83afc6aaa1a9277bd633878524b9724b9fd53392d7b66a17684b4a942686bcaa

General

Target

83afc6aaa1a9277bd633878524b9724b9fd53392d7b66a17684b4a942686bcaa.exe
Size

3.4MB
MD5

9af9bdbf4122961480380fa09710b7b4
SHA1

d81c044d2369d9315e6fa9771a905e06db50893c
SHA256

83afc6aaa1a9277bd633878524b9724b9fd53392d7b66a17684b4a942686bcaa
SHA512

181f70f967843d916ec5a91ee6bd5cebab167041ea023d6ec243a7a465a90f0d7895568417bfb2679ee21d4711e0db82b0c6d6371567f54603f3aae11b55f990
SSDEEP

98304:fGdfOmZ+aJfY3WHR/itTWYqKp/eefDQ2xkNFCbT4dvu:oOluftH9Rkp/eefk5obT4E

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	sxteam.exe

Executes dropped EXE 3 IoCs

pid	Process
1956	sxteam.exe
2900	CliSvc 应用程序.exe
5108	Steam.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sxteam.exe	83afc6aaa1a9277bd633878524b9724b9fd53392d7b66a17684b4a942686bcaa.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1956	sxteam.exe
1956	sxteam.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2036	83afc6aaa1a9277bd633878524b9724b9fd53392d7b66a17684b4a942686bcaa.exe
2036	83afc6aaa1a9277bd633878524b9724b9fd53392d7b66a17684b4a942686bcaa.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2036	83afc6aaa1a9277bd633878524b9724b9fd53392d7b66a17684b4a942686bcaa.exe
2036	83afc6aaa1a9277bd633878524b9724b9fd53392d7b66a17684b4a942686bcaa.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1956	2036	83afc6aaa1a9277bd633878524b9724b9fd53392d7b66a17684b4a942686bcaa.exe	83
PID 2036 wrote to memory of 1956	2036	83afc6aaa1a9277bd633878524b9724b9fd53392d7b66a17684b4a942686bcaa.exe	83
PID 2036 wrote to memory of 1956	2036	83afc6aaa1a9277bd633878524b9724b9fd53392d7b66a17684b4a942686bcaa.exe	83
PID 1956 wrote to memory of 2900	1956	sxteam.exe	92
PID 1956 wrote to memory of 2900	1956	sxteam.exe	92
PID 1956 wrote to memory of 2900	1956	sxteam.exe	92
PID 1956 wrote to memory of 5108	1956	sxteam.exe	93
PID 1956 wrote to memory of 5108	1956	sxteam.exe	93
PID 1956 wrote to memory of 5108	1956	sxteam.exe	93

C:\Users\Admin\AppData\Local\Temp\83afc6aaa1a9277bd633878524b9724b9fd53392d7b66a17684b4a942686bcaa.exe
"C:\Users\Admin\AppData\Local\Temp\83afc6aaa1a9277bd633878524b9724b9fd53392d7b66a17684b4a942686bcaa.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\sxteam.exe
  C:\Windows\System32\sxteam.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Users\Admin\AppData\Local\Temp\CliSvc 应用程序.exe
    "C:\Users\Admin\AppData\Local\Temp\CliSvc 应用程序.exe"
    3⤵
    - Executes dropped EXE
    PID:2900
- - C:\Users\Admin\AppData\Local\Temp\Steam.exe
    "C:\Users\Admin\AppData\Local\Temp\Steam.exe"
    3⤵
    - Executes dropped EXE
    PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CliSvc 应用程序.exe

Filesize
1.1MB

MD5
d7ceab81811a07e4760ed8c752950448

SHA1
6b29051c9a1b0735a89784161eecefd34e861f18

SHA256
37abf6214bfdc5354ed985b246e774b5b95a4afb073db7cc4140cfd84127ca54

SHA512
cdb64bcf412eac858c90c6a834064d4ed5b269b14d52a2562168ed9761b314e831ca4005b386ead0ccc6bc8a7f5f0806ec9defa1170f9b6e256aeb931c4b9510

Download Submit
C:\Users\Admin\AppData\Local\Temp\CliSvc 应用程序.exe

Filesize
1.1MB

MD5
d7ceab81811a07e4760ed8c752950448

SHA1
6b29051c9a1b0735a89784161eecefd34e861f18

SHA256
37abf6214bfdc5354ed985b246e774b5b95a4afb073db7cc4140cfd84127ca54

SHA512
cdb64bcf412eac858c90c6a834064d4ed5b269b14d52a2562168ed9761b314e831ca4005b386ead0ccc6bc8a7f5f0806ec9defa1170f9b6e256aeb931c4b9510

Download Submit
C:\Users\Admin\AppData\Local\Temp\CliSvc 应用程序.exe

Filesize
1.1MB

MD5
d7ceab81811a07e4760ed8c752950448

SHA1
6b29051c9a1b0735a89784161eecefd34e861f18

SHA256
37abf6214bfdc5354ed985b246e774b5b95a4afb073db7cc4140cfd84127ca54

SHA512
cdb64bcf412eac858c90c6a834064d4ed5b269b14d52a2562168ed9761b314e831ca4005b386ead0ccc6bc8a7f5f0806ec9defa1170f9b6e256aeb931c4b9510

Download Submit
C:\Users\Admin\AppData\Local\Temp\Steam.exe

Filesize
1.1MB

MD5
6cc3132f1ab90f8898776f4e545dbb13

SHA1
a5821415544e2b131061ede56b5142ef92cea2be

SHA256
11c907ecf283c2f36823356335295ac878d8ee26a8c2b3ec933fc51549ac0042

SHA512
ef0f29948def76e81aaaa2f8a0877b3acce3e86132ccc1482fc6d2c7006a66e37c97d73d21441a8300c07d31cf9a9d0b1032b41dc9f6b6cd00d8a812f6feb301

Download Submit
C:\Users\Admin\AppData\Local\Temp\Steam.exe

Filesize
1.1MB

MD5
6cc3132f1ab90f8898776f4e545dbb13

SHA1
a5821415544e2b131061ede56b5142ef92cea2be

SHA256
11c907ecf283c2f36823356335295ac878d8ee26a8c2b3ec933fc51549ac0042

SHA512
ef0f29948def76e81aaaa2f8a0877b3acce3e86132ccc1482fc6d2c7006a66e37c97d73d21441a8300c07d31cf9a9d0b1032b41dc9f6b6cd00d8a812f6feb301

Download Submit
C:\Users\Admin\AppData\Local\Temp\Steam.exe

Filesize
1.1MB

MD5
6cc3132f1ab90f8898776f4e545dbb13

SHA1
a5821415544e2b131061ede56b5142ef92cea2be

SHA256
11c907ecf283c2f36823356335295ac878d8ee26a8c2b3ec933fc51549ac0042

SHA512
ef0f29948def76e81aaaa2f8a0877b3acce3e86132ccc1482fc6d2c7006a66e37c97d73d21441a8300c07d31cf9a9d0b1032b41dc9f6b6cd00d8a812f6feb301

Download Submit
C:\Windows\SysWOW64\sxteam.exe

Filesize
2.7MB

MD5
759f87a899ae0d3d42959b594e0ea13d

SHA1
ae7e1865b67b3e472fc5763a763b59dbf7e2c997

SHA256
5eb5107ec1d4ef94887d00b6bf3f8109035bd55dd81f99650b41efe6754ea0c6

SHA512
814e077ee8e0f1d764d97ca56e5fa6c9c796601257a383c6867452c6c132fb9caa90277f278c304a5a623a7aee3ccbddc194e9cf85390096cce5d9a5af9dd4c7

Download Submit
C:\Windows\SysWOW64\sxteam.exe

Filesize
2.7MB

MD5
759f87a899ae0d3d42959b594e0ea13d

SHA1
ae7e1865b67b3e472fc5763a763b59dbf7e2c997

SHA256
5eb5107ec1d4ef94887d00b6bf3f8109035bd55dd81f99650b41efe6754ea0c6

SHA512
814e077ee8e0f1d764d97ca56e5fa6c9c796601257a383c6867452c6c132fb9caa90277f278c304a5a623a7aee3ccbddc194e9cf85390096cce5d9a5af9dd4c7

Download Submit
memory/1956-6415-0x0000000000400000-0x00000000006BA000-memory.dmp

Filesize
2.7MB

Download
memory/1956-4-0x0000000000400000-0x00000000006BA000-memory.dmp

Filesize
2.7MB

Download
memory/1956-13081-0x0000000000400000-0x00000000006BA000-memory.dmp

Filesize
2.7MB

Download
memory/1956-13082-0x0000000000400000-0x00000000006BA000-memory.dmp

Filesize
2.7MB

Download
memory/1956-13079-0x0000000000400000-0x00000000006BA000-memory.dmp

Filesize
2.7MB

Download
memory/1956-13080-0x0000000000400000-0x00000000006BA000-memory.dmp

Filesize
2.7MB

Download
memory/1956-13078-0x0000000000400000-0x00000000006BA000-memory.dmp

Filesize
2.7MB

Download
memory/1956-5892-0x0000000076F60000-0x0000000076FDA000-memory.dmp

Filesize
488KB

Download
memory/1956-3883-0x0000000076CE0000-0x0000000076E80000-memory.dmp

Filesize
1.6MB

Download
memory/1956-5-0x0000000075F30000-0x0000000076145000-memory.dmp

Filesize
2.1MB

Download
memory/1956-13101-0x0000000000400000-0x00000000006BA000-memory.dmp

Filesize
2.7MB

Download
memory/2900-13090-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2900-13102-0x0000000075F30000-0x0000000076145000-memory.dmp

Filesize
2.1MB

Download
memory/2900-17382-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/5108-13100-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/5108-13112-0x0000000075F30000-0x0000000076145000-memory.dmp

Filesize
2.1MB

Download
memory/5108-17430-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing