Analysis Overview
SHA256
7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32
Threat Level: Known bad
The file 7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32 was found to be: Known bad.
Malicious Activity Summary
OutSteel
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Enumerates connected drives
AutoIT Executable
Suspicious use of SetThreadContext
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-10 12:12
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-10 12:12
Reported
2024-04-10 12:15
Platform
win7-20240221-en
Max time kernel
131s
Max time network
144s
Command Line
Signatures
OutSteel
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
AutoIT Executable
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1300 set thread context of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe
"C:\Users\Admin\AppData\Local\Temp\7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe"
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A
Network
| Country | Destination | Domain | Proto |
| RU | 185.244.41.109:8080 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
| MD5 | 6a673bfc3b67ae9782cb31af2f234c68 |
| SHA1 | 7544e89566d91e84e3cd437b9a073e5f6b56566e |
| SHA256 | 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e |
| SHA512 | 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-10 12:12
Reported
2024-04-10 12:15
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
OutSteel
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
AutoIT Executable
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3368 set thread context of 3092 | N/A | C:\Users\Admin\AppData\Local\Temp\7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe
"C:\Users\Admin\AppData\Local\Temp\7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32.exe"
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp |
| RU | 185.244.41.109:8080 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
| MD5 | 9827ff3cdf4b83f9c86354606736ca9c |
| SHA1 | e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723 |
| SHA256 | c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a |
| SHA512 | 8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579 |