83afc6aaa1a9277bd633878524b9724b9fd53392d7b66a17684b4a942686bcaa

Analysis

max time kernel
42s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
30/09/2023, 18:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

83afc6aaa1a9277bd633878524b9724b9fd53392d7b66a17684b4a942686bcaa.exe
Size

3.4MB
MD5

9af9bdbf4122961480380fa09710b7b4
SHA1

d81c044d2369d9315e6fa9771a905e06db50893c
SHA256

83afc6aaa1a9277bd633878524b9724b9fd53392d7b66a17684b4a942686bcaa
SHA512

181f70f967843d916ec5a91ee6bd5cebab167041ea023d6ec243a7a465a90f0d7895568417bfb2679ee21d4711e0db82b0c6d6371567f54603f3aae11b55f990
SSDEEP

98304:fGdfOmZ+aJfY3WHR/itTWYqKp/eefDQ2xkNFCbT4dvu:oOluftH9Rkp/eefk5obT4E

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2060	sxteam.exe
1996	CliSvc 应用程序.exe
1792	Steam.exe

Loads dropped DLL 6 IoCs

pid	Process
1260	83afc6aaa1a9277bd633878524b9724b9fd53392d7b66a17684b4a942686bcaa.exe
1260	83afc6aaa1a9277bd633878524b9724b9fd53392d7b66a17684b4a942686bcaa.exe
2060	sxteam.exe
2060	sxteam.exe
2060	sxteam.exe
2060	sxteam.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sxteam.exe	83afc6aaa1a9277bd633878524b9724b9fd53392d7b66a17684b4a942686bcaa.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2060	sxteam.exe
2060	sxteam.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1260	83afc6aaa1a9277bd633878524b9724b9fd53392d7b66a17684b4a942686bcaa.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1260	83afc6aaa1a9277bd633878524b9724b9fd53392d7b66a17684b4a942686bcaa.exe
1260	83afc6aaa1a9277bd633878524b9724b9fd53392d7b66a17684b4a942686bcaa.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 2060	1260	83afc6aaa1a9277bd633878524b9724b9fd53392d7b66a17684b4a942686bcaa.exe	28
PID 1260 wrote to memory of 2060	1260	83afc6aaa1a9277bd633878524b9724b9fd53392d7b66a17684b4a942686bcaa.exe	28
PID 1260 wrote to memory of 2060	1260	83afc6aaa1a9277bd633878524b9724b9fd53392d7b66a17684b4a942686bcaa.exe	28
PID 1260 wrote to memory of 2060	1260	83afc6aaa1a9277bd633878524b9724b9fd53392d7b66a17684b4a942686bcaa.exe	28
PID 2060 wrote to memory of 1996	2060	sxteam.exe	31
PID 2060 wrote to memory of 1996	2060	sxteam.exe	31
PID 2060 wrote to memory of 1996	2060	sxteam.exe	31
PID 2060 wrote to memory of 1996	2060	sxteam.exe	31
PID 2060 wrote to memory of 1792	2060	sxteam.exe	32
PID 2060 wrote to memory of 1792	2060	sxteam.exe	32
PID 2060 wrote to memory of 1792	2060	sxteam.exe	32
PID 2060 wrote to memory of 1792	2060	sxteam.exe	32

C:\Users\Admin\AppData\Local\Temp\83afc6aaa1a9277bd633878524b9724b9fd53392d7b66a17684b4a942686bcaa.exe
"C:\Users\Admin\AppData\Local\Temp\83afc6aaa1a9277bd633878524b9724b9fd53392d7b66a17684b4a942686bcaa.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\SysWOW64\sxteam.exe
  C:\Windows\System32\sxteam.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Users\Admin\AppData\Local\Temp\CliSvc 应用程序.exe
    "C:\Users\Admin\AppData\Local\Temp\CliSvc 应用程序.exe"
    3⤵
    - Executes dropped EXE
    PID:1996
- - C:\Users\Admin\AppData\Local\Temp\Steam.exe
    "C:\Users\Admin\AppData\Local\Temp\Steam.exe"
    3⤵
    - Executes dropped EXE
    PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CliSvc 应用程序.exe

Filesize
1.1MB

MD5
d7ceab81811a07e4760ed8c752950448

SHA1
6b29051c9a1b0735a89784161eecefd34e861f18

SHA256
37abf6214bfdc5354ed985b246e774b5b95a4afb073db7cc4140cfd84127ca54

SHA512
cdb64bcf412eac858c90c6a834064d4ed5b269b14d52a2562168ed9761b314e831ca4005b386ead0ccc6bc8a7f5f0806ec9defa1170f9b6e256aeb931c4b9510

