hxxps://steeamcommnity[.]com/guesto/bunio/treski

Analysis

max time kernel
42s
max time network
36s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
15-12-2024 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://steeamcommnity.com/guesto/bunio/treski

Score

7^/10

steam discovery phishing

Malware Config

Signatures

A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
Detected potential entity reuse from brand STEAM.
phishing steam
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3272	msedge.exe
3272	msedge.exe
4820	msedge.exe
4820	msedge.exe
1948	identity_helper.exe
1948	identity_helper.exe
708	msedge.exe
708	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 2648	4820	msedge.exe	79
PID 4820 wrote to memory of 2648	4820	msedge.exe	79
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3220	4820	msedge.exe	80
PID 4820 wrote to memory of 3272	4820	msedge.exe	81
PID 4820 wrote to memory of 3272	4820	msedge.exe	81
PID 4820 wrote to memory of 3132	4820	msedge.exe	82
PID 4820 wrote to memory of 3132	4820	msedge.exe	82
PID 4820 wrote to memory of 3132	4820	msedge.exe	82
PID 4820 wrote to memory of 3132	4820	msedge.exe	82
PID 4820 wrote to memory of 3132	4820	msedge.exe	82
PID 4820 wrote to memory of 3132	4820	msedge.exe	82
PID 4820 wrote to memory of 3132	4820	msedge.exe	82
PID 4820 wrote to memory of 3132	4820	msedge.exe	82
PID 4820 wrote to memory of 3132	4820	msedge.exe	82
PID 4820 wrote to memory of 3132	4820	msedge.exe	82
PID 4820 wrote to memory of 3132	4820	msedge.exe	82
PID 4820 wrote to memory of 3132	4820	msedge.exe	82
PID 4820 wrote to memory of 3132	4820	msedge.exe	82
PID 4820 wrote to memory of 3132	4820	msedge.exe	82
PID 4820 wrote to memory of 3132	4820	msedge.exe	82
PID 4820 wrote to memory of 3132	4820	msedge.exe	82
PID 4820 wrote to memory of 3132	4820	msedge.exe	82
PID 4820 wrote to memory of 3132	4820	msedge.exe	82
PID 4820 wrote to memory of 3132	4820	msedge.exe	82
PID 4820 wrote to memory of 3132	4820	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://steeamcommnity.com/guesto/bunio/treski
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff963ff3cb8,0x7ff963ff3cc8,0x7ff963ff3cd8
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,8728673533775818314,13839862445932937664,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,8728673533775818314,13839862445932937664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,8728673533775818314,13839862445932937664,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,8728673533775818314,13839862445932937664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,8728673533775818314,13839862445932937664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,8728673533775818314,13839862445932937664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,8728673533775818314,13839862445932937664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1856,8728673533775818314,13839862445932937664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,8728673533775818314,13839862445932937664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:3240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,8728673533775818314,13839862445932937664,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,8728673533775818314,13839862445932937664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2704 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,8728673533775818314,13839862445932937664,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:2028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a2c784e6d797d91d4b8612e14d51bd

SHA1
25e2b07c396ee82e4404af09424f747fc05f04c2

SHA256
18ddbb93c981d8006071f9d26924ce3357cad212cbb65f48812d4a474c197ce6

SHA512
fc35688ae3cd448ed6b2069d39ce1219612c54f5bb0dd7b707c9e6f39450fe9fb1338cf5bd0b82a45207fac2fbab1e0eae77e5c9e6488371390eab45f76a5df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1fc959921446fa3ab5813f75ca4d0235

SHA1
0aeef3ba7ba2aa1f725fca09432d384b06995e2a

SHA256
1b1e89d3b2f3da84cc8494d07cf0babc472c426ccb1c4ae13398243360c9d02c

SHA512
899d1e1b0feece25ac97527daddcaaeb069cb428532477849eba43a627502c590261f2c26fef31e4e20efd3d7eb0815336a784c4d2888e05afcf5477af872b06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4ccb6310-eb7a-4488-924c-ff8fe423d284.tmp

Filesize
874B

MD5
579514aaf88d446c4a835d6629d176ed

SHA1
5b0ba2dce42846debebbf70940f5fd820c0d3501

SHA256
cf99d80f3093d2e278fc629c9eb482786b61e66b71f785a97ec330d363c76b4b

SHA512
847dbc752c6e62a242ca4f73e9c3acf7483d02338a036ceb5636085a8ee634626d15d43071abb86016149ae60d53a8c0e48b6f13624061292b2f8dd7a1dbbbe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
40ccbd65bb13900f66e8f9bddbdf88f4

SHA1
46c2084d53bad852870448a6f98edbeabfb83f6d

SHA256
b2b038683cfa124bd14e2ccfaa09d8c995a3bb5de0a68b7e7a0b64e24c2c2319

SHA512
17a511feb4e56c35712970408ee73a861ec9a105325a9bcbeb32f2cfe98fc9eaf6111f841ca2aff31d44f419ae9b7a08e9965932e97089d8013119ff8b5a166d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6f368ca00c8ca7fdbc498112e1f8e398

SHA1
efc907926cef482d0be0c9491041bf393d985dc8

SHA256
10bf036ffd19d1e5eab6c964f13ae32adda58f03625ce61b42b73a503865f477

SHA512
38f0b28acc749926b66951cb7b0429af6c71eeef29645cd98d2d4ae8febc62afd3563ffd380eef4f5f3911da1cc0720ae3893de501c6103034acb8cff1a426ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
eaae4a71fddac0c9da55bd03ead4936f

SHA1
39bbf9584918ccc16c3287b01114ce07a3df747a

SHA256
ab610906798cc0fa901376cb7994e30396d929ee0171332bfc576f3309f8f496

SHA512
591bee65659bffe014db7292801dd1fb96a36d5fbe574fc3efdc05a1b91fc3bae46f5cec2dd364c02176d2b454fb96b87aed669db385d8b20a770a63eec45df3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
8657faa0cd17b1eb11e8fa7258b11a5c

SHA1
3cfc5c47395a215631ff5a9029d2c815da2cdc4b

SHA256
50c11730171afdae7da182399535afcc166113381ad6f224be0fc48686d20d26

SHA512
8b5c7e343181cfbf3b66d6016b4b3b5b4045bb1290b347d0b8c58983a6332265c2bf1d5e736a66303d4c83077501366f622f75914f26b6aee973481cbb075b88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e3a9.TMP

Filesize
707B

MD5
8aeedf02c604fb5316f58c2176383d52

SHA1
b816f1736375022742ffcef35c2d010c8690cab8

SHA256
3f360221c44e31f2c1a168eeced2d2d2761b2bea6d83079d8f7195c30a7566df

SHA512
60a54ec9ddeb2501de42f58baa8e58b4db73ac1c4d01ff1b244a2334fa5cb82eaa4a812b81612732dee39467f1ade5376717f1b7760f2f4ad9a36ab3dc0677f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c7b72f05ad7ecc7c7a551808409e7747

SHA1
571d027102c5f87a436ae8f46e5f81390f1062e9

SHA256
85c38399be784da43e130627f5f491c20c116fd6307c51212fb29f7dda9e42eb

SHA512
4c1464530800548042abc8307798123e30e23822ea995fe284fd871d2c0fdce83d4d1631d51de20e3217f802a30f0d275b2aad60b456ec6c2a13455bd0e649e6

Download Submit