hxxps://store[.]steampowered[.]com/app/3107230/Pantheon_Rise_of_the_Fallen/#app_reviews_hash

Analysis

max time kernel
42s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://store.steampowered.com/app/3107230/Pantheon_Rise_of_the_Fallen/#app_reviews_hash

Score

6^/10

steam discovery phishing

Malware Config

Signatures

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Detected potential entity reuse from brand STEAM.
phishing steam
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133788406209746803"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4888	chrome.exe
4888	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4888	chrome.exe
4888	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 1624	4888	chrome.exe	84
PID 4888 wrote to memory of 1624	4888	chrome.exe	84
PID 4888 wrote to memory of 3656	4888	chrome.exe	85
PID 4888 wrote to memory of 3656	4888	chrome.exe	85
PID 4888 wrote to memory of 3656	4888	chrome.exe	85
PID 4888 wrote to memory of 3656	4888	chrome.exe	85
PID 4888 wrote to memory of 3656	4888	chrome.exe	85
PID 4888 wrote to memory of 3656	4888	chrome.exe	85
PID 4888 wrote to memory of 3656	4888	chrome.exe	85
PID 4888 wrote to memory of 3656	4888	chrome.exe	85
PID 4888 wrote to memory of 3656	4888	chrome.exe	85
PID 4888 wrote to memory of 3656	4888	chrome.exe	85
PID 4888 wrote to memory of 3656	4888	chrome.exe	85
PID 4888 wrote to memory of 3656	4888	chrome.exe	85
PID 4888 wrote to memory of 3656	4888	chrome.exe	85
PID 4888 wrote to memory of 3656	4888	chrome.exe	85
PID 4888 wrote to memory of 3656	4888	chrome.exe	85
PID 4888 wrote to memory of 3656	4888	chrome.exe	85
PID 4888 wrote to memory of 3656	4888	chrome.exe	85
PID 4888 wrote to memory of 3656	4888	chrome.exe	85
PID 4888 wrote to memory of 3656	4888	chrome.exe	85
PID 4888 wrote to memory of 3656	4888	chrome.exe	85
PID 4888 wrote to memory of 3656	4888	chrome.exe	85
PID 4888 wrote to memory of 3656	4888	chrome.exe	85
PID 4888 wrote to memory of 3656	4888	chrome.exe	85
PID 4888 wrote to memory of 3656	4888	chrome.exe	85
PID 4888 wrote to memory of 3656	4888	chrome.exe	85
PID 4888 wrote to memory of 3656	4888	chrome.exe	85
PID 4888 wrote to memory of 3656	4888	chrome.exe	85
PID 4888 wrote to memory of 3656	4888	chrome.exe	85
PID 4888 wrote to memory of 3656	4888	chrome.exe	85
PID 4888 wrote to memory of 3656	4888	chrome.exe	85
PID 4888 wrote to memory of 4860	4888	chrome.exe	86
PID 4888 wrote to memory of 4860	4888	chrome.exe	86
PID 4888 wrote to memory of 1748	4888	chrome.exe	87
PID 4888 wrote to memory of 1748	4888	chrome.exe	87
PID 4888 wrote to memory of 1748	4888	chrome.exe	87
PID 4888 wrote to memory of 1748	4888	chrome.exe	87
PID 4888 wrote to memory of 1748	4888	chrome.exe	87
PID 4888 wrote to memory of 1748	4888	chrome.exe	87
PID 4888 wrote to memory of 1748	4888	chrome.exe	87
PID 4888 wrote to memory of 1748	4888	chrome.exe	87
PID 4888 wrote to memory of 1748	4888	chrome.exe	87
PID 4888 wrote to memory of 1748	4888	chrome.exe	87
PID 4888 wrote to memory of 1748	4888	chrome.exe	87
PID 4888 wrote to memory of 1748	4888	chrome.exe	87
PID 4888 wrote to memory of 1748	4888	chrome.exe	87
PID 4888 wrote to memory of 1748	4888	chrome.exe	87
PID 4888 wrote to memory of 1748	4888	chrome.exe	87
PID 4888 wrote to memory of 1748	4888	chrome.exe	87
PID 4888 wrote to memory of 1748	4888	chrome.exe	87
PID 4888 wrote to memory of 1748	4888	chrome.exe	87
PID 4888 wrote to memory of 1748	4888	chrome.exe	87
PID 4888 wrote to memory of 1748	4888	chrome.exe	87
PID 4888 wrote to memory of 1748	4888	chrome.exe	87
PID 4888 wrote to memory of 1748	4888	chrome.exe	87
PID 4888 wrote to memory of 1748	4888	chrome.exe	87
PID 4888 wrote to memory of 1748	4888	chrome.exe	87
PID 4888 wrote to memory of 1748	4888	chrome.exe	87
PID 4888 wrote to memory of 1748	4888	chrome.exe	87
PID 4888 wrote to memory of 1748	4888	chrome.exe	87
PID 4888 wrote to memory of 1748	4888	chrome.exe	87
PID 4888 wrote to memory of 1748	4888	chrome.exe	87
PID 4888 wrote to memory of 1748	4888	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://store.steampowered.com/app/3107230/Pantheon_Rise_of_the_Fallen/#app_reviews_hash
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc5a65cc40,0x7ffc5a65cc4c,0x7ffc5a65cc58
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1896,i,800165250537698931,3010110789484584846,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,800165250537698931,3010110789484584846,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,800165250537698931,3010110789484584846,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2228 /prefetch:8
  2⤵
  PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,800165250537698931,3010110789484584846,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,800165250537698931,3010110789484584846,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4512,i,800165250537698931,3010110789484584846,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  PID:728

