General

  • Target

    SteamSetup.exe

  • Size

    1.5MB

  • Sample

    241121-vqfr8atndt

  • MD5

    81448c2e730b50b597bbd5e43007ce6a

  • SHA1

    4b1b85ec2499a4ce07c89609b256923a4fc479e5

  • SHA256

    3bc6942fe09f10ed3447bccdcf4a70ed369366fef6b2c7f43b541f1a3c5d1c51

  • SHA512

    c9125b79012e00fc9ee800592dece583a97756b5f4485c4649f3a11143afa673b4d386af256129032064f158186542bca7da70cd31770cd7eb4a3176c96e7124

  • SSDEEP

    24576:QDliBd5TyliR0gWwOvTCU1z3zk51iq449nkU0/1COmcrOqpXzzE2YeshfLKB7:QD8tylwXoTCWi1iq1nkU09lRENhJLKB7

Malware Config

Targets

    • Target

      SteamSetup.exe

    • Size

      1.5MB

    • MD5

      81448c2e730b50b597bbd5e43007ce6a

    • SHA1

      4b1b85ec2499a4ce07c89609b256923a4fc479e5

    • SHA256

      3bc6942fe09f10ed3447bccdcf4a70ed369366fef6b2c7f43b541f1a3c5d1c51

    • SHA512

      c9125b79012e00fc9ee800592dece583a97756b5f4485c4649f3a11143afa673b4d386af256129032064f158186542bca7da70cd31770cd7eb4a3176c96e7124

    • SSDEEP

      24576:QDliBd5TyliR0gWwOvTCU1z3zk51iq449nkU0/1COmcrOqpXzzE2YeshfLKB7:QD8tylwXoTCWi1iq1nkU09lRENhJLKB7

    • Renames multiple (5886) files with added filename extension

      This suggests ransomware activity: the files on the system are being encrypted.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      $PLUGINSDIR/StdUtils.dll

    • Size

      99KB

    • MD5

      98a4efba4e4b566dc3d93d2d9bfcab58

    • SHA1

      8c54ae9fcec30b2beea8b6af4ead0a76d634a536

    • SHA256

      e2ad7736209d62909a356248fce8e554093339b18ef3e6a989a3c278f177ad48

    • SHA512

      2dbc9a71e666ebf782607d3ca108fd47aa6bce1d0ac2a19183cc5187dd342307b64cb88906369784518922a54ac20f408d5a58f77c0ed410e2ccf98e4e9e39a0

    • SSDEEP

      1536:Lyy+HcFWrX52XWcS15c4DBVOw/bEQvWt6uouMw5m0mhdBu4NpBTvO7Fvo6mVS6oN:Oy+8ozImcSNd1YHbMbC

    Score
    3/10
    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      a4dd044bcd94e9b3370ccf095b31f896

    • SHA1

      17c78201323ab2095bc53184aa8267c9187d5173

    • SHA256

      2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

    • SHA512

      87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

    • SSDEEP

      192:em24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35OlESl:m8QIl975eXqlWBrz7YLOlE

    Score
    3/10
    • Target

      $PLUGINSDIR/nsDialogs.dll

    • Size

      9KB

    • MD5

      0d45588070cf728359055f776af16ec4

    • SHA1

      c4375ceb2883dee74632e81addbfa4e8b0c6d84a

    • SHA256

      067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a

    • SHA512

      751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

    • SSDEEP

      192:ob8cSzvTyl4tgi8pPjQM0PuAg0YNyhIFtSP:mBSzm+t18pZ0WAg0RhIFg

    Score
    3/10
    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      c5b9fe538654a5a259cf64c2455c5426

    • SHA1

      db45505fa041af025de53a0580758f3694b9444a

    • SHA256

      7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7

    • SHA512

      f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

    • SSDEEP

      96:xr7fhfKaGgchPzxK6bq+pKX6D8ZLidGgmkNL38:xxbGgGPzxeX6D8ZyGgmkN

    Score
    3/10
    • Target

      $PLUGINSDIR/nsProcess.dll

    • Size

      4KB

    • MD5

      f0438a894f3a7e01a4aae8d1b5dd0289

    • SHA1

      b058e3fcfb7b550041da16bf10d8837024c38bf6

    • SHA256

      30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

    • SHA512

      f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

    • SSDEEP

      48:Sz4joMeH+Iwdf8Rom/L+rOnnk5/OCnXeAdbdOAa4GPI+CJ87eILzlq7gthwIsEQW:64c/eFdfS/SSnkxNa4G+ueqPuCtGsj

    Score
    3/10
    • Target

      Steam.exe

    • Size

      3.1MB

    • MD5

      565d90cdc73f2cbc03d5c184c70fc524

    • SHA1

      a676fab0be82968b922df4f611eda4dda63b7806

    • SHA256

      70bde9e88aa386aa5139cac0c8a78b5576f1bed9e5f719c4e620d5c0cf7d5cbf

    • SHA512

      7723098706d990259f6fcfc96c3dad15de951148b7122004b39e2e8c6db87f64d91cf45b693af88e1d0837824d96ec05dfba54ab7a02088a0b3f9052c2c335c2

    • SSDEEP

      49152:7hnDK926jryDyLzEgmImO7cnlJjO8tWE7OdDEJy7+Py4goHsFbaPbu+dZmPNK5PN:7lDK92QrWgj+C8t37KDayj4gOs+RmP+

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      bin/SteamService.exe

    • Size

      1.6MB

    • MD5

      3e654318b9c1203beb7f4aefb2f6d839

    • SHA1

      5b147ca8d77e4985298c63d0ed09a217149fe665

    • SHA256

      2cdb8a21456df3dbc46c23460be079bf285b1352bd6b131f572d4cb52bacf252

    • SHA512

      0cde534c2f0d350c21b1ac994c9530e9692c9738921393c9c61ca7e1af8d8587fae7b8bfa1038fead9a630c0fc0a257967a962cbb55c6bfa776162b3b6678e6a

    • SSDEEP

      49152:4TkEJyJrAQ3o12xy6k4gnqPbx5rm+T4qvg:4TkEJy6Q3kqyh4gknmt

    Score
    1/10
    • Target

      uninstall.exe

    • Size

      137KB

    • MD5

      04ac66825466772809e5f5a7d6d66292

    • SHA1

      16048e430e9f58cc6ff855938e3dcc0fb597264c

    • SHA256

      8f648df6a34445236155b2094905d1fb142e3f9cc314781c4361cf3c052e77f6

    • SHA512

      dbc86e084312f9f22a1703965ae4b52fe00afff908b9fd01ff7d86a24b0b4f91eabe5fab45c91e44819d7ec7ca241281e759064549f9c2cb74ae93418c8a9c78

    • SSDEEP

      1536:BMaAWOz2YOFw3ae4ptaq5qHSlTBuw+I/JFOh5N/Lq33TguZ5Kse85JqeITwr/QCe:BAe+3aJpgWXTBuA/JFONMVHdrFqbvLl

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      $PLUGINSDIR/LangDLL.dll

    • Size

      5KB

    • MD5

      0c44f21d4afc81cc99fac7cc35e4503a

    • SHA1

      3d0d5c684df99a46510c0e2c0020163a9d11c08d

    • SHA256

      8dc2be6679497994e3ddc97bc7bc1ce2b3c17ef3528b03ded6696ef198a11d10

    • SHA512

      4e4bd35d6aa21cecbfe7a93a2ee7db8ee78ca710a4193dfe240d1067afbe10f61db332c1c85f6cc3ba404d895a959742401b615ef8ff5bd9028254c4a43a0923

    • SSDEEP

      48:S46+/N3TKYKxbWsptIpBtWZ0iV8jAWiAJCvxft2O2B8mCofjLl:zPuPbOBtWZBV8jAWiAJCdv2CmpL

    Score
    3/10
    • Target

      $PLUGINSDIR/ShellLink.dll

    • Size

      4KB

    • MD5

      d62d3e349689811f838dd10fb216eba1

    • SHA1

      edcafd517860cb6b4bd299e20b17ad74a6fa2a5d

    • SHA256

      5d103419245e2a5f124a96cace25d6836b2398edc0aa3919829b0fd6ad8b5d6a

    • SHA512

      fc7d5826cb9f85068ea702f007920bf7ae63758d13c48761e83cc9e8ac06b231f40e17a9f3340d60d874ad2cf6e0991eb98a52cf893ab785489e0cdbbf294f88

    • SSDEEP

      96:fQW7e3a0JF5jdrORE6C4tb+X+bzYz3Cl6nfkfLGpRO:4687JQCdiaR

    Score
    3/10
    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      c5b9fe538654a5a259cf64c2455c5426

    • SHA1

      db45505fa041af025de53a0580758f3694b9444a

    • SHA256

      7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7

    • SHA512

      f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

    • SSDEEP

      96:xr7fhfKaGgchPzxK6bq+pKX6D8ZLidGgmkNL38:xxbGgGPzxeX6D8ZyGgmkN

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

discovery, persistence
Score
7/10

behavioral2

discovery, persistence, ransomware
Score
9/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

discovery
Score
3/10

behavioral10

discovery
Score
3/10

behavioral11

discovery
Score
3/10

behavioral12

discovery
Score
3/10

behavioral13

discovery
Score
7/10

behavioral14

discovery
Score
3/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

discovery
Score
7/10

behavioral18

discovery
Score
7/10

behavioral19

discovery
Score
3/10

behavioral20

discovery
Score
3/10

behavioral21

discovery
Score
3/10

behavioral22

discovery
Score
3/10

behavioral23

discovery
Score
3/10

behavioral24

discovery
Score
3/10