Analysis
max time kernel: 184s
max time network: 191s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 29-06-2024 22:58
Static task: static1
Behavioral task: behavioral1
Sample: gold.exe
Resource: win7-20240611-en
General
Target: gold.exe
Size: 342KB
MD5: b769a45330b8bb61879f95faab68a297
SHA1: 085bab79dba61f06651d9904a0966059678f7abb
SHA256: c18119713c678bbea78db54da4099ec7c5ff05e06b9c2904f08e9a2bca0219aa
SHA512: 2841523621dfc463d6256fc6b91daec3861d61e8122b8b912c0da4642d721ad34aca6a8dce8deabcf46d3bfc7f31ceca7bef743ecfe4ea1b0378c28f6b8ca30d
SSDEEP: 6144:fsBkCMuffjLfszRU97qtC9iSxHdP5wpSga10RMm5agGUn4lshyfS0W6yVqtAknTv:fsBkhuHjLEz6JifSJdP5wp/a1KvGkNhY
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes:
  PID 2716 Client.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  gold.exe: Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\gold.exe\"" (the value data is the quoted path to the sample itself)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network:
  flow 2: ip-api.com

Drops file in Program Files directory (4 IoCs)
Processes:
  gold.exe: File created C:\Program Files (x86)\SubDir\Client.exe
  gold.exe: File opened for modification C:\Program Files (x86)\SubDir\Client.exe
  Client.exe: File opened for modification C:\Program Files (x86)\SubDir\Client.exe
  Client.exe: File opened for modification C:\Program Files (x86)\SubDir

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  PID 2956 schtasks.exe
  PID 2780 schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  PID 2924 gold.exe: Token: SeDebugPrivilege
  PID 2716 Client.exe: Token: SeDebugPrivilege

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  PID 2716 Client.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes (source PID wrote to memory of target PID; each pair is reported three times):
  PID 2924 gold.exe -> PID 2956 schtasks.exe (x3)
  PID 2924 gold.exe -> PID 2716 Client.exe (x3)
  PID 2716 Client.exe -> PID 2780 schtasks.exe (x3)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\gold.exe (PID 2924)
  Command line: "C:\Users\Admin\AppData\Local\Temp\gold.exe"
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\system32\schtasks.exe (PID 2956, child of gold.exe)
    Command line: "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\gold.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

  - C:\Program Files (x86)\SubDir\Client.exe (PID 2716, child of gold.exe)
    Command line: "C:\Program Files (x86)\SubDir\Client.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\schtasks.exe (PID 2780, child of Client.exe)
      Command line: "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task

Note that both the Run key value and both scheduled tasks are named "Steam" and run at every logon with /rl HIGHEST, first pointing at the original sample in %TEMP% and then, once the dropped copy is running, at C:\Program Files (x86)\SubDir\Client.exe.
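The process tree above is a compact persistence chain: the sample writes itself into a Run key, registers an ONLOGON scheduled task at HIGHEST run level pointing at itself, spawns its dropped copy, and the copy registers a second task of the same name pointing at the new location. The following is an added hunting example (not part of the sandbox report or the sample) that scores schtasks /create invocations over constructed Sysmon-style process and registry events. The PIDs, paths, Run key and task name are taken from the report; the event dictionary layout, the parent PID of gold.exe, and the benign-looking GoogleUpdate task used for contrast are assumptions made for the example.

```python
import re

# Constructed events modelled on the report's process tree (not real telemetry).
# PIDs, paths and the "Steam" name come from the report; ppid 1500 and the
# GoogleUpdate entries are hypothetical, included so a benign task is scored too.
EVENTS = [
    {"type": "process", "pid": 2924, "ppid": 1500,
     "image": r"C:\Users\Admin\AppData\Local\Temp\gold.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\gold.exe"'},
    {"type": "registry", "pid": 2924,
     "key": r"HKU\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\gold.exe"'},
    {"type": "process", "pid": 2956, "ppid": 2924,
     "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\gold.exe" /rl HIGHEST /f'},
    {"type": "process", "pid": 2716, "ppid": 2924,
     "image": r"C:\Program Files (x86)\SubDir\Client.exe",
     "cmdline": r'"C:\Program Files (x86)\SubDir\Client.exe"'},
    {"type": "process", "pid": 2780, "ppid": 2716,
     "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f'},
    {"type": "process", "pid": 3900, "ppid": 1500,
     "image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
     "cmdline": r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /install'},
    {"type": "process", "pid": 4000, "ppid": 3900,
     "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'"schtasks" /create /tn "GoogleUpdateTaskMachineUA" /sc DAILY /tr "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua" /f'},
]

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
VALUE_FLAGS = {"/tn", "/sc", "/tr", "/rl", "/mo", "/st", "/ru", "/rp", "/xml"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted runs intact."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN_RE.finditer(cmdline)]


def parse_schtasks_create(cmdline):
    """Return {flag: value} for a 'schtasks /create' command line, else None."""
    toks = split_cmdline(cmdline)
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] not in ("schtasks", "schtasks.exe"):
        return None
    args, i = {}, 1
    while i < len(toks):
        flag = toks[i].lower()
        if flag in VALUE_FLAGS and i + 1 < len(toks):
            args[flag] = toks[i + 1]
            i += 2
        else:
            args[flag] = True          # switch without a value, e.g. /create or /f
            i += 1
    return args if "/create" in args else None


def task_target(tr):
    """Executable path from a /tr value, which may carry arguments after the .exe."""
    m = re.match(r'\s*"?(.+?\.exe)', tr, re.I)
    return m.group(1) if m else tr.strip()


def run_key_values(events):
    """Map Run-key value name (lower-cased) -> data for registry writes under the CurrentVersion Run key."""
    out = {}
    for ev in events:
        if ev["type"] == "registry":
            m = re.search(r"\\CurrentVersion\\Run\\([^\\]+)$", ev["key"], re.I)
            if m:
                out[m.group(1).lower()] = ev["data"].strip('"')
    return out


def hunt_scheduled_task_persistence(events, threshold=2):
    """Score every schtasks /create; a finding is flagged when >= threshold signals fire."""
    images = {ev["pid"]: ev["image"] for ev in events if ev["type"] == "process"}
    run_values = run_key_values(events)
    findings = []
    for ev in events:
        if ev["type"] != "process":
            continue
        args = parse_schtasks_create(ev["cmdline"])
        if args is None:
            continue
        name = str(args.get("/tn", ""))
        target = task_target(str(args.get("/tr", "")))
        reasons = []
        if str(args.get("/sc", "")).upper() == "ONLOGON" and str(args.get("/rl", "")).upper() == "HIGHEST":
            reasons.append("runs at every logon with /rl HIGHEST")
        if any(marker in target.lower() for marker in USER_WRITABLE):
            reasons.append("target lives in a user-writable directory")
        if target and images.get(ev["ppid"], "").lower() == target.lower():
            reasons.append("creating process registered itself as the task target")
        if name.lower() in run_values:
            reasons.append("a Run-key value with the same name exists")
        findings.append({"pid": ev["pid"], "task": name, "target": target,
                         "reasons": reasons, "score": len(reasons),
                         "flagged": len(reasons) >= threshold})
    return findings


if __name__ == "__main__":
    for f in hunt_scheduled_task_persistence(EVENTS):
        print(f["pid"], "FLAGGED" if f["flagged"] else "ok", f["task"], f["target"], f["reasons"])
```

Self-registration alone is a weak signal (legitimate updaters do it, which is why the constructed GoogleUpdate task scores 1 and is not flagged); it is the combination with an ONLOGON/HIGHEST trigger, a user-writable target or a same-named Run key that makes both "Steam" tasks stand out. On a live host the same logic can be fed from Sysmon event IDs 1 (process creation) and 13 (registry value set).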
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads

C:\Program Files (x86)\SubDir\Client.exe
  Filesize: 342KB
  MD5: b769a45330b8bb61879f95faab68a297
  SHA1: 085bab79dba61f06651d9904a0966059678f7abb
  SHA256: c18119713c678bbea78db54da4099ec7c5ff05e06b9c2904f08e9a2bca0219aa
  SHA512: 2841523621dfc463d6256fc6b91daec3861d61e8122b8b912c0da4642d721ad34aca6a8dce8deabcf46d3bfc7f31ceca7bef743ecfe4ea1b0378c28f6b8ca30d
  All four hashes match the submitted sample, so the dropped Client.exe is a byte-for-byte copy of gold.exe and the same hash IoCs cover both locations.

Memory dumps (PID 2716 = Client.exe, PID 2924 = gold.exe)
  memory/2716-9-0x00000000013E0000-0x00000000013E8000-memory.dmp: 32KB
  memory/2716-10-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp: 9.9MB
  memory/2716-11-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp: 9.9MB
  memory/2716-14-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp: 9.9MB
  memory/2716-15-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp: 9.9MB
  memory/2924-0-0x000007FEF56E3000-0x000007FEF56E4000-memory.dmp: 4KB
  memory/2924-1-0x0000000001160000-0x0000000001168000-memory.dmp: 32KB
  memory/2924-2-0x0000000000BA0000-0x0000000000C3E000-memory.dmp: 632KB
  memory/2924-3-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp: 9.9MB
  memory/2924-12-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp: 9.9MB