6345a13c1eab921686d7ef594b6ac35e6e65839ac297795031014fbd9717508a | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

SWASetup.exe

windows10-2004-x64

8

Sharing

General

Target

SWASetup.exe
Size

14KB
Sample

241223-zbfk5azqhk
MD5

cd1436d99f11bc0382d6776f23c74831
SHA1

accc8e49ba85581de25288b9a461ae14b5554d91
SHA256

6345a13c1eab921686d7ef594b6ac35e6e65839ac297795031014fbd9717508a
SHA512

00374fa8dce13ce885714ab23b2d9111a8bb2194c17b5ccc6bd859aead6df36398fc2abed9d2840333e8a8dfa9f5da112e3a67a1141465300caad5b12c005493
SSDEEP

192:jgYX92TJJTcolI9FVigA6KtuY5AlF0o4Awh/b3B0OZnnWYlA8W2FCT1vT:Ls/aKu0AlFqAwFzSSWMQRt

Score

8^/10

steam discovery motw persistence phishing

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

SWASetup.exe

Resource

win10v2004-20241007-en

steam discovery motw persistence phishing

windows10-2004-x64

30 signatures

150 seconds

Malware Config

Targets

- Target
  
  SWASetup.exe
- Size
  
  14KB
- MD5
  
  cd1436d99f11bc0382d6776f23c74831
- SHA1
  
  accc8e49ba85581de25288b9a461ae14b5554d91
- SHA256
  
  6345a13c1eab921686d7ef594b6ac35e6e65839ac297795031014fbd9717508a
- SHA512
  
  00374fa8dce13ce885714ab23b2d9111a8bb2194c17b5ccc6bd859aead6df36398fc2abed9d2840333e8a8dfa9f5da112e3a67a1141465300caad5b12c005493
- SSDEEP
  
  192:jgYX92TJJTcolI9FVigA6KtuY5AlF0o4Awh/b3B0OZnnWYlA8W2FCT1vT:Ls/aKu0AlFqAwFzSSWMQRt
Score

8^/10

steam discovery motw persistence phishing
- Downloads MZ/PE file
- A potential corporate email address has been identified in the URL: OpzlgoiQzcawzr@TWOfk
  phishing
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Mark of the Web detected: This indicates that the page was originally saved or cloned.
  phishing motw
- Detected potential entity reuse from brand STEAM.
  phishing steam
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

steamdiscoverymotwpersistencephishing

© 2018-2025

Terms | Privacy

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.