hxxps://steamunlocked[.]net/

Resubmissions

23-10-2024 22:53

241023-2tykrstbnc 3

20-10-2024 16:34

20-10-2024 00:10

20-10-2024 00:07

20-10-2024 00:05

20-10-2024 00:00

Analysis

max time kernel
194s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2024 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://steamunlocked.net/

Score

8^/10

discovery motw persistence phishing privilege_escalation

Malware Config

Signatures

Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 4 IoCs

Processes:

EzExtractSetup.exeEzExtractProApp.exeEzExtractSetup (2).exeEzExtractSetup (2).exe

pid	Process
9020	EzExtractSetup.exe
6780	EzExtractProApp.exe
8904	EzExtractSetup (2).exe
3076	EzExtractSetup (2).exe

Loads dropped DLL 21 IoCs

Processes:

EzExtractSetup.exeregsvr32.exeregsvr32.exeregsvr32.exeEzExtractProApp.exeEzExtractSetup (2).exeEzExtractSetup (2).exe

pid	Process
9020	EzExtractSetup.exe
9020	EzExtractSetup.exe
9020	EzExtractSetup.exe
9020	EzExtractSetup.exe
9020	EzExtractSetup.exe
9020	EzExtractSetup.exe
9020	EzExtractSetup.exe
9020	EzExtractSetup.exe
8488	regsvr32.exe
3680	regsvr32.exe
8184	regsvr32.exe
9020	EzExtractSetup.exe
6780	EzExtractProApp.exe
8904	EzExtractSetup (2).exe
8904	EzExtractSetup (2).exe
3076	EzExtractSetup (2).exe
3076	EzExtractSetup (2).exe
3076	EzExtractSetup (2).exe
8904	EzExtractSetup (2).exe
8904	EzExtractSetup (2).exe
3076	EzExtractSetup (2).exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
172	whatismyipaddress.com
173	whatismyipaddress.com
174	whatismyipaddress.com

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs

phishing motw

Processes:

flow	ioc
475	https://storage.googleapis.com/script.aniview.com/ssync/62f53b2c7850d0786f227f64/ssync.html

Drops file in Program Files directory 5 IoCs

Processes:

EzExtractSetup.exe

description	ioc	Process
File created	C:\Program Files (x86)\EzExtractPro\EzExtractProCoreDll.dll	EzExtractSetup.exe
File created	C:\Program Files (x86)\EzExtractPro\EzExtractProShell.dll	EzExtractSetup.exe
File created	C:\Program Files (x86)\EzExtractPro\EzExtractProShell32.dll	EzExtractSetup.exe
File created	C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe	EzExtractSetup.exe
File created	C:\Program Files (x86)\EzExtractPro\uninstall.exe	EzExtractSetup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

