dc0e066dda94f846f61cc031d499b60eefd48a2d1fa54aff1a5b85def4fa072f | Triage

Submit
Reports

Overview

overview

8

Static

static

1

lol sigma.png

windows10-1703-x64

8

Resubmissions

29/08/2024, 12:27

240829-pm6lks1fma 8

29/08/2024, 12:09

240829-pbf7js1akf 3

29/08/2024, 12:02

240829-n7t8lszgle 10

29/08/2024, 11:57

240829-n4kj1ascjn 3

Sharing

Copy URL Twitter E-mail

General

Target

lol sigma.png
Size

581KB
Sample

240829-pm6lks1fma
MD5

c81328a92437a5fb47ad8ac7a201ecb9
SHA1

2abfdd3b313613984e5df397d8d61a134a5fdd6f
SHA256

dc0e066dda94f846f61cc031d499b60eefd48a2d1fa54aff1a5b85def4fa072f
SHA512

a832bf20cd76da90911102b51b74446c0ec33a552ee65214ce0f411a511507342f8ac7444eba11754b3bd23b26c61487c586bb8349db4987c7f8e11cfabbee94
SSDEEP

12288:lWvPh+N/YFnuDjzkJLwnIQWbKMjCWLl0JqOnTsQ6soQK:kI/8nkkV8IQMj96bnTffoQK

Score

8^/10

steam discovery motw persistence phishing

Static task

static1

Behavioral task

behavioral1

Sample

lol sigma.png

Resource

win10-20240404-en

steam discovery motw persistence phishing

windows10-1703-x64

33 signatures

1800 seconds

Malware Config

Targets

- Target
  
  lol sigma.png
- Size
  
  581KB
- MD5
  
  c81328a92437a5fb47ad8ac7a201ecb9
- SHA1
  
  2abfdd3b313613984e5df397d8d61a134a5fdd6f
- SHA256
  
  dc0e066dda94f846f61cc031d499b60eefd48a2d1fa54aff1a5b85def4fa072f
- SHA512
  
  a832bf20cd76da90911102b51b74446c0ec33a552ee65214ce0f411a511507342f8ac7444eba11754b3bd23b26c61487c586bb8349db4987c7f8e11cfabbee94
- SSDEEP
  
  12288:lWvPh+N/YFnuDjzkJLwnIQWbKMjCWLl0JqOnTsQ6soQK:kI/8nkkV8IQMj96bnTffoQK
Score

8^/10

steam discovery motw persistence phishing
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Mark of the Web detected: This indicates that the page was originally saved or cloned.
  phishing motw
- Detected potential entity reuse from brand steam.
  phishing steam
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

steamdiscoverymotwpersistencephishing

© 2018-2025

Terms | Privacy