Analysis
max time kernel:  119s
max time network: 119s
platform:         windows7_x64
resource:         win7-en-20211208
submitted:        12-01-2022 17:52

Static task:     static1
Behavioral task: behavioral1
  Sample:   bb0a3c784e55bd25f845644b69c57e3e470af51983617fdfe7ba5d253019ed24.bin.dll
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample:   bb0a3c784e55bd25f845644b69c57e3e470af51983617fdfe7ba5d253019ed24.bin.dll
  Resource: win10-en-20211208
General
Target: bb0a3c784e55bd25f845644b69c57e3e470af51983617fdfe7ba5d253019ed24.bin.dll
Size:   366KB
MD5:    e69294040dab044805c9d7c47fef4844
SHA1:   f3a2731e174a68d13b4ae15fab2d7b2788517039
SHA256: bb0a3c784e55bd25f845644b69c57e3e470af51983617fdfe7ba5d253019ed24
SHA512: c1a7bc64f9edf804ef7707dd717e7f8d293a607a96b9339e4acf2fdee1b70c643c1987016882620654c709795775042db9461da11cd4b1a016ea98fcd8e20a8c
Malware Config
Signatures

GoldDragon
  GoldDragon is a second-stage backdoor attributed to Kimsuky.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

Adds Run key to start application (2 TTPs, 1 IoC)
  description:   Set value (str)
  ioc:           \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\schedule = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\exts\\hancom.dll\" Run"
  Process:       rundll32.exe
  At each logon the Run value named "schedule" makes rundll32.exe load %APPDATA%\Microsoft\exts\hancom.dll and call its "Run" export. The value name, the DLL path and the export name are the persistence artefacts to hunt for; the ioc string is shown JSON-escaped, so the real value data is rundll32.exe "C:\Users\Admin\AppData\Roaming\Microsoft\exts\hancom.dll" Run.

Suspicious use of SetThreadContext (1 IoC)
  description:   PID 1536 set thread context of 1992
  Process:       rundll32.exe
  procid_target: 43
  Together with the six WriteProcessMemory events from 1536 into 1992 (below) and the fact that 1992 is an svchost.exe created by rundll32.exe rather than by services.exe, this is consistent with process hollowing: the implant keeps running inside a process that looks like svchost.exe.

Enumerates processes with tasklist (1 TTP, 1 IoC)
  pid 1712   tasklist.exe

Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  pid 1772   ipconfig.exe
  pid 1636   NETSTAT.EXE

Gathers system information (1 TTP, 1 IoC)
  Runs systeminfo.exe.
  pid 1752   systeminfo.exe

Kills process with taskkill (1 IoC)
  pid 664    taskkill.exe   (target: daumcleaner.exe, see process tree)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1992   svchost.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege   pid 664    taskkill.exe
  Token: SeDebugPrivilege   pid 1712   tasklist.exe
  Token: SeDebugPrivilege   pid 1636   NETSTAT.EXE

Suspicious use of WriteProcessMemory (57 IoCs)
  The 57 events collapse to 13 parent/child pairs; the last column is the number of events per pair.
  pid    Process        wrote to   procid_target   events
  1488   rundll32.exe   1536       27              7
  1536   rundll32.exe   880        28              4
  880    cmd.exe        664        30              4
  1536   rundll32.exe   1780       32              4
  1780   cmd.exe        1772       34              4
  1780   cmd.exe        972        35              4
  1536   rundll32.exe   1928       36              4
  1928   cmd.exe        1752       38              4
  1536   rundll32.exe   1084       40              4
  1084   cmd.exe        1712       42              4
  1536   rundll32.exe   1992       43              6
  1992   svchost.exe    1700       44              4
  1700   cmd.exe        1636       46              4
  Every ordinary parent/child pair in this run shows exactly four writes. The pairs that stand out are 1536 into the svchost.exe process 1992 (six writes, followed by the SetThreadContext call above) and the 64-bit rundll32.exe 1488 into its 32-bit child 1536 (seven).
Processes

The tree below is indented by depth; the number in brackets is the depth shown in the original report and "#1" is the ordinal of the export rundll32 was asked to call.

[1] C:\Windows\system32\rundll32.exe   PID 1488
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb0a3c784e55bd25f845644b69c57e3e470af51983617fdfe7ba5d253019ed24.bin.dll,#1
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\rundll32.exe   PID 1536
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb0a3c784e55bd25f845644b69c57e3e470af51983617fdfe7ba5d253019ed24.bin.dll,#1
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe   PID 880
        cmd.exe /c taskkill /f /im daumcleaner.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\taskkill.exe   PID 664
          taskkill /f /im daumcleaner.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe   PID 1780
        cmd.exe /c ipconfig/all >>"C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat" & arp -a >>"C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\ipconfig.exe   PID 1772
          ipconfig /all
          - Gathers network information
      [4] C:\Windows\SysWOW64\ARP.EXE   PID 972
          arp -a
    [3] C:\Windows\SysWOW64\cmd.exe   PID 1928
        cmd.exe /c systeminfo >>"C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\systeminfo.exe   PID 1752
          systeminfo
          - Gathers system information
    [3] C:\Windows\SysWOW64\cmd.exe   PID 1084
        cmd.exe /c tasklist >>"C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\tasklist.exe   PID 1712
          tasklist
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\svchost.exe   PID 1992
        "C:\Windows\system32\svchost.exe"
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe   PID 1700
          cmd /c netstat -a >> "C:\Users\Admin\AppData\Roaming\wininit.db"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\NETSTAT.EXE   PID 1636
            netstat -a
            - Gathers network information
            - Suspicious use of AdjustPrivilegeToken

Reading the tree: the 64-bit rundll32.exe re-launches its SysWOW64 counterpart, which is what rundll32 does when handed a 32-bit DLL, so everything of interest happens under PID 1536. That process first kills daumcleaner.exe (Daum Cleaner, a Korean PC-cleaning utility), then runs ipconfig /all, arp -a, systeminfo and tasklist through cmd.exe and appends all of their output to one staging file, %APPDATA%\Microsoft\pubs\PI_001.dat. It also starts an svchost.exe that it writes into and whose thread context it resets; the netstat -a run from inside that svchost.exe goes to a second staging file, %APPDATA%\wininit.db. The two staging files, the Run value "schedule" and the DLL path %APPDATA%\Microsoft\exts\hancom.dll are the host indicators from this run; an svchost.exe whose parent is rundll32.exe rather than services.exe is the behavioural one.
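The Run-key IoC under Signatures and the process tree above translate directly into host-hunting logic. The block below is an added example, not code from the sandbox vendor or from the sample: it reconstructs the report's events as constructed Sysmon-like records (process creation as pid, parent pid, image, command line; registry set as key path and value data) and runs three checks over them: a Run/RunOnce value that makes rundll32 load a DLL from the user profile, rundll32-descended cmd.exe children that redirect reconnaissance tools into a file, and an svchost.exe whose parent is not services.exe. The launcher PID 1000, the record layout and the short DLL name sample.bin.dll (standing in for the SHA256-named file) are assumptions.

```python
"""Host-hunting checks for the behaviour in the GoldDragon report above.

Added example; not code from the sandbox vendor or from the sample.  Events are
constructed to mirror the report's process tree and Run-key IoC.  The launcher
PID 1000, the record layout and the name "sample.bin.dll" are assumptions.
"""
import re
from collections import defaultdict

# Recon tools the sample chained through cmd.exe (Gathers network/system information, tasklist).
RECON_IMAGES = {"tasklist.exe", "systeminfo.exe", "ipconfig.exe", "arp.exe", "netstat.exe"}
# The user profile is writable without admin rights; a DLL persisted from there is a red flag.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
RUNDLL32_RE = re.compile(
    r'^"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+'        # rundll32 image: bare, pathed or quoted
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^\s,]+))'        # DLL path, quoted or bare
    r'(?:\s*,\s*(?P<ord>\S+)|\s+(?P<name>\S+))?',    # ",#1" / ",Export" or " Export"
    re.I)
REDIRECT_RE = re.compile(r'>>?\s*"?([^"&]+?)"?\s*(?:&|$)')  # target of > or >> in a cmd line

RUN_KEY_EVENT = (  # constructed from the report's "Adds Run key" IoC, JSON escaping removed
    r"\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000"
    r"\Software\Microsoft\Windows\CurrentVersion\Run\schedule",
    r'rundll32.exe "C:\Users\Admin\AppData\Roaming\Microsoft\exts\hancom.dll" Run',
)
T = r"C:\Users\Admin\AppData\Local\Temp\sample.bin.dll"
P = r"C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat"
W = r"C:\Users\Admin\AppData\Roaming\wininit.db"
PROCESS_EVENTS = [  # (pid, ppid, image, command line), constructed from the report's process tree
    (1488, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {T},#1"),
    (1536, 1488, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {T},#1"),
    (880, 1536, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c taskkill /f /im daumcleaner.exe"),
    (664, 880, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im daumcleaner.exe"),
    (1780, 1536, r"C:\Windows\SysWOW64\cmd.exe", f'cmd.exe /c ipconfig/all >>"{P}" & arp -a >>"{P}"'),
    (1772, 1780, r"C:\Windows\SysWOW64\ipconfig.exe", "ipconfig /all"),
    (972, 1780, r"C:\Windows\SysWOW64\ARP.EXE", "arp -a"),
    (1928, 1536, r"C:\Windows\SysWOW64\cmd.exe", f'cmd.exe /c systeminfo >>"{P}"'),
    (1752, 1928, r"C:\Windows\SysWOW64\systeminfo.exe", "systeminfo"),
    (1084, 1536, r"C:\Windows\SysWOW64\cmd.exe", f'cmd.exe /c tasklist >>"{P}"'),
    (1712, 1084, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    (1992, 1536, r"C:\Windows\SysWOW64\svchost.exe", r'"C:\Windows\system32\svchost.exe"'),
    (1700, 1992, r"C:\Windows\SysWOW64\cmd.exe", f'cmd /c netstat -a >> "{W}"'),
    (1636, 1700, r"C:\Windows\SysWOW64\NETSTAT.EXE", "netstat -a"),
]


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_rundll32(cmdline):
    """(dll_path, entry) for a rundll32 command line, else None.  The entry is an
    ordinal like "#1" or an export name like "Run"; the report shows both forms."""
    m = RUNDLL32_RE.match(cmdline.strip())
    if not m:
        return None
    return (m.group("qdll") or m.group("dll"), m.group("ord") or m.group("name"))


def suspicious_run_value(key_path, data):
    """Flag a Run/RunOnce value whose command makes rundll32 load a DLL from the user profile."""
    if not re.search(r"\\CurrentVersion\\Run(?:Once)?\\", key_path, re.I):
        return None
    parsed = parse_rundll32(data)
    if parsed and USER_WRITABLE.match(parsed[0]):
        return {"value": key_path.rsplit("\\", 1)[-1], "dll": parsed[0], "entry": parsed[1]}
    return None


def _ancestor_images(by_pid, pid):
    seen, out = set(), []
    while pid in by_pid and pid not in seen:       # seen-set guards against PID-reuse loops
        seen.add(pid)
        pid = by_pid[pid][1]
        if pid in by_pid:
            out.append(image_name(by_pid[pid][2]))
    return out


def recon_to_file(events):
    """Map every file a rundll32-descended cmd.exe redirects into, to the recon tools it ran.
    Requiring rundll32 in the ancestry keeps an admin's own `ipconfig /all > net.txt` out."""
    by_pid = {e[0]: e for e in events}
    children = defaultdict(list)
    for _, ppid, image, _ in events:
        children[ppid].append(image_name(image))
    out = defaultdict(set)
    for pid, _, image, cmd in events:
        if image_name(image) != "cmd.exe" or "rundll32.exe" not in _ancestor_images(by_pid, pid):
            continue
        tools = {c for c in children[pid] if c in RECON_IMAGES}
        for target in REDIRECT_RE.findall(cmd):
            if tools:
                out[target.strip()] |= tools
    return dict(out)


def orphaned_service_hosts(events):
    """svchost.exe is normally created by services.exe; any other parent marks a likely injection
    or hollowing host (the report pairs this svchost with SetThreadContext and WriteProcessMemory)."""
    by_pid = {e[0]: e for e in events}
    hits = []
    for pid, ppid, image, _ in events:
        if image_name(image) == "svchost.exe":
            parent = image_name(by_pid[ppid][2]) if ppid in by_pid else None
            if parent != "services.exe":
                hits.append((pid, parent))
    return hits


if __name__ == "__main__":
    print(suspicious_run_value(*RUN_KEY_EVENT))
    for path, tools in recon_to_file(PROCESS_EVENTS).items():
        print(path, sorted(tools))
    print(orphaned_service_hosts(PROCESS_EVENTS))
```

On the constructed events the Run-key check returns the value "schedule" with the hancom.dll path and the "Run" export, the recon check attributes ipconfig, arp, systeminfo and tasklist to PI_001.dat and netstat to wininit.db, and the svchost check reports PID 1992 with rundll32.exe as its parent. The rundll32 ancestry requirement and the services.exe parent rule are the two places to tune on a real estate: some management agents launch rundll32 legitimately, and the recon check should then be keyed on the staging file being under the user profile rather than on rundll32 alone.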