hxxps://steer[.]us/

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2023, 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://steer.us/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133414103130625602"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1592	chrome.exe
1592	chrome.exe
2292	chrome.exe
2292	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 4748	1592	chrome.exe	37
PID 1592 wrote to memory of 4748	1592	chrome.exe	37
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4972	1592	chrome.exe	88
PID 1592 wrote to memory of 4160	1592	chrome.exe	89
PID 1592 wrote to memory of 4160	1592	chrome.exe	89
PID 1592 wrote to memory of 3732	1592	chrome.exe	90
PID 1592 wrote to memory of 3732	1592	chrome.exe	90
PID 1592 wrote to memory of 3732	1592	chrome.exe	90
PID 1592 wrote to memory of 3732	1592	chrome.exe	90
PID 1592 wrote to memory of 3732	1592	chrome.exe	90
PID 1592 wrote to memory of 3732	1592	chrome.exe	90
PID 1592 wrote to memory of 3732	1592	chrome.exe	90
PID 1592 wrote to memory of 3732	1592	chrome.exe	90
PID 1592 wrote to memory of 3732	1592	chrome.exe	90
PID 1592 wrote to memory of 3732	1592	chrome.exe	90
PID 1592 wrote to memory of 3732	1592	chrome.exe	90
PID 1592 wrote to memory of 3732	1592	chrome.exe	90
PID 1592 wrote to memory of 3732	1592	chrome.exe	90
PID 1592 wrote to memory of 3732	1592	chrome.exe	90
PID 1592 wrote to memory of 3732	1592	chrome.exe	90
PID 1592 wrote to memory of 3732	1592	chrome.exe	90
PID 1592 wrote to memory of 3732	1592	chrome.exe	90
PID 1592 wrote to memory of 3732	1592	chrome.exe	90
PID 1592 wrote to memory of 3732	1592	chrome.exe	90
PID 1592 wrote to memory of 3732	1592	chrome.exe	90
PID 1592 wrote to memory of 3732	1592	chrome.exe	90
PID 1592 wrote to memory of 3732	1592	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://steer.us/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe55b69758,0x7ffe55b69768,0x7ffe55b69778
  2⤵
  PID:4748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1868,i,14496476084437176457,9458786476845242622,131072 /prefetch:2
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1868,i,14496476084437176457,9458786476845242622,131072 /prefetch:8
  2⤵
  PID:4160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1868,i,14496476084437176457,9458786476845242622,131072 /prefetch:8
  2⤵
  PID:3732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3008 --field-trial-handle=1868,i,14496476084437176457,9458786476845242622,131072 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3000 --field-trial-handle=1868,i,14496476084437176457,9458786476845242622,131072 /prefetch:1
  2⤵
  PID:3376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=5008 --field-trial-handle=1868,i,14496476084437176457,9458786476845242622,131072 /prefetch:1
  2⤵
  PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3960 --field-trial-handle=1868,i,14496476084437176457,9458786476845242622,131072 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 --field-trial-handle=1868,i,14496476084437176457,9458786476845242622,131072 /prefetch:8
  2⤵
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 --field-trial-handle=1868,i,14496476084437176457,9458786476845242622,131072 /prefetch:8
  2⤵
  PID:3120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5604 --field-trial-handle=1868,i,14496476084437176457,9458786476845242622,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2292

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
77f53d4e6a89f39d273d8ff21ac101ca

SHA1
1c06662d72d9e1ffee417d26dab7370b5e80a3c3

SHA256
10efef0e5c4476c64dd0521e3b1746717a7e6e1768dd50651764887ded4b9196

SHA512
161cf1e7e6512a6b8ea820f378ba1164b07f4920dfd4fb3ff7db494394c4d883f4a963ebfe9e014e297536290fd8d9e2d88bfa5c9f5a5e20a5bf96650b381b03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
4a0700cdcf58a79e29e0b324a2b3b3f4

SHA1
d2dd4cf8e6581c141dcd87d6af4ee350206a3e4d

SHA256
89165d205c0e57c5f795b540364797dedfdaf5b9f7654b1021ed3907a582d3a5

SHA512
48c577be9d098a5d84dce1a4e1d09f3e4677713ab772c0f9378b4a963b288fed675046d0b68d61fb9536a5c6d2d574059babdac47f296ee2c3131f0dc993ab9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
11d71af24e9dac82028d3818e58479f2

SHA1
eb5c613f7c60bdda2a56e5895946ba25d36742ee

SHA256
4e57d5b8cc5426eb36b1585b4a6293ebdfd016a72a70bdc10051cf586d41cf74

SHA512
f2221a1cd311dcef9c61f51b441479a5aa08a539d49e5345e1aa970082b848180020732e3240e9296fa2ac55bbb469a5174d3576f2c79ed9c9af15fc13b0c38e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f1248e5a8c2d7dece87f7488b3d3575f

SHA1
1926141f525f4d5f7e497ae6e51cafdff5d81fb5

SHA256
81dd96a2d061d0ca8655924319149228f92e147634d9f93fa25ebce98ec12e6f

SHA512
b7f616d863db5f2c37b2446f6edcc9010a268e833d685a2c7ff739ade4b60ca64cb24100986b4960e9fd88f96f661128a5ea641504c8dc471f0809d2b0c304cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7187e05c9d300061547d48cb76d8346c

SHA1
f4b3be4ad8bf40bbc8d2dbe2a9a37f7648e5be77

SHA256
bdbd2ab313de17f4d53c7c68e6bb534596b76e5d260a3cce2bf480c1846996d5

SHA512
e9c68ec84aee2fb5c4d5e92c1d064018977c6c86761efadc7384e284f8d01de531636462143cf80a0ff960f614291f73770e3e992b4acd1036d8c903cfbbf934

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
e0978f2e7a5cfae11a4d22fbc375d390

SHA1
efa89f905ec20d7822a70661856f973a2914b3ae

SHA256
accfe704f211079debe14bcfa24a78dfc7f7c3072ed84e1da8b4d7854314bc68

SHA512
90d3d4489e8d815e137140cf7db9316308c5f5e42bddadaf3680b9b590b1b581157616b236768098a2466fcab890c508a35668f4d7caba519e21ff3ee3742c4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit