hxxps://stermcommunity[.]com/gift/id=7465904

Analysis

max time kernel
51s
max time network
49s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2025, 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://stermcommunity.com/gift/id=7465904

Score

5^/10

steam discovery phishing

Malware Config

Signatures

Detected potential entity reuse from brand STEAM. 1 IoCs

phishing steam

flow	pid	Process
18	1532	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1532	msedge.exe
1532	msedge.exe
4644	msedge.exe
4644	msedge.exe
1128	identity_helper.exe
1128	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 4124	4644	msedge.exe	83
PID 4644 wrote to memory of 4124	4644	msedge.exe	83
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1040	4644	msedge.exe	84
PID 4644 wrote to memory of 1532	4644	msedge.exe	85
PID 4644 wrote to memory of 1532	4644	msedge.exe	85
PID 4644 wrote to memory of 2320	4644	msedge.exe	86
PID 4644 wrote to memory of 2320	4644	msedge.exe	86
PID 4644 wrote to memory of 2320	4644	msedge.exe	86
PID 4644 wrote to memory of 2320	4644	msedge.exe	86
PID 4644 wrote to memory of 2320	4644	msedge.exe	86
PID 4644 wrote to memory of 2320	4644	msedge.exe	86
PID 4644 wrote to memory of 2320	4644	msedge.exe	86
PID 4644 wrote to memory of 2320	4644	msedge.exe	86
PID 4644 wrote to memory of 2320	4644	msedge.exe	86
PID 4644 wrote to memory of 2320	4644	msedge.exe	86
PID 4644 wrote to memory of 2320	4644	msedge.exe	86
PID 4644 wrote to memory of 2320	4644	msedge.exe	86
PID 4644 wrote to memory of 2320	4644	msedge.exe	86
PID 4644 wrote to memory of 2320	4644	msedge.exe	86
PID 4644 wrote to memory of 2320	4644	msedge.exe	86
PID 4644 wrote to memory of 2320	4644	msedge.exe	86
PID 4644 wrote to memory of 2320	4644	msedge.exe	86
PID 4644 wrote to memory of 2320	4644	msedge.exe	86
PID 4644 wrote to memory of 2320	4644	msedge.exe	86
PID 4644 wrote to memory of 2320	4644	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://stermcommunity.com/gift/id=7465904
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa14a546f8,0x7ffa14a54708,0x7ffa14a54718
  2⤵
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,7409174821349402339,5339558477292173027,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,7409174821349402339,5339558477292173027,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Detected potential entity reuse from brand STEAM.
  - Suspicious behavior: EnumeratesProcesses
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,7409174821349402339,5339558477292173027,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7409174821349402339,5339558477292173027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7409174821349402339,5339558477292173027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7409174821349402339,5339558477292173027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,7409174821349402339,5339558477292173027,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,7409174821349402339,5339558477292173027,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7409174821349402339,5339558477292173027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7409174821349402339,5339558477292173027,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2892 /prefetch:1
  2⤵
  PID:4912

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
75ca48cbb779993bd12d050c7b48b109

SHA1
890e3661ec6f87098101762b7140dce491954b7d

SHA256
887a3e2c976d183ce3febe230d41f9d1bc78b5981a2e9f10c7f5f7c4d186bc8a

SHA512
fb782250b52acd2636eed3bbcb6d1a9159bcbfcaebd1fc7108c6eef70d73903a9785145597739cd09ee84de0754ab2d3b778fbc40141f59119b5465edaa56725

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
256051f5bc752f66c58c37f88b9902c2

SHA1
fca6a264bd54d04a4abf6d2235d398e15019a2c8

SHA256
4b685f75befaf127498ad56aac3de4ffed3e1c6c81ec176ccb379af7eba01b12

SHA512
528902ec8bf6067a8f253d7378631517ea4654ab3c46b50ab2d68b89cc0a4eeb2593b842211e992751bda933f2eb00be44ed116d0df287c8b37b828d5532bf8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e7016dd3aa15356ab0518bc932ae8752

SHA1
402e097495577d4c8a3f12d1196370a2a135dddd

SHA256
66ec010b1dec6d23467168ec47211eb55e48d209e16242f2d4ca42ac3f4682be

SHA512
1ca10ee3a8ca7eb86b2f23f8598471e34e56ff954b8be8ae2f731f3346c3604be904ce0b77f3e09cae4b362295b1198fa87e42873242ec365b0c4288feee692d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0b85db45afd090662710f7097838d5c6

SHA1
b6fdca46a5b0f8c4d65b2181f47293839fbabe67

SHA256
fafd36d9dd3f6827d7fb2bfe0a8a9c08fa293291c9d4cfeaacb5f5dd7a6acfb5

SHA512
07aa7c255f69fe5b349482e59b8e59fca0b34e7055d1d65ce3ca3a65e7fffb4fe04d96ca4c8e5bdfc8fc0487285ba9cb4577ac9a874b845e359c60879e4ce033

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cb7128f6b0956e682009b5f33dfd085f

SHA1
9fb85ed1b1eb9bd0893cd5b09e6f56acaae09bb1

SHA256
19c7bdb87fb1ae72774adeafeba5aa1d14a6244b73ec868e2579b4c89d3bca35

SHA512
502b786edfaf74759df01f0e5776cdc92469d13b9e57c39fa1b742f75abada7c759299a643ede549bd34fb7f9d50e9bd5210c2e6fee2f4d935d283b56993314c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
92228a89000b77c981cede265ffd3723

SHA1
1faa6c19adf26270f190fc34fe78f52a732923e0

SHA256
aa196087a1603bcdb7f79e5da5d26fd9a0f7ad6c012481498ef93fddb8431a53

SHA512
ddc78ee6bebafe65a01e1be3bb278cf3447504174f45d9516c4d80058e5e8d873b458302b4a557b1430bead5dc82fe49373c1dfaaf5781dd2cda723ee857d22d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
581de71d9b66e8f656c208071c024ecd

SHA1
36ae27a93f4f05b61f670808bf8e41f0f181ee85

SHA256
71a27f515010547d2c55fa2dcb116db74b97592a8d355025e148ba6455ca48d4

SHA512
e9c067d6a58f030bd813fb9e64cb76c0357f82b71a99abb0b8923b5da36a13b6356675b8b96478e7688dec8cf7a7ef0272fbbdb63a0863d51db41cc0b345a8da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58487e.TMP

Filesize
707B

MD5
8026d051c0a7205940e38415a7c4732d

SHA1
8c479747aae3cae27d9814009c7d22046d0d4526

SHA256
48c48f9afe306e26b7315ae3bc562ef7af7e796240049eea2cb5028e1267c061

SHA512
78723e36f97bcad96d9977c3967e08fcc49b4c5328f0bbd7083f19ef6c465f97c8dab3225e4debf5cd42764bde0a9297497ae2009fbf8eccf832a3a4c51ab2be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4c8858c52e2b378e53e3e604fa2ffa42

SHA1
c0d5f1bb4badd87cc20928e080a74533f484065c

SHA256
93d1471af07d0be0e5850b1475c74b18af55d03af176f0ba6fb59a59609f4541

SHA512
866a02a91e2f6bceb0ba860671366dc6356761c8189fdf5b88c05e44cf88b0547d86ee2a5eef13715dead8322d8aeaec8721e5851d390ed3c988a7470f364d09

Download Submit