Overview

overview

10

Static

static

10

3903958eb2...d5.dll

windows7_x64

10

3903958eb2...d5.dll

windows10_x64

10

Analysis

  • max time kernel
    123s
  • max time network
    134s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    03-11-2021 12:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3903958eb28632aa58e455eb87482d1ccef38a6fe43512baad30902e8bfdd6d5.dll

  • Size

    481KB

  • MD5

    e647b3366dc836c1f63bdc5ba2aef3a9

  • SHA1

    a7b0711b45081768817e85d6fc76e23093093f87

  • SHA256

    3903958eb28632aa58e455eb87482d1ccef38a6fe43512baad30902e8bfdd6d5

  • SHA512

    39166d31017b238b4cae861ab263e3dd11260c0203fc8dcfd41461f3b850126ba954bcf9fb7678ceb63dc2e2f252bd6e20f7f33aed1a81db8c0d89c56be5dfcb

Score
10/10
golddragonbackdoorpersistencespywarestealer

Malware Config

Signatures

  • GoldDragon

    GoldDragon is a second-stage backdoor attributed to Kimsuky.

    backdoorgolddragon
  • GoldDragon 2021 Stage2 infostealer 3 IoCs

    Detect GoldDragon InfoStealer Stage 2.

    stealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3903958eb28632aa58e455eb87482d1ccef38a6fe43512baad30902e8bfdd6d5.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\3903958eb28632aa58e455eb87482d1ccef38a6fe43512baad30902e8bfdd6d5.dll,#1
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im daumcleaner.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2120
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im daumcleaner.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1132
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c ipconfig/all >>"C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_001.dat" & arp -a >>"C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_001.dat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3092
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /all
          4⤵
          • Gathers network information
          PID:1100
        • C:\Windows\SysWOW64\ARP.EXE
          arp -a
          4⤵
            PID:1148
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c systeminfo >>"C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_001.dat"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3996
          • C:\Windows\SysWOW64\systeminfo.exe
            systeminfo
            4⤵
            • Gathers system information
            PID:620
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c tasklist >>"C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_001.dat"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2624
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:2372
        • C:\Windows\SysWOW64\svchost.exe
          "C:\Windows\system32\svchost.exe"
          3⤵
          • Suspicious behavior: GetForegroundWindowSpam
          PID:1208

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Command-Line Interface

    1
    T1059

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Process Discovery

    1
    T1057

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_001.dat
      MD5

      48af694199ef9ddf593fcd19b288dc58

      SHA1

      7340622bda45e10f7046ba6391cdcadf7ebf51c9

      SHA256

      7cd357a5708cd8621923e1e095b5e981a50a9c695cb164fc653bd24bea4ea1a9

      SHA512

      fa0691eaad7e050166402222e640602cc3f24245fb699a89a52a6e98cd82e722d02a5f369ff1556ebacfda74920f3cdb9198177887575a27634506c893b2dfa8

      Download Submit
    • C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_001.dat
      MD5

      823dcc04042f33b7fa3340ca72a5226a

      SHA1

      44e31ab3d1377120c90c8e82805987e9435d3b5b

      SHA256

      fa4ab1aa6838e8344211b78ec41ecd3dcd84c4d04b578d2008e2f8f68fda820c

      SHA512

      e1707a37bde300ecb62ed762d4b219c03c500675c60eeb7a5619b9d7209d38344977ca2c1f86fca9a21b972e59bafae01633d14de4b9ffc96b603010603cc30e

      Download Submit
    • memory/620-123-0x0000000000000000-mapping.dmp
      Download
    • memory/1100-119-0x0000000000000000-mapping.dmp
      Download
    • memory/1132-117-0x0000000000000000-mapping.dmp
      Download
    • memory/1148-120-0x0000000000000000-mapping.dmp
      Download
    • memory/1208-128-0x00000000008ECC77-mapping.dmp
      Download
    • memory/1208-129-0x00000000008E0000-0x0000000000939000-memory.dmp
      Filesize

      356KB

      Download
    • memory/1208-127-0x00000000008E0000-0x0000000000939000-memory.dmp
      Filesize

      356KB

      Download
    • memory/2120-116-0x0000000000000000-mapping.dmp
      Download
    • memory/2268-115-0x0000000000000000-mapping.dmp
      Download
    • memory/2372-126-0x0000000000000000-mapping.dmp
      Download
    • memory/2624-124-0x0000000000000000-mapping.dmp
      Download
    • memory/3092-118-0x0000000000000000-mapping.dmp
      Download
    • memory/3996-121-0x0000000000000000-mapping.dmp
      Download