Analysis
- max time kernel: 189s
- max time network: 193s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-06-2024 22:58
- Static task: static1
- Behavioral task: behavioral1
  - Sample: gold.exe
  - Resource: win7-20240611-en
General
- Target: gold.exe
- Size: 342KB
- MD5: b769a45330b8bb61879f95faab68a297
- SHA1: 085bab79dba61f06651d9904a0966059678f7abb
- SHA256: c18119713c678bbea78db54da4099ec7c5ff05e06b9c2904f08e9a2bca0219aa
- SHA512: 2841523621dfc463d6256fc6b91daec3861d61e8122b8b912c0da4642d721ad34aca6a8dce8deabcf46d3bfc7f31ceca7bef743ecfe4ea1b0378c28f6b8ca30d
- SSDEEP: 6144:fsBkCMuffjLfszRU97qtC9iSxHdP5wpSga10RMm5agGUn4lshyfS0W6yVqtAknTv:fsBkhuHjLEz6JifSJdP5wp/a1KvGkNhY
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    4244  Client.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    6     ip-api.com
- Drops file in Program Files directory (4 IoCs)
  Processes:
    description                   ioc                                       process
    File created                  C:\Program Files (x86)\SubDir\Client.exe  gold.exe
    File opened for modification  C:\Program Files (x86)\SubDir\Client.exe  gold.exe
    File opened for modification  C:\Program Files (x86)\SubDir\Client.exe  Client.exe
    File opened for modification  C:\Program Files (x86)\SubDir             Client.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
    pid   process
    2500  schtasks.exe
    1836  schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  4220  gold.exe
    Token: SeDebugPrivilege  4244  Client.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid   process
    4244  Client.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                       pid   process     target process
    PID 4220 wrote to memory of 2500  4220  gold.exe    schtasks.exe
    PID 4220 wrote to memory of 2500  4220  gold.exe    schtasks.exe
    PID 4220 wrote to memory of 4244  4220  gold.exe    Client.exe
    PID 4220 wrote to memory of 4244  4220  gold.exe    Client.exe
    PID 4244 wrote to memory of 1836  4244  Client.exe  schtasks.exe
    PID 4244 wrote to memory of 1836  4244  Client.exe  schtasks.exe
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\gold.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\gold.exe"
  PID: 4220
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\gold.exe" /rl HIGHEST /f
    PID: 2500
    - Scheduled Task/Job: Scheduled Task
  - C:\Program Files (x86)\SubDir\Client.exe
    Command line: "C:\Program Files (x86)\SubDir\Client.exe"
    PID: 4244
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SYSTEM32\schtasks.exe
      Command line: "schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\Client.exe" /rl HIGHEST /f
      PID: 1836
      - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 342KB
  MD5: b769a45330b8bb61879f95faab68a297
  SHA1: 085bab79dba61f06651d9904a0966059678f7abb
  SHA256: c18119713c678bbea78db54da4099ec7c5ff05e06b9c2904f08e9a2bca0219aa
  SHA512: 2841523621dfc463d6256fc6b91daec3861d61e8122b8b912c0da4642d721ad34aca6a8dce8deabcf46d3bfc7f31ceca7bef743ecfe4ea1b0378c28f6b8ca30d