Analysis Overview
SHA256
c10e6644c3ce7477a8f423d8d18a30798c5f3b4a4cdab531e247b73c0572d2f6
Threat Level: Shows suspicious behavior
The file SteamConverter.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Unsigned PE
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-03-04 19:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-04 19:27
Reported
2024-03-04 19:30
Platform
win10-20240221-en
Max time kernel
181s
Max time network
189s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SteamConverter.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SteamConverter.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\SteamConverter.exe
"C:\Users\Admin\AppData\Local\Temp\SteamConverter.exe"
C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\cbfa946cbb0a4344845191f0572140d6 /t 352 /p 368
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 129.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.steampowered.com | udp |
| GB | 23.214.154.77:443 | api.steampowered.com | tcp |
| DE | 162.254.197.38:27018 | | tcp |
| US | 8.8.8.8:53 | 77.154.214.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.197.254.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.178.17.96.in-addr.arpa | udp |
Files
\Users\Admin\AppData\Local\Temp\b6e2897f-c180-459a-bb92-bbb942070e0b\BunifuDotNetRT.dll
| MD5 | a20aa843d4c7d0509757dea2788cfbde |
| SHA1 | 31ca5e73c12613b2dc0c1ec383c76dd264786935 |
| SHA256 | b43ab8d1d08c773f443399f8610a433308a1857c89741e85b42adbb351c47c86 |
| SHA512 | f0a4a10d6b85380f875721137823a3314e53685d94d063c3d44377b40883eb9e6a50e77b94289ae1bf30d06c252b9318817674126fb9a555a17dc4a553e2d52d |