golddragon | 51e8ac86d15128644d5a6432b41ec16d7ec6d6825852a1809f4f09369c0591b4 | Triage

Analysis

max time kernel
122s
max time network
151s
platform
windows7_x64
resource
win7-en-20211014
submitted
03-11-2021 12:26

Sharing

Report Analysis Logs

General

Target

51e8ac86d15128644d5a6432b41ec16d7ec6d6825852a1809f4f09369c0591b4.exe
Size

79KB
MD5

4f01950be1af645812ef894060589297
SHA1

6eb40d133e27baff5b907e561cfe44112b776dda
SHA256

51e8ac86d15128644d5a6432b41ec16d7ec6d6825852a1809f4f09369c0591b4
SHA512

ae5c95f718e9416fb0b477edfb6a6ff9a82b5506a8f757e33311432b55eaad1316268b7afe20da2e2b031c259c990cf93fc02ed1bc639060de25711822af4027

Score

10^/10

golddragon backdoor

Malware Config

Signatures

GoldDragon
GoldDragon is a second-stage backdoor attributed to Kimsuky.
backdoor golddragon

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1640	51e8ac86d15128644d5a6432b41ec16d7ec6d6825852a1809f4f09369c0591b4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1640	51e8ac86d15128644d5a6432b41ec16d7ec6d6825852a1809f4f09369c0591b4.exe

C:\Users\Admin\AppData\Local\Temp\51e8ac86d15128644d5a6432b41ec16d7ec6d6825852a1809f4f09369c0591b4.exe
"C:\Users\Admin\AppData\Local\Temp\51e8ac86d15128644d5a6432b41ec16d7ec6d6825852a1809f4f09369c0591b4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1640-55-0x0000000075F41000-0x0000000075F43000-memory.dmp

Filesize
8KB

Download