golddragon | a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b

General

Target

a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe
Size

421KB
MD5

ffff18fc7c2166c2a1a3c3d8bbd95ba1
SHA1

7af27ee542f599e4b68a032bc43295eec03c1e0e
SHA256

a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b
SHA512

3a36a1b6cf4b933cc546157b51a48e0b87fd1bc9fc41b5763500ecf89fca7017e2fdc721593ff6eaa2607b434c4d0133132460f1d090d5f459905f410a4c1435

Score

10^/10

golddragon backdoor

Malware Config

Signatures

GoldDragon
GoldDragon is a second-stage backdoor attributed to Kimsuky.
backdoor golddragon
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1748	systeminfo.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 1676	1100	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	28
PID 1100 wrote to memory of 1676	1100	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	28
PID 1100 wrote to memory of 1676	1100	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	28
PID 1100 wrote to memory of 1676	1100	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	28
PID 1100 wrote to memory of 664	1100	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	31
PID 1100 wrote to memory of 664	1100	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	31
PID 1100 wrote to memory of 664	1100	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	31
PID 1100 wrote to memory of 664	1100	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	31
PID 1100 wrote to memory of 556	1100	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	33
PID 1100 wrote to memory of 556	1100	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	33
PID 1100 wrote to memory of 556	1100	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	33
PID 1100 wrote to memory of 556	1100	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	33
PID 1100 wrote to memory of 1516	1100	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	35
PID 1100 wrote to memory of 1516	1100	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	35
PID 1100 wrote to memory of 1516	1100	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	35
PID 1100 wrote to memory of 1516	1100	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	35
PID 1516 wrote to memory of 1748	1516	cmd.exe	37
PID 1516 wrote to memory of 1748	1516	cmd.exe	37
PID 1516 wrote to memory of 1748	1516	cmd.exe	37
PID 1516 wrote to memory of 1748	1516	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe
"C:\Users\Admin\AppData\Local\Temp\a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\Users\Admin\Desktop\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  PID:1676
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\Recent\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  PID:664
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\PROGRA~2\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  PID:556
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c systeminfo >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1100-59-0x0000000075AF1000-0x0000000075AF3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing