e179de0543e0024bf3b90de52ad1786e1d10965d2e2520f166f6ec582371d788

Resubmissions

30-12-2023 14:21

231230-rn6zvaafe2 7

30-12-2023 14:08

231230-rf1svsegcn 7

Analysis

max time kernel
266s
max time network
267s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kb250irm.zip
Size

8.5MB
MD5

7017c1cbc4277988e3898a71a50765c1
SHA1

b7ea9ec2eaa0421462e98b0ae279d02aa6a864c8
SHA256

e179de0543e0024bf3b90de52ad1786e1d10965d2e2520f166f6ec582371d788
SHA512

72c447adec23637c1370e5df1ef971c77d75be17e39446eae7b65c14f1dfd3d9e59491576251fba624e09dd7d0bcbe98aa7496b9fa995ec33b97b37ba0f6fb4a
SSDEEP

196608:I9hMQC+ctzp9iUaA3/MC6qXYKSLE8EVGMrR2Io+et381d3s/:YhA1r30C6qXYF482rU/38v3s/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1780	Steamless.CLI.exe
2640	Steamless.CLI.exe
1516	Steamless.CLI.exe
728	Steamless.CLI.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4932	msedge.exe
4932	msedge.exe
2148	msedge.exe
2148	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	832	7zG.exe
Token: 35	832	7zG.exe
Token: SeSecurityPrivilege	832	7zG.exe
Token: SeSecurityPrivilege	832	7zG.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
832	7zG.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe
2148	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 1928	2148	msedge.exe	127
PID 2148 wrote to memory of 1928	2148	msedge.exe	127
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4636	2148	msedge.exe	129
PID 2148 wrote to memory of 4932	2148	msedge.exe	128
PID 2148 wrote to memory of 4932	2148	msedge.exe	128
PID 2148 wrote to memory of 872	2148	msedge.exe	130
PID 2148 wrote to memory of 872	2148	msedge.exe	130
PID 2148 wrote to memory of 872	2148	msedge.exe	130
PID 2148 wrote to memory of 872	2148	msedge.exe	130
PID 2148 wrote to memory of 872	2148	msedge.exe	130
PID 2148 wrote to memory of 872	2148	msedge.exe	130
PID 2148 wrote to memory of 872	2148	msedge.exe	130
PID 2148 wrote to memory of 872	2148	msedge.exe	130
PID 2148 wrote to memory of 872	2148	msedge.exe	130
PID 2148 wrote to memory of 872	2148	msedge.exe	130
PID 2148 wrote to memory of 872	2148	msedge.exe	130
PID 2148 wrote to memory of 872	2148	msedge.exe	130
PID 2148 wrote to memory of 872	2148	msedge.exe	130
PID 2148 wrote to memory of 872	2148	msedge.exe	130
PID 2148 wrote to memory of 872	2148	msedge.exe	130
PID 2148 wrote to memory of 872	2148	msedge.exe	130
PID 2148 wrote to memory of 872	2148	msedge.exe	130
PID 2148 wrote to memory of 872	2148	msedge.exe	130
PID 2148 wrote to memory of 872	2148	msedge.exe	130
PID 2148 wrote to memory of 872	2148	msedge.exe	130

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\kb250irm.zip
1⤵
PID:1832

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4380

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\kb250irm\" -spe -an -ai#7zMap14032:74:7zEvent28220
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:832

C:\Users\Admin\Desktop\kb250irm\kb250\stool\Steamless.CLI.exe
"C:\Users\Admin\Desktop\kb250irm\kb250\stool\Steamless.CLI.exe"
1⤵
- Executes dropped EXE
PID:1780

C:\Users\Admin\Desktop\kb250irm\kb250\stool\Steamless.CLI.exe
"C:\Users\Admin\Desktop\kb250irm\kb250\stool\Steamless.CLI.exe"
1⤵
- Executes dropped EXE
PID:2640

C:\Users\Admin\Desktop\kb250irm\kb250\stool\Steamless.CLI.exe
"C:\Users\Admin\Desktop\kb250irm\kb250\stool\Steamless.CLI.exe"
1⤵
- Executes dropped EXE
PID:1516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ccmmdd/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffd39f646f8,0x7ffd39f64708,0x7ffd39f64718
  2⤵
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,13489982135473213383,15101335326683768571,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,13489982135473213383,15101335326683768571,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,13489982135473213383,15101335326683768571,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2524 /prefetch:8
  2⤵
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13489982135473213383,15101335326683768571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13489982135473213383,15101335326683768571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13489982135473213383,15101335326683768571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
  2⤵
  PID:3348

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4872

C:\Users\Admin\Desktop\kb250irm\kb250\stool\Steamless.CLI.exe
"C:\Users\Admin\Desktop\kb250irm\kb250\stool\Steamless.CLI.exe"
1⤵
- Executes dropped EXE
PID:728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Steamless.CLI.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4d6e17218d9a99976d1a14c6f6944c96

SHA1
9e54a19d6c61d99ac8759c5f07b2f0d5faab447f

SHA256
32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93

SHA512
3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
98e4bb07d6c683ed2f5ae8d2bf0c0af2

SHA1
b8404221e988da281aeba7b1d68cda6bb3ad46c3

SHA256
50e95a6a5460799c68e2e82d2e48ddec691881f4ae9cad073c0e9b1167663723

SHA512
4d5920d937e79cb919d3ed5a210bcb3410fd6a14a92d93a98051307ae33d5fcd3b2e7ee197d8db557bbb663c302fccb34c22d6aed433e6f5271bcf90bdc5b594

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2467677c804446918284af327c31e8e1

SHA1
8c1996a7026d4cb993e2080581ea8e7bbe0cf493

SHA256
c3c709fd7e0a65e1bbeac59b4e00c7281d59cb88c0689788a1f87e37800d0c85

SHA512
0d77c4d2ae45200ee2ce527be1fd0c511df8edbe35cd79d85fbf70ff556997a99847dde13fda112a30f6dbcb611634c9a2f7aad4a796d502c65372e20a7ce427

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1c7ec27d94da04714401b9adf0b17756

SHA1
3e18d51664cd7c8036552c1557391ae0e7d3363d

SHA256
57be391e5772faf9845cc18c3b6c5e428c1181feaa56c5dd4c4d16472c9ebb52

SHA512
067ce3414a4fdadf8b1fbc79cd0abfdbde43e60b848d9f06e1310f3c1192ab2135347d570baa9c1eee1da941f70e66a85ff4a82fcd6286268c542c97a5f2ba24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0bfb3dc36060e762cee2cfd6871b3f93

SHA1
4bf303d72669f3957480e43d6086fd23b0df04fb

SHA256
f3150a923d35a4b35e5d4990471416f6e1ceaddaeb9c5d6fa4d54358ceaa8dcf

SHA512
0e894795488bfcce051d99d3acecab7492cdd4098cdfefc37f3b035e375ab691ceaa25c10998dd2153062afc00b3a230dc83990441cf5da6602ed5922051dac0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\Desktop\kb250irm\kb250\stool\Plugins\Steamless.API.dll

Filesize
33KB

MD5
2af2cdf92dd30521c983c848f501a067

SHA1
9c0b98627a8d18704dda11fcfdc4d87283cf10c1

SHA256
ef65b553408c2a0cfb226223d28ab248b3449a9699b14f967b51910897a1de17

SHA512
d5c38806d4fdf0ae6a3fdd09b106edbacc32ae296a811c0ae69e4a97c338dbdde4db47dd0cfd79a927f501ccc7325633353ef9ad06a0e0104225481f4494da2b

Download Submit
C:\Users\Admin\Desktop\kb250irm\kb250\stool\Steamless.CLI.exe

Filesize
110KB

MD5
0e18c6c7489ca9abb416a23b31e09782

SHA1
d4ebf9845c3a135a55c7d33ab87c875df39d8941

SHA256
6b78303b21003efbf113e742799eb3dc4bd1c705890f759937d411fac818322f

SHA512
2b961c57bae45f95d50577ba66d59e5ac538a5ad764b4cd6f5edee3775fddbe5ac9bf8fd9806d45542b7d31625ee56c9ec6067029f48e8ba54cfc32774c63745

Download Submit
C:\Users\Admin\Desktop\kb250irm\kb250\stool\Steamless.CLI.exe.config

Filesize
189B

MD5
ef0181de18ef3951806c0ad63b897ba4

SHA1
4b6a4b0f7fbbbd1dceab385e7fac74a35fc132cb

SHA256
e8decc96235b5494880083eb79c22c84c6d9ef312828baf9490bee7782c350ec

SHA512
b1816817e8deaa7b22bc51966e9debed46b254be6463f2ac0204be348baefb751c5d846a5353d43cce66a005a73f6226462b8ec8b59d4e16a54130c327c68b79

Download Submit
memory/728-152-0x0000000074E50000-0x0000000075600000-memory.dmp

Filesize
7.7MB

Download
memory/728-153-0x0000000074E50000-0x0000000075600000-memory.dmp

Filesize
7.7MB

Download
memory/1516-39-0x0000000074E50000-0x0000000075600000-memory.dmp

Filesize
7.7MB

Download
memory/1516-37-0x0000000074E50000-0x0000000075600000-memory.dmp

Filesize
7.7MB

Download
memory/1780-32-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/1780-30-0x0000000002D70000-0x0000000002D7E000-memory.dmp

Filesize
56KB

Download
memory/1780-28-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/1780-27-0x0000000000BB0000-0x0000000000BD2000-memory.dmp

Filesize
136KB

Download
memory/2640-38-0x0000000074E50000-0x0000000075600000-memory.dmp

Filesize
7.7MB

Download
memory/2640-35-0x0000000074E50000-0x0000000075600000-memory.dmp

Filesize
7.7MB

Download