golddragon | 70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569

General

Target

70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe
Size

487KB
MD5

dd15c9f2669bce96098b3f7fa791c87d
SHA1

51d4122fa2c6ba1fea93845b28f5f872fe64d394
SHA256

70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569
SHA512

f26aa6c7375af8fee7d6508dec9d8505f82fdab424bc76fbc6a02919101ccbde059b73d1c4ae1e49f2e252b6f07c4091882674a5cfb039988a68d8f638c8cb23

Score

10^/10

golddragon backdoor

Malware Config

Signatures

GoldDragon
GoldDragon is a second-stage backdoor attributed to Kimsuky.
backdoor golddragon
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1060 systeminfo.exe

pid	process
1060	systeminfo.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.execmd.exe

description	pid	process	target process
PID 1644 wrote to memory of 1908	1644	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	cmd.exe
PID 1644 wrote to memory of 1908	1644	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	cmd.exe
PID 1644 wrote to memory of 1908	1644	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	cmd.exe
PID 1644 wrote to memory of 1908	1644	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	cmd.exe
PID 1644 wrote to memory of 2032	1644	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	cmd.exe
PID 1644 wrote to memory of 2032	1644	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	cmd.exe
PID 1644 wrote to memory of 2032	1644	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	cmd.exe
PID 1644 wrote to memory of 2032	1644	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	cmd.exe
PID 1644 wrote to memory of 1292	1644	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	cmd.exe
PID 1644 wrote to memory of 1292	1644	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	cmd.exe
PID 1644 wrote to memory of 1292	1644	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	cmd.exe
PID 1644 wrote to memory of 1292	1644	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	cmd.exe
PID 1644 wrote to memory of 1784	1644	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	cmd.exe
PID 1644 wrote to memory of 1784	1644	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	cmd.exe
PID 1644 wrote to memory of 1784	1644	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	cmd.exe
PID 1644 wrote to memory of 1784	1644	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	cmd.exe
PID 1784 wrote to memory of 1060	1784	cmd.exe	systeminfo.exe
PID 1784 wrote to memory of 1060	1784	cmd.exe	systeminfo.exe
PID 1784 wrote to memory of 1060	1784	cmd.exe	systeminfo.exe
PID 1784 wrote to memory of 1060	1784	cmd.exe	systeminfo.exe

C:\Users\Admin\AppData\Local\Temp\70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe
"C:\Users\Admin\AppData\Local\Temp\70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\Users\Admin\Desktop\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  PID:1908
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\Recent\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  PID:2032
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\PROGRA~2\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  PID:1292
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c systeminfo >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:1060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx

MD5
c20cff16d4d6d92395427c1b6644ada0

SHA1
96973c34d87ff0e4c0c38929c6241bafcd27b080

SHA256
40e11799265b79540139b935e0aa4d6336ece4fb48f5bdb604c7bec9cc26630b

SHA512
5d0d3d2a2708c6612618d9cc81e8fb04230af7d415881660caab784f7e703a24ddbc11e38a14db1f31b96239b99b96e58d9042276452ccc5965faa66810a0884

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx

MD5
52f085cd779c06ed67d7bcad1115af8d

SHA1
59f951d16f8085574cf17015a5fa43082203d055

SHA256
af742524111ae7207ef3449c47e43d0955af20455d3f8f5afc3e3f24d5249107

SHA512
aca40144015059fbe6c8081cfe368adb8c7818f558f19480c61c9d062dbd5bc1770828affc00c92049f83d1cb1733d6f7815733a54466c0fe648562da4ab1da1

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx

MD5
52f085cd779c06ed67d7bcad1115af8d

SHA1
59f951d16f8085574cf17015a5fa43082203d055

SHA256
af742524111ae7207ef3449c47e43d0955af20455d3f8f5afc3e3f24d5249107

SHA512
aca40144015059fbe6c8081cfe368adb8c7818f558f19480c61c9d062dbd5bc1770828affc00c92049f83d1cb1733d6f7815733a54466c0fe648562da4ab1da1

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx

MD5
cd91289c21261ce818929fbc9592f970

SHA1
2768eab6942277a7b23f0a6189b259850e2dd902

SHA256
f8eec4ffeed9b4e8505c0ab454e4d23c862650d5ad93b4b13bf749a2a8c79aaa

SHA512
9fba3568a1eed076680bc9ed82d0b16f4f26f430ddb44350ecacccba8d3b3ce4baecf59708192d8606fa97fb06cc54ff2a0be274b5020554a3117d0443fd6327

Download Submit
memory/1060-68-0x0000000000000000-mapping.dmp

Download
memory/1292-64-0x0000000000000000-mapping.dmp

Download
memory/1644-60-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download
memory/1784-66-0x0000000000000000-mapping.dmp

Download
memory/1908-61-0x0000000000000000-mapping.dmp

Download
memory/2032-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing