golddragon | 70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569

General

Target

70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe
Size

487KB
MD5

dd15c9f2669bce96098b3f7fa791c87d
SHA1

51d4122fa2c6ba1fea93845b28f5f872fe64d394
SHA256

70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569
SHA512

f26aa6c7375af8fee7d6508dec9d8505f82fdab424bc76fbc6a02919101ccbde059b73d1c4ae1e49f2e252b6f07c4091882674a5cfb039988a68d8f638c8cb23

Score

10^/10

golddragon backdoor

Malware Config

Signatures

GoldDragon
GoldDragon is a second-stage backdoor attributed to Kimsuky.
backdoor golddragon
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

408 systeminfo.exe

pid	process
408	systeminfo.exe

Modifies registry class 2 IoCs

Processes:

70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

196 OpenWith.exe

pid	process
196	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.execmd.exe

description	pid	process	target process
PID 776 wrote to memory of 2260	776	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	cmd.exe
PID 776 wrote to memory of 2260	776	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	cmd.exe
PID 776 wrote to memory of 2260	776	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	cmd.exe
PID 776 wrote to memory of 1336	776	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	cmd.exe
PID 776 wrote to memory of 1336	776	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	cmd.exe
PID 776 wrote to memory of 1336	776	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	cmd.exe
PID 776 wrote to memory of 2480	776	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	cmd.exe
PID 776 wrote to memory of 2480	776	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	cmd.exe
PID 776 wrote to memory of 2480	776	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	cmd.exe
PID 776 wrote to memory of 2296	776	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	cmd.exe
PID 776 wrote to memory of 2296	776	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	cmd.exe
PID 776 wrote to memory of 2296	776	70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe	cmd.exe
PID 2296 wrote to memory of 408	2296	cmd.exe	systeminfo.exe
PID 2296 wrote to memory of 408	2296	cmd.exe	systeminfo.exe
PID 2296 wrote to memory of 408	2296	cmd.exe	systeminfo.exe

C:\Users\Admin\AppData\Local\Temp\70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe
"C:\Users\Admin\AppData\Local\Temp\70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:776
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\Users\Admin\Desktop\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  PID:2260
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\Recent\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  PID:1336
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\PROGRA~2\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  PID:2480
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c systeminfo >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:408

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx

MD5
58d23ca3666907a37cbf4357f375d1fb

SHA1
fa7c632ffd80bb0043e615182886b4906e48368b

SHA256
824f454186c273407cca7408f12a5c76802c82228f4a7771f711672aac29cf67

SHA512
df3174b379ff4411a9c5908b9bce08c7a9673e8f675fa204b234f03115318f3d48bcb990020938642666356e68b38e821200b2d98b44abd88ca06d8a90614602

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx

MD5
860d8bea30c4f4429ea0b8b41994bb85

SHA1
54e65298d60520dd9907ee54ac15360f0c2ac223

SHA256
97d77d739340451ba8dcd648aeda62e17d9ce28c1464a3bbde1cf830e7754732

SHA512
0e91099775898847414efb167c7bbe0dc5313756d4d9eaf1ea216b07d6ddf03d87f2b9041eeb9f0b70a80f4572c0e779bfb3c31579cb248080cff8c1142855b8

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx

MD5
860d8bea30c4f4429ea0b8b41994bb85

SHA1
54e65298d60520dd9907ee54ac15360f0c2ac223

SHA256
97d77d739340451ba8dcd648aeda62e17d9ce28c1464a3bbde1cf830e7754732

SHA512
0e91099775898847414efb167c7bbe0dc5313756d4d9eaf1ea216b07d6ddf03d87f2b9041eeb9f0b70a80f4572c0e779bfb3c31579cb248080cff8c1142855b8

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx

MD5
f5394c43998b6bb0cb79dd840a2a1beb

SHA1
0fa358e8a28e3585feaee0efb4c8936ba15e5998

SHA256
205c1cbd6ad6f5b7b388ec8aaf7293727fbeedba069b4ebef312aa1c993ade2b

SHA512
057cd0b23620a36676a45d28e5b78812146e2fbdfa6a4ee7cd6404a74ead52ba0a53eb2576cc7587ac0e3035eea4cb954230fa7be4f94004239ba855c1854cc1

Download Submit
memory/408-121-0x0000000000000000-mapping.dmp

Download
memory/1336-115-0x0000000000000000-mapping.dmp

Download
memory/2260-114-0x0000000000000000-mapping.dmp

Download
memory/2296-119-0x0000000000000000-mapping.dmp

Download
memory/2480-117-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing