golddragon | 70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569

General

Target

70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe
Size

487KB
MD5

dd15c9f2669bce96098b3f7fa791c87d
SHA1

51d4122fa2c6ba1fea93845b28f5f872fe64d394
SHA256

70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569
SHA512

f26aa6c7375af8fee7d6508dec9d8505f82fdab424bc76fbc6a02919101ccbde059b73d1c4ae1e49f2e252b6f07c4091882674a5cfb039988a68d8f638c8cb23

Score

10^/10

golddragon backdoor

Malware Config

Signatures

GoldDragon
GoldDragon is a second-stage backdoor attributed to Kimsuky.
backdoor golddragon
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1060	systeminfo.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 1908	1644	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	26
PID 1644 wrote to memory of 1908	1644	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	26
PID 1644 wrote to memory of 1908	1644	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	26
PID 1644 wrote to memory of 1908	1644	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	26
PID 1644 wrote to memory of 2032	1644	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	31
PID 1644 wrote to memory of 2032	1644	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	31
PID 1644 wrote to memory of 2032	1644	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	31
PID 1644 wrote to memory of 2032	1644	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	31
PID 1644 wrote to memory of 1292	1644	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	33
PID 1644 wrote to memory of 1292	1644	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	33
PID 1644 wrote to memory of 1292	1644	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	33
PID 1644 wrote to memory of 1292	1644	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	33
PID 1644 wrote to memory of 1784	1644	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	35
PID 1644 wrote to memory of 1784	1644	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	35
PID 1644 wrote to memory of 1784	1644	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	35
PID 1644 wrote to memory of 1784	1644	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	35
PID 1784 wrote to memory of 1060	1784	cmd.exe	37
PID 1784 wrote to memory of 1060	1784	cmd.exe	37
PID 1784 wrote to memory of 1060	1784	cmd.exe	37
PID 1784 wrote to memory of 1060	1784	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe
"C:\Users\Admin\AppData\Local\Temp\70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\Users\Admin\Desktop\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  PID:1908
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\Recent\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  PID:2032
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\PROGRA~2\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  PID:1292
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c systeminfo >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:1060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1644-60-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing