Analysis Overview
SHA256
494122ff204f3dedaa8f0027f9f98971b32c50acbcce4efa8de0498efa148365
Threat Level: Known bad
The file 494122ff204f3dedaa8f0027f9f98971b32c50acbcce4efa8de0498efa148365 was found to be: Known bad.
Malicious Activity Summary
OutSteel
Reads user/profile data of web browsers
Enumerates connected drives
AutoIT Executable
Suspicious use of SetThreadContext
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-10 10:48
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-10 10:48
Reported
2024-04-10 10:51
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
OutSteel
Reads user/profile data of web browsers
Enumerates connected drives
AutoIT Executable
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3884 set thread context of 4016 | N/A | C:\Users\Admin\AppData\Local\Temp\494122ff204f3dedaa8f0027f9f98971b32c50acbcce4efa8de0498efa148365.exe | C:\Users\Admin\AppData\Local\Temp\494122ff204f3dedaa8f0027f9f98971b32c50acbcce4efa8de0498efa148365.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\494122ff204f3dedaa8f0027f9f98971b32c50acbcce4efa8de0498efa148365.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\494122ff204f3dedaa8f0027f9f98971b32c50acbcce4efa8de0498efa148365.exe | "C:\Users\Admin\AppData\Local\Temp\494122ff204f3dedaa8f0027f9f98971b32c50acbcce4efa8de0498efa148365.exe" |
| C:\Users\Admin\AppData\Local\Temp\494122ff204f3dedaa8f0027f9f98971b32c50acbcce4efa8de0498efa148365.exe | C:\Users\Admin\AppData\Local\Temp\494122ff204f3dedaa8f0027f9f98971b32c50acbcce4efa8de0498efa148365.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| IR | 194.147.142.232:8080 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| IR | 194.147.142.232:8080 | | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| IR | 194.147.142.232:8080 | | tcp |
| US | 52.111.227.14:443 | | tcp |
| IR | 194.147.142.232:8080 | | tcp |
| IR | 194.147.142.232:8080 | | tcp |
| IR | 194.147.142.232:8080 | | tcp |
| US | 8.8.8.8:53 | 95.16.208.104.in-addr.arpa | udp |
Files
memory/3884-0-0x0000000000240000-0x000000000035E000-memory.dmp
memory/3884-1-0x00000000749C0000-0x0000000075170000-memory.dmp
memory/3884-2-0x0000000005230000-0x00000000057D4000-memory.dmp
memory/3884-3-0x0000000004D60000-0x0000000004DF2000-memory.dmp
memory/3884-4-0x0000000004D50000-0x0000000004D60000-memory.dmp
memory/3884-5-0x0000000004F10000-0x0000000004F1A000-memory.dmp
memory/3884-6-0x0000000005070000-0x0000000005092000-memory.dmp
memory/4016-7-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4016-9-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4016-10-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/3884-11-0x00000000749C0000-0x0000000075170000-memory.dmp
memory/4016-12-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4016-13-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4016-15-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4016-19-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4016-32-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4016-31-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4016-39-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4016-43-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4016-47-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4016-48-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4016-51-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4016-52-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4016-59-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4016-63-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4016-67-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4016-81-0x0000000000400000-0x00000000004E2000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-10 10:48
Reported
2024-04-10 10:51
Platform
win7-20240221-en
Max time kernel
130s
Max time network
142s
Command Line
Signatures
OutSteel
Reads user/profile data of web browsers
Enumerates connected drives
AutoIT Executable
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1964 set thread context of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\494122ff204f3dedaa8f0027f9f98971b32c50acbcce4efa8de0498efa148365.exe | C:\Users\Admin\AppData\Local\Temp\494122ff204f3dedaa8f0027f9f98971b32c50acbcce4efa8de0498efa148365.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\494122ff204f3dedaa8f0027f9f98971b32c50acbcce4efa8de0498efa148365.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\494122ff204f3dedaa8f0027f9f98971b32c50acbcce4efa8de0498efa148365.exe | "C:\Users\Admin\AppData\Local\Temp\494122ff204f3dedaa8f0027f9f98971b32c50acbcce4efa8de0498efa148365.exe" |
| C:\Users\Admin\AppData\Local\Temp\494122ff204f3dedaa8f0027f9f98971b32c50acbcce4efa8de0498efa148365.exe | C:\Users\Admin\AppData\Local\Temp\494122ff204f3dedaa8f0027f9f98971b32c50acbcce4efa8de0498efa148365.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A |
Network
| Country | Destination | Domain | Proto |
| IR | 194.147.142.232:8080 | | tcp |
| IR | 194.147.142.232:8080 | | tcp |
| IR | 194.147.142.232:8080 | | tcp |
| IR | 194.147.142.232:8080 | | tcp |
| IR | 194.147.142.232:8080 | | tcp |
| IR | 194.147.142.232:8080 | | tcp |
Files
memory/1964-0-0x0000000001250000-0x000000000136E000-memory.dmp
memory/1964-1-0x0000000074800000-0x0000000074EEE000-memory.dmp
memory/1964-2-0x0000000004A00000-0x0000000004A40000-memory.dmp
memory/1964-3-0x0000000000AA0000-0x0000000000AC2000-memory.dmp
memory/2108-4-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/1964-6-0x0000000074800000-0x0000000074EEE000-memory.dmp
memory/2108-7-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2108-8-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2108-9-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2108-11-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2108-19-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2108-29-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2108-37-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2108-39-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2108-43-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2108-47-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2108-59-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2108-63-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2108-67-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2108-77-0x0000000000400000-0x00000000004E2000-memory.dmp