c9f2e2abb046ff2535537182edf9a9b748aa10a22e98a1d8c948d874f4ffb304

Analysis

max time kernel
39s
max time network
43s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
19-11-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SteamtoolsSetup (1).exe
Size

978KB
MD5

bbf15e65d4e3c3580fc54adf1be95201
SHA1

79091be8f7f7a6e66669b6a38e494cf7a62b5117
SHA256

c9f2e2abb046ff2535537182edf9a9b748aa10a22e98a1d8c948d874f4ffb304
SHA512

9bb261b4ed84af846e07ffb6352960687e59428fd497faa0a37d70b57a1a7430d48ac350fbb0c3f0f11e4231a98ebca4d6923deba0949fdd7a247a3c02737355
SSDEEP

24576:4Fa9OUi2VoN2gZ1M8UQag3BXrYZt+GgGTfG74T+TRcL:Z9OUiTN2gZ1MExEZkkf+4TARg

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Windows\SystemTemp chrome.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

description	ioc	process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133765273150048239"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

4440 chrome.exe
4440 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4440 chrome.exe
4440 chrome.exe
4440 chrome.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe
Token: SeShutdownPrivilege	4440	chrome.exe
Token: SeCreatePagefilePrivilege	4440	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.exe

pid	process
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4440 wrote to memory of 2016	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2016	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 3948	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 3948	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 3948	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 3948	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 3948	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 3948	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 3948	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 3948	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 3948	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 3948	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 3948	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 3948	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 3948	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 3948	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 3948	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 3948	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 3948	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 3948	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 3948	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 3948	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 3948	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 3948	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 3948	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 3948	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 3948	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 3948	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 3948	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 3948	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 3948	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 3948	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 1840	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 1840	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4956	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4956	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4956	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4956	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4956	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4956	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4956	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4956	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4956	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4956	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4956	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4956	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4956	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4956	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4956	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4956	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4956	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4956	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4956	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4956	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4956	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4956	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4956	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4956	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4956	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4956	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4956	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4956	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4956	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4956	4440	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\SteamtoolsSetup (1).exe
"C:\Users\Admin\AppData\Local\Temp\SteamtoolsSetup (1).exe"
1⤵
PID:4112

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe07a4cc40,0x7ffe07a4cc4c,0x7ffe07a4cc58
  2⤵
  PID:2016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1752,i,10313883763233048427,17664653581900623916,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1748 /prefetch:2
  2⤵
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2060,i,10313883763233048427,17664653581900623916,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  PID:1840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,10313883763233048427,17664653581900623916,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2204 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,10313883763233048427,17664653581900623916,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,10313883763233048427,17664653581900623916,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4492,i,10313883763233048427,17664653581900623916,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4456 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4744,i,10313883763233048427,17664653581900623916,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4752 /prefetch:8
  2⤵
  PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4960,i,10313883763233048427,17664653581900623916,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4964 /prefetch:8
  2⤵
  PID:1356

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\089584a4-fac9-4425-87c3-c425c32f232b.tmp

Filesize
233KB

MD5
a9001146fddd595f674efee78e2a9f84

SHA1
0b13309a1851b23421c6d459c6aa0306a9036bd3

SHA256
12ca3f2eeb38fb395b3ba1de9c4f94cafdea5b16f14035ae05ed26a6ba965cc0

SHA512
fa562bcdff41a16fcf370842b90bd6800a3d1195c55250be29882a2a9cd59d1f337a54bbe1a2527a4fe94afa8f62b61a4b6ea2f1d7706132d62b8c4882298635

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
c041b843315d2aa2201fd31c54053be6

SHA1
a764ce0e813f076c0b1728f21c2900e2d3347903

SHA256
7d43c2b8e3c9409747aa88b9071dd4fa536f9c69286f01b80dffd8e18f052afe

SHA512
0029f0b72b7c65939257aa88dce398f6576d1bf57b5eb927bdd1dc12a646b7459c941597807dd5d1c3045ffcf4d51f6f55f8a523b3aa047cca80a28b851b4240

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\6035d7a6-09cf-43c0-a3ac-6f63f1cff793.tmp

Filesize
356B

MD5
4bd79c019d6f19be831d67df2a62bd59

SHA1
8c46d493f0c581fd7703a17f5faea371cd771f44

SHA256
4e539771a7de844968de36b35888dc970378326c37957c32ae492630b872a172

SHA512
ffd134a174e8c458682d04b43218190490392e27865ee588fae5a11ce6b8d59da74e0918f5641fa9e238ad45f532843df4cc1eb7d882720e5074f3d99137d449

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
88a4571b88da444eeed08b0f6aced4a2

SHA1
7c80cec62eeaa1e37781c1f6358b715f82c717c1

SHA256
ad0bc4a39dde49b29d8d93a67a3b953cfbe1521e305fdbaedd22226e693e6e02

SHA512
779f6a006cffe3c415250f6ec1096f3c6b0a4d4513817b7566557b5f34cbfe48b3639e2f4c29efca368d51f3242c215dceb5b525439d8f6bbf5211433ee37d62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
93952fd788871f224a7ede89367bbb51

SHA1
7d20361f28490ed45f7d93ed71f1dac2e23b687d

SHA256
58ac305d78458bd5ef298e44bcf4497dff490fe60d7b75ac7aba45f2300c463f

SHA512
57daa37bb96dee00c98ecb861ce8e431332a9632063d637907651bf9b5f4e7fbc1e3d0fe8f46c62097b38d0958ab4e084c4c141558ee562f2e8f0ad16b65d28d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
8856a7d4fea0fd4bce43c070d5b4a4d9

SHA1
85a9fa29701c61f292f912416e5b5c835208e3d3

SHA256
71bc83bca8d53c3e46df64d4a43515833e3f48429a263df791cd5f3ce37e25be

SHA512
25784df03add74f2f315febe4932cf00c15422c090b084062898ff4ed23cb4dd7fc96f576ddd14903846b3bbc4e9698c0699b6ebda7c47c2e4bdb6220490ebc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
\??\pipe\crashpad_4440_DFYXSBXKTHRRLCPT

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit