9912c6879a3bde1745a085b8553c4ea1991b43a7bbc24758339065e24079d2ac

Analysis

max time kernel
130s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 11:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Steam.exe
Size

369.4MB
MD5

6f871624db639b31c6f345b2a10e4df5
SHA1

1d9ebdce2651e8c91930cbc8b7cbcea0b8cb9dbd
SHA256

9912c6879a3bde1745a085b8553c4ea1991b43a7bbc24758339065e24079d2ac
SHA512

16df1995c2e17f9794a048f56949acd689871ae471a45484a126fcfdd7471515a5657e03161d6f057d485b55f528b9a2895b5ccdf76474de7141fb207d6095ef
SSDEEP

6291456:biCwmlhapUql17QolrKz8E04cBCov+3htB1YcLdwIPnQza1fY5bKrSr4:bnfl+HZG+1QnhtB7wuQOZ0mSk

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Steam.exe

Loads dropped DLL 15 IoCs

pid	Process
4676	MsiExec.exe
4676	MsiExec.exe
4676	MsiExec.exe
4676	MsiExec.exe
4676	MsiExec.exe
4676	MsiExec.exe
4676	MsiExec.exe
4676	MsiExec.exe
4676	MsiExec.exe
4676	MsiExec.exe
4080	MsiExec.exe
4080	MsiExec.exe
4080	MsiExec.exe
4080	MsiExec.exe
4080	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	Steam.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	Steam.exe
File opened (read-only)	\??\A:	Steam.exe
File opened (read-only)	\??\V:	Steam.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	Steam.exe
File opened (read-only)	\??\U:	Steam.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	Steam.exe
File opened (read-only)	\??\S:	Steam.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	Steam.exe
File opened (read-only)	\??\H:	Steam.exe
File opened (read-only)	\??\J:	Steam.exe
File opened (read-only)	\??\M:	Steam.exe
File opened (read-only)	\??\E:	Steam.exe
File opened (read-only)	\??\T:	Steam.exe
File opened (read-only)	\??\Y:	Steam.exe
File opened (read-only)	\??\T:	Steam.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	Steam.exe
File opened (read-only)	\??\R:	Steam.exe
File opened (read-only)	\??\Q:	Steam.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	Steam.exe
File opened (read-only)	\??\U:	Steam.exe
File opened (read-only)	\??\V:	Steam.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	Steam.exe
File opened (read-only)	\??\O:	Steam.exe
File opened (read-only)	\??\B:	Steam.exe
File opened (read-only)	\??\I:	Steam.exe
File opened (read-only)	\??\R:	Steam.exe
File opened (read-only)	\??\X:	Steam.exe
File opened (read-only)	\??\E:	Steam.exe
File opened (read-only)	\??\Y:	Steam.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\P:	Steam.exe
File opened (read-only)	\??\Z:	Steam.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	Steam.exe
File opened (read-only)	\??\H:	Steam.exe
File opened (read-only)	\??\K:	Steam.exe
File opened (read-only)	\??\L:	Steam.exe
File opened (read-only)	\??\O:	Steam.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	Steam.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	Steam.exe
File opened (read-only)	\??\K:	Steam.exe
File opened (read-only)	\??\L:	Steam.exe
File opened (read-only)	\??\X:	Steam.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	Steam.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\images\friends\friends_indicator_chat.png	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\images\library\controller\binding_icons\ghost_030_inv_0100.png	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\layout\music\music.xml	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\images\library\controller\hud\dpad_nw.png	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\layout\library\library_filtergames.xml	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\styles\login\join.css	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\bin\cef\cef.win7\api-ms-win-core-debug-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\images\library\controller\binding_icons\ghost_050_menu_0130.png	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\images\store\icon_legacycontroller.png	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\layout\steamlinkauthdialog.xml	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\bin\cef\cef.win7\api-ms-win-core-comm-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\friends\icon_microphone_off.tga	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\images\library\controller\binding_icons\ghost_050_menu_0307.png	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\images\transport_controls\Icon_ffwd.png	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\layout\store\cart_lineitem.xml	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\localization\tenfoot_french.txt	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\bin\cef\cef.win7\VkLayer_parameter_validation.dll	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\images\library\controller\cropped_controller_config_lines_9.png	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\layout\library\choosebinding.xml	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\layout\login\changeemailfail.xml	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\layout\quit.xml	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\localization\tenfoot_portuguese.txt	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\graphics\btnSelLeft.tga	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\steamclient.dll	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\images\library\controller\oobe_gamepad_stick_dn.png	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\resource\vgui_brazilian.txt	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\images\library\controller\binding_icons\ghost_050_menu_0100.png	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\controller_base\localization\xbox_360_polish.txt	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\graphics\new_button_italian.tga	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\html5app\keybinds.cfg	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\images\library\controller\binding_icons\ghost_070_setting_0303.png	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\images\library\controller\cropped_binding_gamepad_active_x.png	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\styles\music\music_playlist_selection.css	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\crashhandler64.dll	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\friends\FriendOnlineNotification.res	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\resource\screenshots_none_selected.tga	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\servers\InternetGamesPage.res	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\images\library\controller\binding_icons\ghost_010_wpn_0421.png	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\images\library\controller\binding_icons\ghost_045_move_0422.png	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\graphics\music_browse_disabled.tga	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\steam\cached\steamui_postlogon_schinese.txt	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\images\library\alpha_controller_callout_right_trigger.png	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\images\library\controller\cropped_binding_gamepad_multi_rs.png	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\steam\cached\nobigpicture.res	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\images\library\controller\cropped_controller_config_lines_11.png	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\public\steamclean_korean.txt	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\resource\vgui_schinese.txt	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\controller_base\localization\dualshock_4_russian.txt	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\ssfn6441554843869345940	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\images\library\icon_readytodownload.png	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\styles\login\createaccount.css	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\drivers\Windows8.1\x86\SteamStreamingMicrophone.inf	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\graphics\btnStdBottom.tga	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\images\browser\browser_back.png	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\bin\cef\cef.win7\cef_extensions.pak	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\bin\shaders\tenfoot\opengl\fancyquaduber.frag	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\resource\vgui_koreana.txt	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\images\library\controller\api\ps4_button_x.png	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\images\library\controller\cropped_binding_gamepad_selection_rt.png	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\bin\cef\cef.win7\api-ms-win-core-util-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\bin\panorama\panorama.dll	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\styles\networklogin.css	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\bin\cef\cef.win7\snapshot_blob.bin	msiexec.exe
File created	C:\Program Files (x86)\VALVE\Steam\graphics\win32_win_restore_hover.tga	msiexec.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57f211.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57f211.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{4C3396E9-4F22-4A35-9DBE-BC39345E714F}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFADE.tmp	msiexec.exe
File created	C:\Windows\Installer\e57f213.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF2DD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFC17.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICC2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF27E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF36A.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000005b1010511f65dd1c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800005b1010510000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809005b101051000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d5b101051000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005b10105100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E6933C422F453A4D9EBCB9343E517F4	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E6933C422F453A4D9EBCB9343E517F4\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E6933C422F453A4D9EBCB9343E517F4\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E6933C422F453A4D9EBCB9343E517F4\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E6933C422F453A4D9EBCB9343E517F4\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E6933C422F453A4D9EBCB9343E517F4\SourceList\Media\1 = "Disk1;Disk1"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E6933C422F453A4D9EBCB9343E517F4\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E6933C422F453A4D9EBCB9343E517F4\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E6933C422F453A4D9EBCB9343E517F4\Language = "1053"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E6933C422F453A4D9EBCB9343E517F4\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E6933C422F453A4D9EBCB9343E517F4\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\08D36798E61ECF441A2D3F6EE3038476	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E6933C422F453A4D9EBCB9343E517F4\SourceList\PackageName = "Steam.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E6933C422F453A4D9EBCB9343E517F4\ProductName = "Steam"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E6933C422F453A4D9EBCB9343E517F4\PackageCode = "07CC54665BB4BF740B4B46793F3C5FA7"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E6933C422F453A4D9EBCB9343E517F4\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E6933C422F453A4D9EBCB9343E517F4\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\08D36798E61ECF441A2D3F6EE3038476\9E6933C422F453A4D9EBCB9343E517F4	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E6933C422F453A4D9EBCB9343E517F4	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E6933C422F453A4D9EBCB9343E517F4\Version = "16777216"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E6933C422F453A4D9EBCB9343E517F4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{4C3396E9-4F22-4A35-9DBE-BC39345E714F}\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E6933C422F453A4D9EBCB9343E517F4\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E6933C422F453A4D9EBCB9343E517F4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\{4C3396E9-4F22-4A35-9DBE-BC39345E714F}\\"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1680	msiexec.exe
1680	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1680	msiexec.exe
Token: SeCreateTokenPrivilege	2364	Steam.exe
Token: SeAssignPrimaryTokenPrivilege	2364	Steam.exe
Token: SeLockMemoryPrivilege	2364	Steam.exe
Token: SeIncreaseQuotaPrivilege	2364	Steam.exe
Token: SeMachineAccountPrivilege	2364	Steam.exe
Token: SeTcbPrivilege	2364	Steam.exe
Token: SeSecurityPrivilege	2364	Steam.exe
Token: SeTakeOwnershipPrivilege	2364	Steam.exe
Token: SeLoadDriverPrivilege	2364	Steam.exe
Token: SeSystemProfilePrivilege	2364	Steam.exe
Token: SeSystemtimePrivilege	2364	Steam.exe
Token: SeProfSingleProcessPrivilege	2364	Steam.exe
Token: SeIncBasePriorityPrivilege	2364	Steam.exe
Token: SeCreatePagefilePrivilege	2364	Steam.exe
Token: SeCreatePermanentPrivilege	2364	Steam.exe
Token: SeBackupPrivilege	2364	Steam.exe
Token: SeRestorePrivilege	2364	Steam.exe
Token: SeShutdownPrivilege	2364	Steam.exe
Token: SeDebugPrivilege	2364	Steam.exe
Token: SeAuditPrivilege	2364	Steam.exe
Token: SeSystemEnvironmentPrivilege	2364	Steam.exe
Token: SeChangeNotifyPrivilege	2364	Steam.exe
Token: SeRemoteShutdownPrivilege	2364	Steam.exe
Token: SeUndockPrivilege	2364	Steam.exe
Token: SeSyncAgentPrivilege	2364	Steam.exe
Token: SeEnableDelegationPrivilege	2364	Steam.exe
Token: SeManageVolumePrivilege	2364	Steam.exe
Token: SeImpersonatePrivilege	2364	Steam.exe
Token: SeCreateGlobalPrivilege	2364	Steam.exe
Token: SeCreateTokenPrivilege	2364	Steam.exe
Token: SeAssignPrimaryTokenPrivilege	2364	Steam.exe
Token: SeLockMemoryPrivilege	2364	Steam.exe
Token: SeIncreaseQuotaPrivilege	2364	Steam.exe
Token: SeMachineAccountPrivilege	2364	Steam.exe
Token: SeTcbPrivilege	2364	Steam.exe
Token: SeSecurityPrivilege	2364	Steam.exe
Token: SeTakeOwnershipPrivilege	2364	Steam.exe
Token: SeLoadDriverPrivilege	2364	Steam.exe
Token: SeSystemProfilePrivilege	2364	Steam.exe
Token: SeSystemtimePrivilege	2364	Steam.exe
Token: SeProfSingleProcessPrivilege	2364	Steam.exe
Token: SeIncBasePriorityPrivilege	2364	Steam.exe
Token: SeCreatePagefilePrivilege	2364	Steam.exe
Token: SeCreatePermanentPrivilege	2364	Steam.exe
Token: SeBackupPrivilege	2364	Steam.exe
Token: SeRestorePrivilege	2364	Steam.exe
Token: SeShutdownPrivilege	2364	Steam.exe
Token: SeDebugPrivilege	2364	Steam.exe
Token: SeAuditPrivilege	2364	Steam.exe
Token: SeSystemEnvironmentPrivilege	2364	Steam.exe
Token: SeChangeNotifyPrivilege	2364	Steam.exe
Token: SeRemoteShutdownPrivilege	2364	Steam.exe
Token: SeUndockPrivilege	2364	Steam.exe
Token: SeSyncAgentPrivilege	2364	Steam.exe
Token: SeEnableDelegationPrivilege	2364	Steam.exe
Token: SeManageVolumePrivilege	2364	Steam.exe
Token: SeImpersonatePrivilege	2364	Steam.exe
Token: SeCreateGlobalPrivilege	2364	Steam.exe
Token: SeCreateTokenPrivilege	2364	Steam.exe
Token: SeAssignPrimaryTokenPrivilege	2364	Steam.exe
Token: SeLockMemoryPrivilege	2364	Steam.exe
Token: SeIncreaseQuotaPrivilege	2364	Steam.exe
Token: SeMachineAccountPrivilege	2364	Steam.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2364	Steam.exe
2364	Steam.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 4676	1680	msiexec.exe	90
PID 1680 wrote to memory of 4676	1680	msiexec.exe	90
PID 1680 wrote to memory of 4676	1680	msiexec.exe	90
PID 2364 wrote to memory of 4956	2364	Steam.exe	98
PID 2364 wrote to memory of 4956	2364	Steam.exe	98
PID 2364 wrote to memory of 4956	2364	Steam.exe	98
PID 1680 wrote to memory of 720	1680	msiexec.exe	105
PID 1680 wrote to memory of 720	1680	msiexec.exe	105
PID 1680 wrote to memory of 4080	1680	msiexec.exe	107
PID 1680 wrote to memory of 4080	1680	msiexec.exe	107
PID 1680 wrote to memory of 4080	1680	msiexec.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Steam.exe
"C:\Users\Admin\AppData\Local\Temp\Steam.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\Steam.exe
  "C:\Users\Admin\AppData\Local\Temp\Steam.exe" /i C:\Users\Admin\AppData\Local\Temp\{4C3396E9-4F22-4A35-9DBE-BC39345E714F}\Steam.msi AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\VALVE\Steam" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Steam" CLIENTPROCESSID="2364" SECONDSEQUENCE="1" CHAINERUIPROCESSID="2364Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_DETECTED_DOTNET_VERSION="4.7.1" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\Steam.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates " TARGETDIR="C:\" AI_INSTALL="1" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\Steam.exe"
  2⤵
  - Enumerates connected drives
  PID:4956

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2C2509B04950C6493B604D8BF04E52D2 C
  2⤵
  - Loads dropped DLL
  PID:4676
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:720
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 490F27F6713CD32BE422EF3F983A0D0A
  2⤵
  - Loads dropped DLL
  PID:4080

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57f212.rbs

Filesize
414KB

MD5
16a697c4e6054225b17bfc9e7bce6add

SHA1
34fa3f29805b699b1c96ad5b6016c52cb92e4155

SHA256
60444eb9afe7bfd5b88ca0ba07cabb294dc168bf3afb5a8537826480241f6657

SHA512
b7713070288c7cf961677543f12a6a155d9f4507994d818a47c7f43556f2deec79a0e0893c65b312d8fd96c80fd255c9daea3793e9014193695a2fc61e5182bb

Download Submit
C:\Program Files (x86)\VALVE\Steam\Steam.exe

Filesize
2.7MB

MD5
ff206944e3a8590fabe10fb2c321aa6d

SHA1
c8e15d6f68373d9e5529f385fdee537b34018fb2

SHA256
77c555667674c9e4473c64921c5f2a7d723fbe28a73eb5ebaa777cd04d11c06b

SHA512
854f97ddc3f842bf6526a2b83fe2cd2555b0c53d98225a1d1a204612f55be349033fe40c282bd4fef383f517168459be5bc2f966055d8de769063241cf96f64c

Download Submit
C:\Program Files (x86)\VALVE\Steam\graphics\icon_button_news_mousedown.tga

Filesize
20KB

MD5
00bf35778a90f9dfa68ce0d1a032d9b5

SHA1
de6a3d102de9a186e1585be14b49390dcb9605d6

SHA256
cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2

SHA512
342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041

Download Submit
C:\Program Files (x86)\VALVE\Steam\graphics\new_button_hover.tga

Filesize
62KB

MD5
59a32bed32f2719244691614aa8fcbeb

SHA1
f981c3a7689d9cadb15b3b6ecb02727924056cc2

SHA256
2c0f0872b0499f12e7ef7c0c444144d2452b1fa6c6bda4eb8acb6e363a11fcf9

SHA512
4b56ea2179985616df79fcf96759659c4841bd1a4416dc6a7a7ce5b901a92fd7274464de45c76612e8896f0a3d24dd6374b47b8c1f81e3376a4eff746c00be73

Download Submit
C:\Program Files (x86)\VALVE\Steam\tenfoot\resource\images\textinput\drop06.tga

Filesize
244KB

MD5
c7afc24e396da59a4ef402ddd2ccbceb

SHA1
dafbca40f8420fdf6c426fa6a3f0f6a43fb493d9

SHA256
996cd2d01542cec922c384708dcbfc8aee8773333ebda9a398f0236675f129b1

SHA512
013ff1f14b8c7214c88e42cf5d270324f4bbac6bf6b5eafa7dadf8d658c0eaa97a52f326df62867dab7926e8edbcb5bac89a0e675c57de5558f78b1bce313ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2364\banner

Filesize
2KB

MD5
ce1143e3563de4e200ba7f4953b3807b

SHA1
d3d4522a4bdcb68672047eb7b830cde532ef34a6

SHA256
a5eefaca044b04460a1ced5fec2229545edf85f01e1d6673e6e14d06b3108c2d

SHA512
c2fd5457d1a0b67f62d6f6d789d906702fe943e11c6e05a9fe77c2d633c347229f90444dcc78104311f90cd9f868b867940c84f28952a92a7b3fd98e6fd9b166

