golddragon | a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b

General

Target

a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe
Size

421KB
MD5

ffff18fc7c2166c2a1a3c3d8bbd95ba1
SHA1

7af27ee542f599e4b68a032bc43295eec03c1e0e
SHA256

a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b
SHA512

3a36a1b6cf4b933cc546157b51a48e0b87fd1bc9fc41b5763500ecf89fca7017e2fdc721593ff6eaa2607b434c4d0133132460f1d090d5f459905f410a4c1435

Score

10^/10

golddragon backdoor

Malware Config

Signatures

GoldDragon
GoldDragon is a second-stage backdoor attributed to Kimsuky.
backdoor golddragon
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

3404 systeminfo.exe

pid	process
3404	systeminfo.exe

Modifies registry class 2 IoCs

Processes:

a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

2412 OpenWith.exe

pid	process
2412	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.execmd.exe

description	pid	process	target process
PID 3944 wrote to memory of 360	3944	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	cmd.exe
PID 3944 wrote to memory of 360	3944	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	cmd.exe
PID 3944 wrote to memory of 360	3944	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	cmd.exe
PID 3944 wrote to memory of 1680	3944	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	cmd.exe
PID 3944 wrote to memory of 1680	3944	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	cmd.exe
PID 3944 wrote to memory of 1680	3944	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	cmd.exe
PID 3944 wrote to memory of 4004	3944	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	cmd.exe
PID 3944 wrote to memory of 4004	3944	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	cmd.exe
PID 3944 wrote to memory of 4004	3944	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	cmd.exe
PID 3944 wrote to memory of 3576	3944	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	cmd.exe
PID 3944 wrote to memory of 3576	3944	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	cmd.exe
PID 3944 wrote to memory of 3576	3944	a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe	cmd.exe
PID 3576 wrote to memory of 3404	3576	cmd.exe	systeminfo.exe
PID 3576 wrote to memory of 3404	3576	cmd.exe	systeminfo.exe
PID 3576 wrote to memory of 3404	3576	cmd.exe	systeminfo.exe

C:\Users\Admin\AppData\Local\Temp\a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe
"C:\Users\Admin\AppData\Local\Temp\a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\Users\Admin\Desktop\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  PID:360
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\Recent\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  PID:1680
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\PROGRA~2\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  PID:4004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c systeminfo >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:3404

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx

MD5
c1706c099792d9dbd726126bb0c340bd

SHA1
332eae2df15bbef6e93c69d7399d080a6f32ed63

SHA256
1f7445a20ec674511b9db443d84976a1a8a809a68fb0763ae57472f76a23a49b

SHA512
dd7373ec10d56fc2e8953cd70d9482cc97fa5e04f20e695669d96cbb95aa6fcb2a066b8d1ffb81cd361a2edad963a210170216bdb45ca96e4f78171eb619a50d

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx

MD5
0ee595c2c26b1f151f902109ca6e41f9

SHA1
db8a97c513feb9d75dab9cf0452420452db96281

SHA256
eddb7c2f79c3c5e5dfe3be2da6bed3902e02e3d9cc847aac774e3ad2b648a9d1

SHA512
d6e29915e4746a0c88194c5bac3f063da4329e61878b7d073b658b4aa875b71ce02391f342d6946cc8a92e0e3b12e699f4c576b2ff7697b0296c2ab2065463f9

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx

MD5
eab7073f58b7e0a0f1138e1fc98068b7

SHA1
131f16b0c5b6c55baecf9ec4fed6a892f634f0ef

SHA256
2db16da31cebeeb268bc571307fd27de7d417de7383558556652f6374dd4b744

SHA512
0ec25b2ea64d044b4526d1e7dddf1fee85e400286110472ad15dec36c19929ca8b500ace1941beb2075cf58b1c8740aa47a8cac287c3f9f35f13b3072aeee612

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx

MD5
e2f754c7a5485d735fe696f9a52958d7

SHA1
65b1ec88af8e6164ec7320b187ae020fe8becb51

SHA256
8e4b386bcda34d599dabfc9de9aac2d3e19e751be293dcfa30d95a6aece9d704

SHA512
a6fa74803e65bdc586ad1e94575fb14ab202bbd50744989e50885a336445d312681bb0c1779655dd302801a7b9bda98f1ef6ef8106420abe412223a70a134022

Download Submit
memory/360-114-0x0000000000000000-mapping.dmp

Download
memory/1680-115-0x0000000000000000-mapping.dmp

Download
memory/3404-121-0x0000000000000000-mapping.dmp

Download
memory/3576-119-0x0000000000000000-mapping.dmp

Download
memory/4004-117-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing