golddragon | a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b

General

Target

a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe
Size

421KB
MD5

ffff18fc7c2166c2a1a3c3d8bbd95ba1
SHA1

7af27ee542f599e4b68a032bc43295eec03c1e0e
SHA256

a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b
SHA512

3a36a1b6cf4b933cc546157b51a48e0b87fd1bc9fc41b5763500ecf89fca7017e2fdc721593ff6eaa2607b434c4d0133132460f1d090d5f459905f410a4c1435

Score

10^/10

golddragon backdoor

Malware Config

Signatures

GoldDragon
GoldDragon is a second-stage backdoor attributed to Kimsuky.
backdoor golddragon
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1748 systeminfo.exe

pid	process
1748	systeminfo.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.execmd.exe

description	pid	process	target process
PID 1100 wrote to memory of 1676	1100	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	cmd.exe
PID 1100 wrote to memory of 1676	1100	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	cmd.exe
PID 1100 wrote to memory of 1676	1100	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	cmd.exe
PID 1100 wrote to memory of 1676	1100	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	cmd.exe
PID 1100 wrote to memory of 664	1100	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	cmd.exe
PID 1100 wrote to memory of 664	1100	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	cmd.exe
PID 1100 wrote to memory of 664	1100	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	cmd.exe
PID 1100 wrote to memory of 664	1100	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	cmd.exe
PID 1100 wrote to memory of 556	1100	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	cmd.exe
PID 1100 wrote to memory of 556	1100	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	cmd.exe
PID 1100 wrote to memory of 556	1100	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	cmd.exe
PID 1100 wrote to memory of 556	1100	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	cmd.exe
PID 1100 wrote to memory of 1516	1100	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	cmd.exe
PID 1100 wrote to memory of 1516	1100	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	cmd.exe
PID 1100 wrote to memory of 1516	1100	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	cmd.exe
PID 1100 wrote to memory of 1516	1100	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	cmd.exe
PID 1516 wrote to memory of 1748	1516	cmd.exe	systeminfo.exe
PID 1516 wrote to memory of 1748	1516	cmd.exe	systeminfo.exe
PID 1516 wrote to memory of 1748	1516	cmd.exe	systeminfo.exe
PID 1516 wrote to memory of 1748	1516	cmd.exe	systeminfo.exe

C:\Users\Admin\AppData\Local\Temp\a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe
"C:\Users\Admin\AppData\Local\Temp\a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\Users\Admin\Desktop\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  PID:1676
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\Recent\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  PID:664
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\PROGRA~2\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  PID:556
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c systeminfo >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx

MD5
d78454a6255fe1cb8d7bbf30e19760a0

SHA1
8d896df9d2891403c528789b4db1bfc5983ddc05

SHA256
9f6f510e547be626f51da665e20792504e2327f7ddcb695edf8504f0bff748ea

SHA512
32227aea9382031d99026c948db8f37f624be4c5b1581bf12822b08bc16691a86b09902ccd0d1b9e83678a9de1b1821af79ca70de4ccf732f3e525468a4d19b4

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx

MD5
15e5856a237c9e8c91672d408887ffe0

SHA1
f787994f52c25df630ca6621e0af035a821a741d

SHA256
b033a69e8bd98113c09f2dea6ff28b0fadfd5a862c29625d073f941acd3e80c0

SHA512
20e3604c0c6e7d6894b5132b796702310d3089b254009882afcc12dbf29b7d42544a8a943edd33c0e1f1c48e7ae78f9f83e82d7679b7475a41fa342b8fd1ac2b

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx

MD5
15e5856a237c9e8c91672d408887ffe0

SHA1
f787994f52c25df630ca6621e0af035a821a741d

SHA256
b033a69e8bd98113c09f2dea6ff28b0fadfd5a862c29625d073f941acd3e80c0

SHA512
20e3604c0c6e7d6894b5132b796702310d3089b254009882afcc12dbf29b7d42544a8a943edd33c0e1f1c48e7ae78f9f83e82d7679b7475a41fa342b8fd1ac2b

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx

MD5
0ba11dd7ebd82acf8eb8d46392972a43

SHA1
78ef34067da15f7e16d5372713c6502fb5604cce

SHA256
1fd23c4af0ab23e2be329b2630b16aa2ad4c7ea5a42ec1ba4553e4f18d5d5505

SHA512
741eb485333fcce39eede7cb5e6ecb5940c380e945760bd6867184a21e83896fd7ce615924c1a6f499afd4a8885ece97b5f049170602045b84e92cea50da0d0e

Download Submit
memory/556-63-0x0000000000000000-mapping.dmp

Download
memory/664-61-0x0000000000000000-mapping.dmp

Download
memory/1100-59-0x0000000075AF1000-0x0000000075AF3000-memory.dmp

Filesize
8KB

Download
memory/1516-65-0x0000000000000000-mapping.dmp

Download
memory/1676-60-0x0000000000000000-mapping.dmp

Download
memory/1748-67-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing