Analysis Overview
SHA256
bd83e801b836906bab4854351b4d6000e0a435736524a504b9839b5f7bdf97cc
Threat Level: Known bad
The file bd83e801b836906bab4854351b4d6000e0a435736524a504b9839b5f7bdf97cc was found to be: Known bad.
Malicious Activity Summary
OutSteel
Reads user/profile data of web browsers
Enumerates connected drives
AutoIT Executable
Suspicious use of SetThreadContext
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-10 13:55
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-10 13:55
Reported
2024-04-10 13:58
Platform
win7-20240221-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
OutSteel
Reads user/profile data of web browsers
Enumerates connected drives
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2276 set thread context of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\bd83e801b836906bab4854351b4d6000e0a435736524a504b9839b5f7bdf97cc.exe | C:\Users\Admin\AppData\Local\Temp\bd83e801b836906bab4854351b4d6000e0a435736524a504b9839b5f7bdf97cc.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bd83e801b836906bab4854351b4d6000e0a435736524a504b9839b5f7bdf97cc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bd83e801b836906bab4854351b4d6000e0a435736524a504b9839b5f7bdf97cc.exe
"C:\Users\Admin\AppData\Local\Temp\bd83e801b836906bab4854351b4d6000e0a435736524a504b9839b5f7bdf97cc.exe"
C:\Users\Admin\AppData\Local\Temp\bd83e801b836906bab4854351b4d6000e0a435736524a504b9839b5f7bdf97cc.exe
C:\Users\Admin\AppData\Local\Temp\bd83e801b836906bab4854351b4d6000e0a435736524a504b9839b5f7bdf97cc.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.doc" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.pdf" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.ppt" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.dot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.xl" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.csv" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.rtf" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.dot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.mdb" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.accdb" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.pot" /S /B /A
Network
| Country | Destination | Domain | Proto |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp |
Files
memory/2276-0-0x0000000001050000-0x00000000010DC000-memory.dmp
memory/2276-1-0x00000000742A0000-0x000000007498E000-memory.dmp
memory/2276-2-0x0000000004A40000-0x0000000004A80000-memory.dmp
memory/2276-3-0x0000000000F60000-0x0000000000FDA000-memory.dmp
memory/2276-4-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2956-5-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2276-8-0x00000000742A0000-0x000000007498E000-memory.dmp
memory/2956-7-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2956-9-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2956-10-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2956-24-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2956-28-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2956-36-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2956-44-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2956-48-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2956-56-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2956-60-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2956-64-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2956-68-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/2956-82-0x0000000000400000-0x00000000004E2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-10 13:55
Reported
2024-04-10 13:58
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
OutSteel
Reads user/profile data of web browsers
Enumerates connected drives
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1444 set thread context of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\bd83e801b836906bab4854351b4d6000e0a435736524a504b9839b5f7bdf97cc.exe | C:\Users\Admin\AppData\Local\Temp\bd83e801b836906bab4854351b4d6000e0a435736524a504b9839b5f7bdf97cc.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bd83e801b836906bab4854351b4d6000e0a435736524a504b9839b5f7bdf97cc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bd83e801b836906bab4854351b4d6000e0a435736524a504b9839b5f7bdf97cc.exe
"C:\Users\Admin\AppData\Local\Temp\bd83e801b836906bab4854351b4d6000e0a435736524a504b9839b5f7bdf97cc.exe"
C:\Users\Admin\AppData\Local\Temp\bd83e801b836906bab4854351b4d6000e0a435736524a504b9839b5f7bdf97cc.exe
C:\Users\Admin\AppData\Local\Temp\bd83e801b836906bab4854351b4d6000e0a435736524a504b9839b5f7bdf97cc.exe
C:\Users\Admin\AppData\Local\Temp\bd83e801b836906bab4854351b4d6000e0a435736524a504b9839b5f7bdf97cc.exe
C:\Users\Admin\AppData\Local\Temp\bd83e801b836906bab4854351b4d6000e0a435736524a504b9839b5f7bdf97cc.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp | |
| RU | 45.146.164.37:8080 | tcp |
Files
memory/1444-1-0x0000000074930000-0x00000000750E0000-memory.dmp
memory/1444-0-0x0000000000740000-0x00000000007CC000-memory.dmp
memory/1444-2-0x0000000005750000-0x0000000005CF4000-memory.dmp
memory/1444-3-0x0000000005240000-0x00000000052D2000-memory.dmp
memory/1444-4-0x00000000052E0000-0x0000000005356000-memory.dmp
memory/1444-5-0x00000000054D0000-0x00000000054E0000-memory.dmp
memory/1444-6-0x00000000051D0000-0x00000000051DA000-memory.dmp
memory/1444-7-0x0000000005480000-0x000000000549E000-memory.dmp
memory/1444-8-0x0000000005670000-0x00000000056EA000-memory.dmp
memory/1444-9-0x0000000005460000-0x000000000546E000-memory.dmp
memory/1652-10-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/1652-12-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/1444-14-0x0000000074930000-0x00000000750E0000-memory.dmp
memory/1652-13-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/1652-15-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/1652-17-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/1652-22-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/1652-21-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/1652-25-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/1652-29-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/1652-34-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/1652-33-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/1652-37-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/1652-41-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/1652-49-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/1652-50-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/1652-53-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/1652-57-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/1652-61-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/1652-65-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/1652-66-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/1652-69-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/1652-73-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/1652-87-0x0000000000400000-0x00000000004E2000-memory.dmp