EzExtractSetup (2).exeEzExtractSetup.exeregsvr32.exeregsvr32.exeEzExtractSetup (2).exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EzExtractSetup (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EzExtractSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EzExtractSetup (2).exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeEzExtractProApp.exeregsvr32.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.xz\shellex\ContextMenuHandlers\{3D983473-BB31-4609-9F85-3A93CE453FC7}	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	EzExtractProApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	EzExtractProApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{3D983473-BB31-4609-9F85-3A93CE453FC7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.zip	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.7z\shellex\ContextMenuHandlers\{3D983473-BB31-4609-9F85-3A93CE453FC7}\ = "EzExtractPro Context Menu Handler"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.lzh\shellex\ContextMenuHandlers	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.xz\shellex\ContextMenuHandlers\{3D983473-BB31-4609-9F85-3A93CE453FC7}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	EzExtractProApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.zipx\shellex\ContextMenuHandlers	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	EzExtractProApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "3"	EzExtractProApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{3D983473-BB31-4609-9F85-3A93CE453FC7}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\EzExtractPro.Archive	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.jar\shellex\ContextMenuHandlers\{3D983473-BB31-4609-9F85-3A93CE453FC7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.tar\shellex\ContextMenuHandlers\{3D983473-BB31-4609-9F85-3A93CE453FC7}\ = "EzExtractPro Context Menu Handler"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.xz\shellex\ContextMenuHandlers\{3D983473-BB31-4609-9F85-3A93CE453FC7}\ = "EzExtractPro Context Menu Handler"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	EzExtractProApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	EzExtractProApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	EzExtractProApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.7z\shellex\ContextMenuHandlers	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.arj\shellex\ContextMenuHandlers\{3D983473-BB31-4609-9F85-3A93CE453FC7}\ = "EzExtractPro Context Menu Handler"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.lz\shellex\ContextMenuHandlers\{3D983473-BB31-4609-9F85-3A93CE453FC7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.lzh\shellex\ContextMenuHandlers\{3D983473-BB31-4609-9F85-3A93CE453FC7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.gz\shellex\ContextMenuHandlers\{3D983473-BB31-4609-9F85-3A93CE453FC7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{3D983473-BB31-4609-9F85-3A93CE453FC7}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.arj\shellex\ContextMenuHandlers\{3D983473-BB31-4609-9F85-3A93CE453FC7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.cab\shellex\ContextMenuHandlers\{3D983473-BB31-4609-9F85-3A93CE453FC7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.zipx	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	EzExtractProApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	EzExtractProApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	EzExtractProApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.x\shellex	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.bgz\shellex\ContextMenuHandlers\{3D983473-BB31-4609-9F85-3A93CE453FC7}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	EzExtractProApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3D983473-BB31-4609-9F85-3A93CE453FC7}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.zip\shellex\ContextMenuHandlers\{3D983473-BB31-4609-9F85-3A93CE453FC7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.iso\shellex\ContextMenuHandlers	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SystemFileAssociations\.tar\shellex\ContextMenuHandlers\{3D983473-BB31-4609-9F85-3A93CE453FC7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.xz	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	EzExtractProApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	EzExtractProApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	EzExtractProApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	EzExtractProApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 6c003100000000004759a14b10004f4e454e4f547e310000540009000400efbe4759a14b4759a64b2e00000016290200000001000000000000000000000000000000dbdf0a004f006e0065004e006f007400650020004e006f007400650062006f006f006b007300000018000000	EzExtractProApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	EzExtractProApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\EzExtractPro.Archive\DefaultIcon	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.zip\shellex\ContextMenuHandlers	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.lzh\shellex\ContextMenuHandlers\{3D983473-BB31-4609-9F85-3A93CE453FC7}\ = "EzExtractPro Context Menu Handler"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.zipx\shellex\ContextMenuHandlers\{3D983473-BB31-4609-9F85-3A93CE453FC7}\ = "EzExtractPro Context Menu Handler"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	EzExtractProApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.7z\shellex	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	EzExtractProApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 60003100000000004759a24b10004d594e4f54457e310000480009000400efbe4759a14b4759a24b2e00000017290200000001000000000000000000000000000000f1e722004d00790020004e006f007400650062006f006f006b00000018000000	EzExtractProApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D983473-BB31-4609-9F85-3A93CE453FC7}\ = "EzExtractPro Context Menu Handler"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D983473-BB31-4609-9F85-3A93CE453FC7}\ManualSafeSave = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.gz\shellex\ContextMenuHandlers\{3D983473-BB31-4609-9F85-3A93CE453FC7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D983473-BB31-4609-9F85-3A93CE453FC7}\InProcServer32\ = "C:\\Program Files (x86)\\EzExtractPro\\EzExtractProShell32.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.zip\shellex\ContextMenuHandlers\{3D983473-BB31-4609-9F85-3A93CE453FC7}\ = "EzExtractPro Context Menu Handler"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.bz2\shellex\ContextMenuHandlers	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.x\shellex\ContextMenuHandlers\{3D983473-BB31-4609-9F85-3A93CE453FC7}\ = "EzExtractPro Context Menu Handler"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.zst\shellex\ContextMenuHandlers\{3D983473-BB31-4609-9F85-3A93CE453FC7}\ = "EzExtractPro Context Menu Handler"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.lzh\shellex\ContextMenuHandlers\{3D983473-BB31-4609-9F85-3A93CE453FC7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.uue\shellex\ContextMenuHandlers\{3D983473-BB31-4609-9F85-3A93CE453FC7}	regsvr32.exe

NTFS ADS 5 IoCs

Processes:

msedge.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 26233.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 171670.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 848814.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 656581.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 598058.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	Process
4788	msedge.exe
4788	msedge.exe
4148	msedge.exe
4148	msedge.exe
396	identity_helper.exe
396	identity_helper.exe
6996	msedge.exe
6996	msedge.exe
8912	msedge.exe
8912	msedge.exe
6956	msedge.exe
6956	msedge.exe
6956	msedge.exe
6956	msedge.exe
7288	msedge.exe
7288	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

EzExtractProApp.exe

pid	Process
6780	EzExtractProApp.exe

Suspicious behavior: LoadsDriver 10 IoCs

Processes:

pid	Process
4