Download Submit
C:\Users\Admin\AppData\Local\Temp\CliSvc 应用程序.exe

Filesize
1.1MB

MD5
d7ceab81811a07e4760ed8c752950448

SHA1
6b29051c9a1b0735a89784161eecefd34e861f18

SHA256
37abf6214bfdc5354ed985b246e774b5b95a4afb073db7cc4140cfd84127ca54

SHA512
cdb64bcf412eac858c90c6a834064d4ed5b269b14d52a2562168ed9761b314e831ca4005b386ead0ccc6bc8a7f5f0806ec9defa1170f9b6e256aeb931c4b9510

Download Submit
C:\Users\Admin\AppData\Local\Temp\Steam.exe

Filesize
1.1MB

MD5
6cc3132f1ab90f8898776f4e545dbb13

SHA1
a5821415544e2b131061ede56b5142ef92cea2be

SHA256
11c907ecf283c2f36823356335295ac878d8ee26a8c2b3ec933fc51549ac0042

SHA512
ef0f29948def76e81aaaa2f8a0877b3acce3e86132ccc1482fc6d2c7006a66e37c97d73d21441a8300c07d31cf9a9d0b1032b41dc9f6b6cd00d8a812f6feb301

Download Submit
C:\Users\Admin\AppData\Local\Temp\Steam.exe

Filesize
1.1MB

MD5
6cc3132f1ab90f8898776f4e545dbb13

SHA1
a5821415544e2b131061ede56b5142ef92cea2be

SHA256
11c907ecf283c2f36823356335295ac878d8ee26a8c2b3ec933fc51549ac0042

SHA512
ef0f29948def76e81aaaa2f8a0877b3acce3e86132ccc1482fc6d2c7006a66e37c97d73d21441a8300c07d31cf9a9d0b1032b41dc9f6b6cd00d8a812f6feb301

Download Submit
C:\Windows\SysWOW64\sxteam.exe

Filesize
2.7MB

MD5
759f87a899ae0d3d42959b594e0ea13d

SHA1
ae7e1865b67b3e472fc5763a763b59dbf7e2c997

SHA256
5eb5107ec1d4ef94887d00b6bf3f8109035bd55dd81f99650b41efe6754ea0c6

SHA512
814e077ee8e0f1d764d97ca56e5fa6c9c796601257a383c6867452c6c132fb9caa90277f278c304a5a623a7aee3ccbddc194e9cf85390096cce5d9a5af9dd4c7

Download Submit
C:\Windows\SysWOW64\sxteam.exe

Filesize
2.7MB

MD5
759f87a899ae0d3d42959b594e0ea13d

SHA1
ae7e1865b67b3e472fc5763a763b59dbf7e2c997

SHA256
5eb5107ec1d4ef94887d00b6bf3f8109035bd55dd81f99650b41efe6754ea0c6

SHA512
814e077ee8e0f1d764d97ca56e5fa6c9c796601257a383c6867452c6c132fb9caa90277f278c304a5a623a7aee3ccbddc194e9cf85390096cce5d9a5af9dd4c7

Download Submit
C:\Windows\SysWOW64\sxteam.exe

Filesize
2.7MB

MD5
759f87a899ae0d3d42959b594e0ea13d

SHA1
ae7e1865b67b3e472fc5763a763b59dbf7e2c997

SHA256
5eb5107ec1d4ef94887d00b6bf3f8109035bd55dd81f99650b41efe6754ea0c6

SHA512
814e077ee8e0f1d764d97ca56e5fa6c9c796601257a383c6867452c6c132fb9caa90277f278c304a5a623a7aee3ccbddc194e9cf85390096cce5d9a5af9dd4c7

Download Submit
\Users\Admin\AppData\Local\Temp\CliSvc 应用程序.exe

Filesize
1.1MB

MD5
d7ceab81811a07e4760ed8c752950448

SHA1
6b29051c9a1b0735a89784161eecefd34e861f18

SHA256
37abf6214bfdc5354ed985b246e774b5b95a4afb073db7cc4140cfd84127ca54

SHA512
cdb64bcf412eac858c90c6a834064d4ed5b269b14d52a2562168ed9761b314e831ca4005b386ead0ccc6bc8a7f5f0806ec9defa1170f9b6e256aeb931c4b9510

Download Submit
\Users\Admin\AppData\Local\Temp\CliSvc 应用程序.exe

Filesize
1.1MB

MD5
d7ceab81811a07e4760ed8c752950448

SHA1
6b29051c9a1b0735a89784161eecefd34e861f18

SHA256
37abf6214bfdc5354ed985b246e774b5b95a4afb073db7cc4140cfd84127ca54

SHA512
cdb64bcf412eac858c90c6a834064d4ed5b269b14d52a2562168ed9761b314e831ca4005b386ead0ccc6bc8a7f5f0806ec9defa1170f9b6e256aeb931c4b9510

Download Submit
\Users\Admin\AppData\Local\Temp\Steam.exe

Filesize
1.1MB

MD5
6cc3132f1ab90f8898776f4e545dbb13

SHA1
a5821415544e2b131061ede56b5142ef92cea2be

SHA256
11c907ecf283c2f36823356335295ac878d8ee26a8c2b3ec933fc51549ac0042

SHA512
ef0f29948def76e81aaaa2f8a0877b3acce3e86132ccc1482fc6d2c7006a66e37c97d73d21441a8300c07d31cf9a9d0b1032b41dc9f6b6cd00d8a812f6feb301

Download Submit
\Users\Admin\AppData\Local\Temp\Steam.exe

Filesize
1.1MB

MD5
6cc3132f1ab90f8898776f4e545dbb13

SHA1
a5821415544e2b131061ede56b5142ef92cea2be

SHA256
11c907ecf283c2f36823356335295ac878d8ee26a8c2b3ec933fc51549ac0042

SHA512
ef0f29948def76e81aaaa2f8a0877b3acce3e86132ccc1482fc6d2c7006a66e37c97d73d21441a8300c07d31cf9a9d0b1032b41dc9f6b6cd00d8a812f6feb301

Download Submit
\Windows\SysWOW64\sxteam.exe

Filesize
2.7MB

MD5
759f87a899ae0d3d42959b594e0ea13d

SHA1
ae7e1865b67b3e472fc5763a763b59dbf7e2c997

SHA256
5eb5107ec1d4ef94887d00b6bf3f8109035bd55dd81f99650b41efe6754ea0c6

SHA512
814e077ee8e0f1d764d97ca56e5fa6c9c796601257a383c6867452c6c132fb9caa90277f278c304a5a623a7aee3ccbddc194e9cf85390096cce5d9a5af9dd4c7

Download Submit
\Windows\SysWOW64\sxteam.exe

Filesize
2.7MB

MD5
759f87a899ae0d3d42959b594e0ea13d

SHA1
ae7e1865b67b3e472fc5763a763b59dbf7e2c997

SHA256
5eb5107ec1d4ef94887d00b6bf3f8109035bd55dd81f99650b41efe6754ea0c6

SHA512
814e077ee8e0f1d764d97ca56e5fa6c9c796601257a383c6867452c6c132fb9caa90277f278c304a5a623a7aee3ccbddc194e9cf85390096cce5d9a5af9dd4c7

Download Submit
memory/1260-2-0x0000000002450000-0x000000000270A000-memory.dmp

Filesize
2.7MB

Download
memory/1792-12189-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/1792-8732-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/1996-12060-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/1996-8722-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2060-835-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-885-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-847-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-849-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-851-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-853-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-855-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-857-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-859-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-861-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-863-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-865-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-867-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-869-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-871-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-873-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-875-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-877-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-879-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-881-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-883-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-845-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-1852-0x0000000000400000-0x00000000006BA000-memory.dmp

Filesize
2.7MB

Download
memory/2060-2561-0x00000000022D0000-0x0000000002451000-memory.dmp

Filesize
1.5MB

Download
memory/2060-843-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-8701-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-8708-0x0000000000400000-0x00000000006BA000-memory.dmp

Filesize
2.7MB

Download
memory/2060-841-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-837-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-833-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-8718-0x0000000003260000-0x00000000033E3000-memory.dmp

Filesize
1.5MB

Download
memory/2060-831-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-8723-0x0000000003270000-0x00000000033F1000-memory.dmp

Filesize
1.5MB

Download
memory/2060-829-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-826-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-824-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-821-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-8729-0x0000000003270000-0x00000000033F1000-memory.dmp

Filesize
1.5MB

Download
memory/2060-822-0x0000000002170000-0x0000000002281000-memory.dmp

Filesize
1.1MB

Download
memory/2060-8724-0x0000000003260000-0x00000000033E3000-memory.dmp

Filesize
1.5MB

Download
memory/2060-11-0x0000000076B70000-0x0000000076BB7000-memory.dmp

Filesize
284KB

Download
memory/2060-10-0x0000000000220000-0x00000000002CC000-memory.dmp

Filesize
688KB

Download
memory/2060-9-0x0000000000400000-0x00000000006BA000-memory.dmp

Filesize
2.7MB

Download