

oneshot.exe

description ioc process

File opened for modification C:\Windows\INF\msmouse.PNF oneshot.exe

flow	ioc
4	api.ipify.org

description	ioc	process
File opened for modification	\??\PhysicalDrive0	steamshim.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\INF\msmouse.PNF	oneshot.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

steamshim.exerundll32.exe

pid	process
2148	steamshim.exe
2148	steamshim.exe
2148	steamshim.exe
2148	steamshim.exe
2148	steamshim.exe
2148	steamshim.exe
2148	steamshim.exe
2148	steamshim.exe
4016	rundll32.exe
4016	rundll32.exe
4016	rundll32.exe
4016	rundll32.exe
4016	rundll32.exe
4016	rundll32.exe
4016	rundll32.exe
4016	rundll32.exe
4016	rundll32.exe
2148	steamshim.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

steamshim.exe

pid process

2148 steamshim.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

oneshot.exe

pid process

4736 oneshot.exe

pid	process
4736	oneshot.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

LAUNCHER.exesteamshim.exe

description	pid	process	target process
PID 3588 wrote to memory of 2148	3588	LAUNCHER.exe	steamshim.exe
PID 3588 wrote to memory of 2148	3588	LAUNCHER.exe	steamshim.exe
PID 3588 wrote to memory of 2148	3588	LAUNCHER.exe	steamshim.exe
PID 2148 wrote to memory of 4016	2148	steamshim.exe	rundll32.exe
PID 2148 wrote to memory of 4016	2148	steamshim.exe	rundll32.exe
PID 2148 wrote to memory of 4016	2148	steamshim.exe	rundll32.exe
PID 2148 wrote to memory of 4736	2148	steamshim.exe	oneshot.exe
PID 2148 wrote to memory of 4736	2148	steamshim.exe	oneshot.exe
PID 2148 wrote to memory of 4736	2148	steamshim.exe	oneshot.exe

C:\Users\Admin\AppData\Local\Temp\Oneshot\LAUNCHER.exe
"C:\Users\Admin\AppData\Local\Temp\Oneshot\LAUNCHER.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Users\Admin\AppData\Local\Temp\Oneshot\steamshim.exe
  "C:\Users\Admin\AppData\Local\Temp\Oneshot\steamshim.exe"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Oneshot\SmartSteamEmu.dll",InitSSE
    3⤵
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: EnumeratesProcesses
    PID:4016
- - C:\Users\Admin\AppData\Local\Temp\Oneshot\oneshot.exe
    ".\oneshot.exe"
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:4736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2148-124-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2148-134-0x000000006D0C0000-0x000000006D13A000-memory.dmp

Filesize
488KB

Download
memory/2148-131-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2148-135-0x000000006FE40000-0x00000000703DF000-memory.dmp

Filesize
5.6MB

Download
memory/2148-182-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2148-184-0x000000006D0C0000-0x000000006D13A000-memory.dmp

Filesize
488KB

Download
memory/2148-188-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2148-186-0x000000006FE40000-0x00000000703DF000-memory.dmp

Filesize
5.6MB

Download
memory/4016-125-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/4736-158-0x0000000063EC0000-0x0000000063F74000-memory.dmp

Filesize
720KB

Download
memory/4736-165-0x0000000066200000-0x0000000066343000-memory.dmp

Filesize
1.3MB

Download
memory/4736-137-0x000000006B800000-0x000000006B88E000-memory.dmp

Filesize
568KB

Download
memory/4736-138-0x000000006AA80000-0x000000006AAFC000-memory.dmp

Filesize
496KB

Download
memory/4736-140-0x000000006FAC0000-0x000000006FB33000-memory.dmp

Filesize
460KB

Download
memory/4736-142-0x000000006AC00000-0x000000006AC3B000-memory.dmp

Filesize
236KB

Download
memory/4736-144-0x0000000063080000-0x00000000630A1000-memory.dmp

Filesize
132KB

Download
memory/4736-141-0x0000000070E80000-0x0000000070F40000-memory.dmp

Filesize
768KB

Download
memory/4736-139-0x0000000071200000-0x000000007122F000-memory.dmp

Filesize
188KB

Download
memory/4736-143-0x000000006B5C0000-0x000000006B5E2000-memory.dmp

Filesize
136KB

Download
memory/4736-145-0x000000006D0C0000-0x000000006D13A000-memory.dmp

Filesize
488KB

Download
memory/4736-146-0x000000006FE40000-0x00000000703DF000-memory.dmp

Filesize
5.6MB

Download
memory/4736-147-0x000000006C940000-0x000000006CDAD000-memory.dmp

Filesize
4.4MB

Download
memory/4736-148-0x0000000065500000-0x000000006598A000-memory.dmp

Filesize
4.5MB

Download
memory/4736-150-0x0000000069C00000-0x0000000069D23000-memory.dmp

Filesize
1.1MB

Download
memory/4736-151-0x00000000690C0000-0x000000006921A000-memory.dmp

Filesize
1.4MB

Download
memory/4736-149-0x0000000068D40000-0x0000000068E1B000-memory.dmp

Filesize
876KB

Download
memory/4736-153-0x0000000070880000-0x00000000708A5000-memory.dmp

Filesize
148KB

Download
memory/4736-154-0x000000006F740000-0x000000006F917000-memory.dmp

Filesize
1.8MB

Download
memory/4736-155-0x0000000067680000-0x000000006790D000-memory.dmp

Filesize
2.6MB

Download
memory/4736-152-0x000000006D740000-0x000000006D788000-memory.dmp

Filesize
288KB

Download
memory/4736-156-0x0000000061980000-0x00000000619C2000-memory.dmp

Filesize
264KB

Download
memory/4736-159-0x00000000026D0000-0x0000000002A54000-memory.dmp

Filesize
3.5MB

Download
memory/4736-133-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/4736-161-0x0000000002A60000-0x000000000803F000-memory.dmp

Filesize
85.9MB

Download
memory/4736-162-0x00000000687C0000-0x0000000068AEC000-memory.dmp

Filesize
3.2MB

Download
memory/4736-163-0x0000000069340000-0x00000000693F0000-memory.dmp

Filesize
704KB

Download
memory/4736-136-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/4736-164-0x0000000061EC0000-0x0000000061F45000-memory.dmp

Filesize
532KB

Download
memory/4736-167-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/4736-168-0x000000006B800000-0x000000006B88E000-memory.dmp

Filesize
568KB

Download
memory/4736-169-0x000000006AA80000-0x000000006AAFC000-memory.dmp

Filesize
496KB

Download
memory/4736-170-0x0000000071200000-0x000000007122F000-memory.dmp

Filesize
188KB

Download
memory/4736-171-0x000000006FAC0000-0x000000006FB33000-memory.dmp

Filesize
460KB

Download
memory/4736-172-0x0000000070E80000-0x0000000070F40000-memory.dmp

Filesize
768KB

Download
memory/4736-173-0x000000006AC00000-0x000000006AC3B000-memory.dmp

Filesize
236KB

Download
memory/4736-175-0x0000000063080000-0x00000000630A1000-memory.dmp

Filesize
132KB

Download
memory/4736-174-0x000000006B5C0000-0x000000006B5E2000-memory.dmp

Filesize
136KB

Download
memory/4736-176-0x000000006D0C0000-0x000000006D13A000-memory.dmp

Filesize
488KB

Download
memory/4736-177-0x000000006FE40000-0x00000000703DF000-memory.dmp

Filesize
5.6MB

Download
memory/4736-178-0x000000006C940000-0x000000006CDAD000-memory.dmp

Filesize
4.4MB

Download
memory/4736-179-0x0000000065500000-0x000000006598A000-memory.dmp

Filesize
4.5MB

Download
memory/4736-180-0x0000000068D40000-0x0000000068E1B000-memory.dmp

Filesize
876KB

Download
memory/4736-181-0x0000000069C00000-0x0000000069D23000-memory.dmp

Filesize
1.1MB

Download
memory/4736-183-0x00000000690C0000-0x000000006921A000-memory.dmp

Filesize
1.4MB

Download
memory/4736-132-0x000000006FAC0000-0x000000006FB33000-memory.dmp

Filesize
460KB

Download
memory/4736-129-0x0000000002A60000-0x000000000803F000-memory.dmp

Filesize
85.9MB

Download
memory/4736-187-0x0000000070880000-0x00000000708A5000-memory.dmp

Filesize
148KB

Download
memory/4736-191-0x0000000061980000-0x00000000619C2000-memory.dmp

Filesize
264KB

Download
memory/4736-192-0x0000000063EC0000-0x0000000063F74000-memory.dmp

Filesize
720KB

Download
memory/4736-190-0x0000000067680000-0x000000006790D000-memory.dmp

Filesize
2.6MB

Download
memory/4736-189-0x000000006F740000-0x000000006F917000-memory.dmp

Filesize
1.8MB

Download
memory/4736-185-0x000000006D740000-0x000000006D788000-memory.dmp

Filesize
288KB

Download
memory/4736-127-0x00000000026D0000-0x0000000002A54000-memory.dmp

Filesize
3.5MB

Download
memory/4736-193-0x00000000026D0000-0x0000000002A54000-memory.dmp

Filesize
3.5MB

Download