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
c97ffb7341fac206374734331f4a3594

SHA1
a03c64690520206f085fd37f4ead8569e011b958

SHA256
1da158b472c3953a9f6196e6bc8660f2d41f4174f3a2f06d92a58702af19cb50

SHA512
f6a5f10b91ad3c2b07f93fa2c858cac083efbf54c23f9f073b73f912edb402628bf7d2537eba6c75f6d02859ce3c734dbb7024ccfd75f08482074fbf83a64f10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
246d5e219715b05b3eeca4c7965887bf

SHA1
8576bc91ddb9c7526a6382b2b4fcba0ca23d26e7

SHA256
4d06f9487d4eb28175bcf3a8f2e80767367659a316bb46a6e51975dda676eb31

SHA512
e63265428de4b0447f70b55e25d8602d4a039e26308fd7e231766ad800f5f16018936483b63be785433fcea3f7f5e060a4e14379216093986ca138148af02528

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\5c95d605-0c10-4ad5-ae4e-7a83fe75fa68.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
0913734e80c498220eca4291c401b1f3

SHA1
57dfecc5496591a2547c8a832e4e67155800f8c1

SHA256
680f1561c83db1292adce18f0d97c0d4849745b8b12da88b2d47a9bc3a032429

SHA512
530c6d002270f5e30c23fadefed32dd85b5eb393720802081881753aa13f6b8f48cbbf58090a88f40cfc985455cd36e0d214166a0ea53fb0fb5a2676ca199b97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
3c2db73508d9e25f74f6fdd8646ff65e

SHA1
e2c4d926d6229ab2fe0ea7341d052174d0dd367a

SHA256
3d514f70bf5c62961edf02c5d20e70460c86c25345a0933bfc8966b3365f4ae2

SHA512
3cde15f9a05a7d1e55c618d98c9d602778df090baa0cdfc16f76f7bf9f33e991662bc95c8dec2fcc7ca45dcbcb424ce6001674678a8a1dc877645c08ffa795ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fe588154f0d122b2876ae74c59c46334

SHA1
7ebbcc208eba19eb79f00b03e38e7b403386412b

SHA256
d4bb5add940f8b62e44028e52399bf853c125f673a5ef6b5a73437f53d23d79c

SHA512
5be7fa8a1e67c847b7423fc06e938fc01fd1e1075392e03fb1cec1cc00c8b2afee538bfe183d4b0d23994260ee4581e8408ee46e1493cc5e99dda476b3cd7011

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7713c6f9ebb9cc1ed89c6ac949016f88

SHA1
3cdba97ccc909e4e54b83d6449ec05c5017b8f1e

SHA256
2a3f70413c6dc7dffd64e4480457cbe2c2b672e7dcf05a74373044cd45dddb25

SHA512
2ac9ddc6395fbfb7bfc472af96ded6d00719004c9b191b7cc35282686baaf5e8f29945edf48dbc87e1e2db2e9d963ff0aa395ff6a05d3304ea1e0ae2fc57cc1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e6af66a924fb2e22ce0101a4c722ec93

SHA1
08b5c2a0b78cf529b71b9b45f73e9de284cc9a13

SHA256
02728faa97ab6d9fe241ed2807982018d7b454dda2edc1054b3d8612812a7bce

SHA512
d829a20fd7bcc1202fba3377d7b00739c1c1841534bbc1d01bd4a6752fd2ab5d7b454c7937ad0b64fbe54b29c490c47b4f04d5feba51c89edd2edebba6bef725

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
0dcd3ac5f46878a36a7122743db42d23

SHA1
11826f9c505bb5b0f56ca60a0ac3b9b7d6b0a9b9

SHA256
faaafd9505c421ab3e81d1393d5b73c6c5e97fe6194635c6046990d80e864f04

SHA512
9e139d895a38118317d97dac3e3b2e6345352d0e5dba47cb326aea37780cf1f03708f3cfa8c465d757f29ff95c334d17676dfda364c20ad65bd2b422aa321418

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
7d79d862c6b72c1d69e881bf53e1278e

SHA1
6261f42f5610af3ed1aeba3acc27419f20de54b0

SHA256
e4158cace5968be0c07dfc7eaedc78e2c271d68e5a2ce3303efb14883f5c4caa

SHA512
4e493a349191e5d5b52aa9dc47c0d2fcc88f32d968b93e1408bcfcb9e55b1fec7a5cf893332a25228d9138fa3420ec3edbb27b984f36dbc05c46d67db75261db

Download Submit