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2364\dialog

Filesize
8KB

MD5
aed83f8acb77f7e74559340e18d4495c

SHA1
16e1d450003200441754d98c8dd2ca438ce79fbb

SHA256
26e2588a77ff89d5fc928ad24467bc8d1e6cff173cc0be348ca9e0299dac94bc

SHA512
35d10946f025270833376408a14bec8b6366b441b2701df45d0427e28f59705b199e43e3e4d21304969eeeabe22f9e4fa32a776944d03b157dd5633aaa7e5e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7531.tmp

Filesize
216KB

MD5
2696b59200d0e8e088ac6492ca3406c1

SHA1
53971958fd68f47121e34c58c6974b581723c1cb

SHA256
758676c57a4603fe5c43a487087956d03b0c9c73f20e92c4ba2380d3ad62a4fb

SHA512
69031dc420bf63234cf252de3a6cb6aa6beba765398eaf2b38d2e5e82d8e8c133c6383528599ddf3e49d48ca404231fb9a1396a6119d1501e662151f85b92105

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI75BE.tmp

Filesize
375KB

MD5
a13b71cbd14fd51000c1f91fcd8aa5ec

SHA1
2cd95edf62d3449d268a452b08e640e971062649

SHA256
df07449fc356ee803e4b79e82887ef49d91fc67949eb25caca84ef668fa82e9a

SHA512
f9b34b5245aae4c674cb07a739b81ab6ccfd63c8b8e05bcac7946da76245051fae0128d4bae0c3b3b11afc2a9d9085d99507f6582810d6b249d3989d073e48dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI84E7.tmp

Filesize
377KB

MD5
9fcaa8f291d5a30dd37a133f141c954e

SHA1
f2a38ae008777052165e1812a0de7adc27e5d549

SHA256
f576f3e913d35325b701c83199822e1905ea140aa8e601a9e45a4c32c11e7077

SHA512
722d93dd0326f322ec6b73c795c269a49fc40adf1df27d34c8a569e87c248f71bfaf59f44f6b17dfd95483d4305afb17144ee9da11425ad586a3045bae43fd01

Download Submit
C:\Users\Admin\AppData\Local\Temp\shiBB41.tmp

Filesize
4.8MB

MD5
77d6c08c6448071b47f02b41fa18ed37

SHA1
e7fdb62abdb6d4131c00398f92bc72a3b9b34668

SHA256
047e2df9ccf0ce298508ee7f0db0abcb2ff9cff9916b6e8a1fbd806b7a9d064b

SHA512
e1aeb8e8b441d755a119f45a465ca5660678f4131984322252bfb6d2cec52e7ee54d65a64b98429b23915eb5707b04b5cd62a85446c60de8842314130a926dbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4C3396E9-4F22-4A35-9DBE-BC39345E714F}\Steam.msi

Filesize
1.5MB

MD5
702338ac91b1fcf76763e1ae79dc6212

SHA1
14f5260df4e401dbfdc470bb68d3542f72d6e907

SHA256
8a8f13af7fb2189c3f9b576dd89944b2a7a86a330ab89a6a12106b7ea82d0df1

SHA512
9b156fccb4f7ddd6c824fc4e76627aa24378490e9d6aeaaaac70577b4d8931fb2887b052ffe9f06357d80ae012c0234a40e29568f486790ae508cf1017ac19ca

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
d0f0ed483d4922d6e6c7cee1868a7468

SHA1
3547b2ee48f0e3ec0372618c2cd55a978737e8ca

SHA256
d3725a6cea80f2f63966ff37f0af2c2f0ec94fe85cf33a40c59203457e111526

SHA512
ad8e9cb3d91ef33ef506ab8068ff7305a386d31e1ac39616b483400fc346297102fbaada3817f68636f74195d9f9c18fd70a744d6110564afdd6b0349d781929

Download Submit
\??\Volume{5110105b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{9927e61d-6762-40ff-9f2a-9de699aaf7fe}_OnDiskSnapshotProp

Filesize
6KB

MD5
1af9d0d95e54487b0385964908889474

SHA1
7b97c89f95453ccdbe0606858560a30d9acab10d

SHA256
8dbfa22099b60b927906da29f68f661f16c5c4dceed9c422a739768b42ba59a7

SHA512
9dc17397a8f28f124bfca5781ea76600f9938e210bbdfa373905c8257db59258738065ef3829804e7ed6063fb565c8de69927d1b408b910113f8376e2f05cdc6

Download Submit