eab5f974ec202f9576335f50646b1a7e6725557b1227b8f96ecc889c15498905

General

Target

HVCI/Steam.exe
Size

15.9MB
MD5

8aac8c3763433c4633f9df18099454d8
SHA1

488b942dc7da1066a2ca1531319dd91828501b44
SHA256

841b830d52ffa466dcf7bc00f47f9097634782b4028ecc512ffb0ffb49107a92
SHA512

200aabc46b9d25952906e3f6badab8802dd6fe2d3be598e92792ffdb6c2834042921ae441aae4c6cb8e51b9e1fadd2ad1a30f21ef7d0ff38da002b7b1ed96e7b
SSDEEP

393216:BYSiS7PfvNPUBiLB1VSNq/+FEQ7jPeF7Bp6ibY4Tj:BYiXvFUxQO2np6UTj

Score

9^/10

defense_evasion discovery execution persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Steam.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 2 IoCs

flow	pid	Process
27	4748	Process not Found
35	1600	Process not Found

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Steam.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral9/memory/1212-1-0x0000000140000000-0x00000001428F1000-memory.dmp	themida
behavioral9/memory/1212-2-0x0000000140000000-0x00000001428F1000-memory.dmp	themida
behavioral9/memory/1212-3-0x0000000140000000-0x00000001428F1000-memory.dmp	themida
behavioral9/memory/1212-4-0x0000000140000000-0x00000001428F1000-memory.dmp	themida
behavioral9/memory/1212-6-0x0000000140000000-0x00000001428F1000-memory.dmp	themida
behavioral9/memory/1212-7-0x0000000140000000-0x00000001428F1000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Steam.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1212	Steam.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\security\InkLa1n.sys	Steam.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1824	sc.exe
1296	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4288	MicrosoftEdgeUpdate.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
672	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1212	Steam.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 1296	1212	Steam.exe	85
PID 1212 wrote to memory of 1296	1212	Steam.exe	85
PID 1212 wrote to memory of 1824	1212	Steam.exe	87
PID 1212 wrote to memory of 1824	1212	Steam.exe	87

C:\Users\Admin\AppData\Local\Temp\HVCI\Steam.exe
"C:\Users\Admin\AppData\Local\Temp\HVCI\Steam.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" create InkLa1n binPath="C:\Windows\security\InkLa1n.sys" type=kernel
  2⤵
  - Launches sc.exe
  PID:1296
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" start InkLa1n
  2⤵
  - Launches sc.exe
  PID:1824

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MzA0NUZBMUYtOUQ4Qi00MzRDLUJCRUEtRkZEQjBCMzZEMEIyfSIgdXNlcmlkPSJ7RjZDNzE2MjgtOEZDOC00RkEwLUI4RUEtN0I5RDI4REU0OTQ5fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MjFEMjgyMTEtRjJDQy00QzUxLUFBQkMtNDBDN0Y5NEVGMkM2fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMiIgaW5zdGFsbGRhdGV0aW1lPSIxNzM4OTM1NjE1IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM0MDc5NTE4NzcwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTM2MzMyMDkwNSIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1212-0-0x00007FFBC76F1000-0x00007FFBC76F3000-memory.dmp

Filesize
8KB

Download
memory/1212-1-0x0000000140000000-0x00000001428F1000-memory.dmp

Filesize
40.9MB

Download
memory/1212-2-0x0000000140000000-0x00000001428F1000-memory.dmp

Filesize
40.9MB

Download
memory/1212-3-0x0000000140000000-0x00000001428F1000-memory.dmp

Filesize
40.9MB

Download
memory/1212-4-0x0000000140000000-0x00000001428F1000-memory.dmp

Filesize
40.9MB

Download
memory/1212-6-0x0000000140000000-0x00000001428F1000-memory.dmp

Filesize
40.9MB

Download
memory/1212-7-0x0000000140000000-0x00000001428F1000-memory.dmp

Filesize
40.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads