Analysis
- max time kernel: 150s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 11-10-2023 05:13

Static task: static1

Behavioral task: behavioral1
- Sample: SteamSetup.exe
- Resource: win7-20230831-en

Behavioral task: behavioral2
- Sample: SteamSetup.exe
- Resource: win10v2004-20230915-en
General
- Target: SteamSetup.exe
- Size: 7.6MB
- MD5: e9e90acb743b53007dc1b7908cadec37
- SHA1: c396df39ae540bd589802d17bbc5382740f4d861
- SHA256: e6234adc4009f934481d9138b131bf9567514c8384851a5d6e7f0c1fc96cb07b
- SHA512: dfc447434af9f7051587a20cc523236ffd2bcbea638173912f3bf898f90007315c446390ef7ac83b3b1dcfdb4b6cca76a8c7ba4c2ef15b1b60f06bfd77492123
- SSDEEP: 196608:1l7x31wnc72nlUrZADXfphNBbXtVWrLXQr9lba:R31wnc6mAbfpVfWgDa
Malware Config
Signatures
- Detect Xworm Payload (3 IoCs)
  resource | yara_rule
  behavioral1/files/0x0015000000011fff-5.dat | family_xworm
  behavioral1/files/0x0015000000011fff-6.dat | family_xworm
  behavioral1/memory/2348-7-0x0000000000C60000-0x0000000000C7A000-memory.dmp | family_xworm
- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Component Package Support Server.lnk | Component Package Support Server.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Component Package Support Server.lnk | Component Package Support Server.exe
- Executes dropped EXE (4 IoCs)
  pid | Process
  2348 | Component Package Support Server.exe
  2868 | Device Association Framework Provider Host.exe
  1420 | Device Association Framework Provider Host.exe
  1224 | Process not Found
- Loads dropped DLL (2 IoCs)
  pid | Process
  2840 | SteamSetup.exe
  1420 | Device Association Framework Provider Host.exe
- YARA rule match: upx (3 IoCs; the signature name is not given on the page)
  resource | yara_rule
  behavioral1/files/0x0006000000015dde-43.dat | upx
  behavioral1/files/0x0006000000015dde-44.dat | upx
  behavioral1/memory/1420-45-0x000007FEF2060000-0x000007FEF24C6000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Component Package Support Server = "C:\\Users\\Admin\\AppData\\Roaming\\Component Package Support Server.exe" | Component Package Support Server.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | ip-api.com
- Detects Pyinstaller (5 IoCs)
  resource | yara_rule
  behavioral1/files/0x000800000001210a-13.dat | pyinstaller
  behavioral1/files/0x000800000001210a-11.dat | pyinstaller
  behavioral1/files/0x000800000001210a-14.dat | pyinstaller
  behavioral1/files/0x000800000001210a-42.dat | pyinstaller
  behavioral1/files/0x000800000001210a-46.dat | pyinstaller
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  3016 | schtasks.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid | Process
  2348 | Component Package Support Server.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  2508 | powershell.exe
  324 | powershell.exe
  1732 | powershell.exe
  2348 | Component Package Support Server.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2348 | Component Package Support Server.exe
  Token: SeDebugPrivilege | 2508 | powershell.exe
  Token: SeDebugPrivilege | 324 | powershell.exe
  Token: SeDebugPrivilege | 1732 | powershell.exe
  Token: SeDebugPrivilege | 2348 | Component Package Support Server.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  2348 | Component Package Support Server.exe
- Suspicious use of WriteProcessMemory (21 IoCs; each row below is reported three times, giving 21 entries)
  description | pid | Process | procid_target | count
  PID 2840 wrote to memory of 2348 | 2840 | SteamSetup.exe | 28 | 3
  PID 2840 wrote to memory of 2868 | 2840 | SteamSetup.exe | 29 | 3
  PID 2868 wrote to memory of 1420 | 2868 | Device Association Framework Provider Host.exe | 30 | 3
  PID 2348 wrote to memory of 2508 | 2348 | Component Package Support Server.exe | 34 | 3
  PID 2348 wrote to memory of 324 | 2348 | Component Package Support Server.exe | 36 | 3
  PID 2348 wrote to memory of 1732 | 2348 | Component Package Support Server.exe | 38 | 3
  PID 2348 wrote to memory of 3016 | 2348 | Component Package Support Server.exe | 40 | 3
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe (PID 2840)
  command line: "C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe"
  signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Roaming\Component Package Support Server.exe (PID 2348)
    command line: "C:\Users\Admin\AppData\Roaming\Component Package Support Server.exe"
    signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2508)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Component Package Support Server.exe'
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 324)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Component Package Support Server.exe'
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1732)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Component Package Support Server.exe'
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - child: C:\Windows\System32\schtasks.exe (PID 3016)
      command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Component Package Support Server" /tr "C:\Users\Admin\AppData\Roaming\Component Package Support Server.exe"
      signatures: Creates scheduled task(s)
  - child: C:\Users\Admin\AppData\Roaming\Device Association Framework Provider Host.exe (PID 2868)
    command line: "C:\Users\Admin\AppData\Roaming\Device Association Framework Provider Host.exe"
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - child: C:\Users\Admin\AppData\Roaming\Device Association Framework Provider Host.exe (PID 1420)
      command line: "C:\Users\Admin\AppData\Roaming\Device Association Framework Provider Host.exe"
      signatures: Executes dropped EXE; Loads dropped DLL
- C:\Windows\system32\taskeng.exe (PID 1548)
  command line: taskeng.exe {4838B56C-9238-4107-A5B4-A771B823B8C7} S-1-5-21-3513876443-2771975297-1923446376-1000:GPFFWLPI\Admin:Interactive:[1]
Downloads