golddragon | 3903958eb28632aa58e455eb87482d1ccef38a6fe43512baad30902e8bfdd6d5

General

Target

3903958eb28632aa58e455eb87482d1ccef38a6fe43512baad30902e8bfdd6d5.dll
Size

481KB
MD5

e647b3366dc836c1f63bdc5ba2aef3a9
SHA1

a7b0711b45081768817e85d6fc76e23093093f87
SHA256

3903958eb28632aa58e455eb87482d1ccef38a6fe43512baad30902e8bfdd6d5
SHA512

39166d31017b238b4cae861ab263e3dd11260c0203fc8dcfd41461f3b850126ba954bcf9fb7678ceb63dc2e2f252bd6e20f7f33aed1a81db8c0d89c56be5dfcb

Score

10^/10

golddragon backdoor persistence spyware stealer

Malware Config

Signatures

GoldDragon
GoldDragon is a second-stage backdoor attributed to Kimsuky.
backdoor golddragon

GoldDragon 2021 Stage2 infostealer 3 IoCs

Detect GoldDragon InfoStealer Stage 2.

stealer

Processes:

resource	yara_rule
behavioral1/memory/1828-71-0x00000000000CCC77-mapping.dmp	golddragon_stage2
behavioral1/memory/1828-70-0x00000000000C0000-0x0000000000119000-memory.dmp	golddragon_stage2
behavioral1/memory/1828-73-0x00000000000C0000-0x0000000000119000-memory.dmp	golddragon_stage2

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\dropbox = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Roaming\\OneDriver\\down\\OneDrivecache.dll\" Run"	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 472 set thread context of 1828 472 rundll32.exe svchost.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

864 tasklist.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1076 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1524 systeminfo.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1440 taskkill.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid process

1828 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

taskkill.exetasklist.exe

description pid process

Token: SeDebugPrivilege 1440 taskkill.exe
Token: SeDebugPrivilege 864 tasklist.exe

description	pid	process	target process
PID 472 set thread context of 1828	472	rundll32.exe	svchost.exe

pid	process
864	tasklist.exe

pid	process
1076	ipconfig.exe

pid	process
1524	systeminfo.exe

pid	process
1440	taskkill.exe

pid	process
1828	svchost.exe

description	pid	process
Token: SeDebugPrivilege	1440	taskkill.exe
Token: SeDebugPrivilege	864	tasklist.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

rundll32.exerundll32.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 676 wrote to memory of 472	676	rundll32.exe	rundll32.exe
PID 676 wrote to memory of 472	676	rundll32.exe	rundll32.exe
PID 676 wrote to memory of 472	676	rundll32.exe	rundll32.exe
PID 676 wrote to memory of 472	676	rundll32.exe	rundll32.exe
PID 676 wrote to memory of 472	676	rundll32.exe	rundll32.exe
PID 676 wrote to memory of 472	676	rundll32.exe	rundll32.exe
PID 676 wrote to memory of 472	676	rundll32.exe	rundll32.exe
PID 472 wrote to memory of 1072	472	rundll32.exe	cmd.exe
PID 472 wrote to memory of 1072	472	rundll32.exe	cmd.exe
PID 472 wrote to memory of 1072	472	rundll32.exe	cmd.exe
PID 472 wrote to memory of 1072	472	rundll32.exe	cmd.exe
PID 1072 wrote to memory of 1440	1072	cmd.exe	taskkill.exe
PID 1072 wrote to memory of 1440	1072	cmd.exe	taskkill.exe
PID 1072 wrote to memory of 1440	1072	cmd.exe	taskkill.exe
PID 1072 wrote to memory of 1440	1072	cmd.exe	taskkill.exe
PID 472 wrote to memory of 1464	472	rundll32.exe	cmd.exe
PID 472 wrote to memory of 1464	472	rundll32.exe	cmd.exe
PID 472 wrote to memory of 1464	472	rundll32.exe	cmd.exe
PID 472 wrote to memory of 1464	472	rundll32.exe	cmd.exe
PID 1464 wrote to memory of 1076	1464	cmd.exe	ipconfig.exe
PID 1464 wrote to memory of 1076	1464	cmd.exe	ipconfig.exe
PID 1464 wrote to memory of 1076	1464	cmd.exe	ipconfig.exe
PID 1464 wrote to memory of 1076	1464	cmd.exe	ipconfig.exe
PID 1464 wrote to memory of 1104	1464	cmd.exe	ARP.EXE
PID 1464 wrote to memory of 1104	1464	cmd.exe	ARP.EXE
PID 1464 wrote to memory of 1104	1464	cmd.exe	ARP.EXE
PID 1464 wrote to memory of 1104	1464	cmd.exe	ARP.EXE
PID 472 wrote to memory of 1472	472	rundll32.exe	cmd.exe
PID 472 wrote to memory of 1472	472	rundll32.exe	cmd.exe
PID 472 wrote to memory of 1472	472	rundll32.exe	cmd.exe
PID 472 wrote to memory of 1472	472	rundll32.exe	cmd.exe
PID 1472 wrote to memory of 1524	1472	cmd.exe	systeminfo.exe
PID 1472 wrote to memory of 1524	1472	cmd.exe	systeminfo.exe
PID 1472 wrote to memory of 1524	1472	cmd.exe	systeminfo.exe
PID 1472 wrote to memory of 1524	1472	cmd.exe	systeminfo.exe
PID 472 wrote to memory of 1132	472	rundll32.exe	cmd.exe
PID 472 wrote to memory of 1132	472	rundll32.exe	cmd.exe
PID 472 wrote to memory of 1132	472	rundll32.exe	cmd.exe
PID 472 wrote to memory of 1132	472	rundll32.exe	cmd.exe
PID 1132 wrote to memory of 864	1132	cmd.exe	tasklist.exe
PID 1132 wrote to memory of 864	1132	cmd.exe	tasklist.exe
PID 1132 wrote to memory of 864	1132	cmd.exe	tasklist.exe
PID 1132 wrote to memory of 864	1132	cmd.exe	tasklist.exe
PID 472 wrote to memory of 1828	472	rundll32.exe	svchost.exe
PID 472 wrote to memory of 1828	472	rundll32.exe	svchost.exe
PID 472 wrote to memory of 1828	472	rundll32.exe	svchost.exe
PID 472 wrote to memory of 1828	472	rundll32.exe	svchost.exe
PID 472 wrote to memory of 1828	472	rundll32.exe	svchost.exe
PID 472 wrote to memory of 1828	472	rundll32.exe	svchost.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3903958eb28632aa58e455eb87482d1ccef38a6fe43512baad30902e8bfdd6d5.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:676
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3903958eb28632aa58e455eb87482d1ccef38a6fe43512baad30902e8bfdd6d5.dll,#1
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:472
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im daumcleaner.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im daumcleaner.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1440
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ipconfig/all >>"C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_001.dat" & arp -a >>"C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_001.dat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1464
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:1076
  - - C:\Windows\SysWOW64\ARP.EXE
      arp -a
      4⤵
      PID:1104
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c systeminfo >>"C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_001.dat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c tasklist >>"C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_001.dat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:864
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Process Discovery

1

T1057

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_001.dat

MD5
40fc8c9bded9161a9be043444bd274cd

SHA1
9cd34ab7f636d0efb39714d26936147ebd5278ba

SHA256
ea3edd37e00e02dbb8280988d8bdc083cda5bbe3274b329a81316afdaf8e60df

SHA512
e2807895539efc67bd838dc7fd564b7d0557c4e38d60d20024db90140fb8056efabe820fbb367223d15d25c71bff0f347d072f0108240b7fff0d0de0f95496dd

Download Submit
C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_001.dat

MD5
35795cc4d95e48df78e5748333bdc70e

SHA1
68f56ca4bea24d26cec1c387391962b795149fb4

SHA256
396b63e8a1da5de49c447132ad6c17206702cc4056496488e18bf4a67cd447dc

SHA512
839e05287bfd5bd0ed9f48202f7b7bbc53eb8498e06565e646027fccbf0072eb950e0789de69a822a0a0f93efc43e38c7f9a6a9507e61a5600ac8a9b6a302cf4

Download Submit
memory/472-56-0x0000000075C21000-0x0000000075C23000-memory.dmp

Filesize
8KB

Download
memory/472-55-0x0000000000000000-mapping.dmp

Download
memory/864-68-0x0000000000000000-mapping.dmp

Download
memory/1072-57-0x0000000000000000-mapping.dmp

Download
memory/1076-60-0x0000000000000000-mapping.dmp

Download
memory/1104-62-0x0000000000000000-mapping.dmp

Download
memory/1132-66-0x0000000000000000-mapping.dmp

Download
memory/1440-58-0x0000000000000000-mapping.dmp

Download
memory/1464-59-0x0000000000000000-mapping.dmp

Download
memory/1472-63-0x0000000000000000-mapping.dmp

Download
memory/1524-65-0x0000000000000000-mapping.dmp

Download
memory/1828-69-0x00000000000C0000-0x0000000000119000-memory.dmp

Filesize
356KB

Download
memory/1828-71-0x00000000000CCC77-mapping.dmp

Download
memory/1828-70-0x00000000000C0000-0x0000000000119000-memory.dmp

Filesize
356KB

Download
memory/1828-73-0x00000000000C0000-0x0000000000119000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads