golddragon | bb0a3c784e55bd25f845644b69c57e3e470af51983617fdfe7ba5d253019ed24

General

Target

bb0a3c784e55bd25f845644b69c57e3e470af51983617fdfe7ba5d253019ed24.bin.dll
Size

366KB
MD5

e69294040dab044805c9d7c47fef4844
SHA1

f3a2731e174a68d13b4ae15fab2d7b2788517039
SHA256

bb0a3c784e55bd25f845644b69c57e3e470af51983617fdfe7ba5d253019ed24
SHA512

c1a7bc64f9edf804ef7707dd717e7f8d293a607a96b9339e4acf2fdee1b70c643c1987016882620654c709795775042db9461da11cd4b1a016ea98fcd8e20a8c

Score

10^/10

golddragon backdoor persistence spyware stealer

Malware Config

Signatures

GoldDragon
GoldDragon is a second-stage backdoor attributed to Kimsuky.
backdoor golddragon
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\schedule = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\exts\\hancom.dll\" Run"	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 3176 set thread context of 2324 3176 rundll32.exe svchost.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2968 tasklist.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeNETSTAT.EXE

pid process

1396 ipconfig.exe
1428 NETSTAT.EXE
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1268 systeminfo.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1060 taskkill.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid process

2324 svchost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exetasklist.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 1060 taskkill.exe
Token: SeDebugPrivilege 2968 tasklist.exe
Token: SeDebugPrivilege 1428 NETSTAT.EXE

description	pid	process	target process
PID 3176 set thread context of 2324	3176	rundll32.exe	svchost.exe

pid	process
2968	tasklist.exe

pid	process
1396	ipconfig.exe
1428	NETSTAT.EXE

pid	process
1268	systeminfo.exe

pid	process
1060	taskkill.exe

pid	process
2324	svchost.exe

description	pid	process
Token: SeDebugPrivilege	1060	taskkill.exe
Token: SeDebugPrivilege	2968	tasklist.exe
Token: SeDebugPrivilege	1428	NETSTAT.EXE

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

rundll32.exerundll32.execmd.execmd.execmd.execmd.exesvchost.execmd.exe

description	pid	process	target process
PID 3716 wrote to memory of 3176	3716	rundll32.exe	rundll32.exe
PID 3716 wrote to memory of 3176	3716	rundll32.exe	rundll32.exe
PID 3716 wrote to memory of 3176	3716	rundll32.exe	rundll32.exe
PID 3176 wrote to memory of 1172	3176	rundll32.exe	cmd.exe
PID 3176 wrote to memory of 1172	3176	rundll32.exe	cmd.exe
PID 3176 wrote to memory of 1172	3176	rundll32.exe	cmd.exe
PID 1172 wrote to memory of 1060	1172	cmd.exe	taskkill.exe
PID 1172 wrote to memory of 1060	1172	cmd.exe	taskkill.exe
PID 1172 wrote to memory of 1060	1172	cmd.exe	taskkill.exe
PID 3176 wrote to memory of 728	3176	rundll32.exe	cmd.exe
PID 3176 wrote to memory of 728	3176	rundll32.exe	cmd.exe
PID 3176 wrote to memory of 728	3176	rundll32.exe	cmd.exe
PID 728 wrote to memory of 1396	728	cmd.exe	ipconfig.exe
PID 728 wrote to memory of 1396	728	cmd.exe	ipconfig.exe
PID 728 wrote to memory of 1396	728	cmd.exe	ipconfig.exe
PID 728 wrote to memory of 1392	728	cmd.exe	ARP.EXE
PID 728 wrote to memory of 1392	728	cmd.exe	ARP.EXE
PID 728 wrote to memory of 1392	728	cmd.exe	ARP.EXE
PID 3176 wrote to memory of 2840	3176	rundll32.exe	cmd.exe
PID 3176 wrote to memory of 2840	3176	rundll32.exe	cmd.exe
PID 3176 wrote to memory of 2840	3176	rundll32.exe	cmd.exe
PID 2840 wrote to memory of 1268	2840	cmd.exe	systeminfo.exe
PID 2840 wrote to memory of 1268	2840	cmd.exe	systeminfo.exe
PID 2840 wrote to memory of 1268	2840	cmd.exe	systeminfo.exe
PID 3176 wrote to memory of 1716	3176	rundll32.exe	cmd.exe
PID 3176 wrote to memory of 1716	3176	rundll32.exe	cmd.exe
PID 3176 wrote to memory of 1716	3176	rundll32.exe	cmd.exe
PID 1716 wrote to memory of 2968	1716	cmd.exe	tasklist.exe
PID 1716 wrote to memory of 2968	1716	cmd.exe	tasklist.exe
PID 1716 wrote to memory of 2968	1716	cmd.exe	tasklist.exe
PID 3176 wrote to memory of 2324	3176	rundll32.exe	svchost.exe
PID 3176 wrote to memory of 2324	3176	rundll32.exe	svchost.exe
PID 3176 wrote to memory of 2324	3176	rundll32.exe	svchost.exe
PID 3176 wrote to memory of 2324	3176	rundll32.exe	svchost.exe
PID 3176 wrote to memory of 2324	3176	rundll32.exe	svchost.exe
PID 2324 wrote to memory of 1244	2324	svchost.exe	cmd.exe
PID 2324 wrote to memory of 1244	2324	svchost.exe	cmd.exe
PID 2324 wrote to memory of 1244	2324	svchost.exe	cmd.exe
PID 1244 wrote to memory of 1428	1244	cmd.exe	NETSTAT.EXE
PID 1244 wrote to memory of 1428	1244	cmd.exe	NETSTAT.EXE
PID 1244 wrote to memory of 1428	1244	cmd.exe	NETSTAT.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb0a3c784e55bd25f845644b69c57e3e470af51983617fdfe7ba5d253019ed24.bin.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb0a3c784e55bd25f845644b69c57e3e470af51983617fdfe7ba5d253019ed24.bin.dll,#1
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im daumcleaner.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1172
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im daumcleaner.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1060
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ipconfig/all >>"C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat" & arp -a >>"C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:728
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:1396
  - - C:\Windows\SysWOW64\ARP.EXE
      arp -a
      4⤵
      PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c systeminfo >>"C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1268
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c tasklist >>"C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2968
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c netstat -a >> "C:\Users\Admin\AppData\Roaming\wininit.db"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1244
    - - C:\Windows\SysWOW64\NETSTAT.EXE
        
        netstat -a
        5⤵
        Gathers network information
        Suspicious use of AdjustPrivilegeToken
        
        PID:1428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Process Discovery

1

T1057

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat

MD5
bf2a29b5ef2fe2d2617964d3faa07140

SHA1
84b9027103b17a532568152710187c74dab2b40a

SHA256
e34d453c791304be0c40e250b587b78e3f810858955c4f2a8b11203b014bd1cf

SHA512
d82c87910f1c5e7de243c76d2d79d78cf598463f21ddd22e91d3ba0a8216b86f1ca8ff48ed9733e98343da8e0b593321ff0d704ed72e54e31d8b518c2e325d80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat

MD5
1a172b8163dcbd357e9fd93259032607

SHA1
9948761dd8f463e114c85e2840f99fdc5e7246e6

SHA256
2021e0d1d7b988924df0b8edfff9610d11a18667e3b88f026d0e368dbd9c5d23

SHA512
256fe7e847ff055ddc57cc711b370eccd294a84a956e4b3d88dc843645ae2a08f0f64cd0121b0a29f8ea2a2c255aedcc8de73fc00ca41cbe003fc5d4de307f19

Download Submit
C:\Users\Admin\AppData\Roaming\wininit.db

MD5
fcc4b7198ccada4682a8f9ad3796b14f

SHA1
42088b205863baa690b59b09e9984da29bbf2bbf

SHA256
ab501b83df9c8d4ac14047b0ae99f565711d3e1c1d617b0f644bb03d2e56ebd5

SHA512
1ef5e0e4e3aafdea6e72374286b01ba50ff1649a272749d5f266d52ab523c77f0f71d93da42f61c55360460fec437fb431b8bc3986eeb3618086cabf8caed8e0

Download Submit
memory/728-121-0x0000000000000000-mapping.dmp

Download
memory/1060-120-0x0000000000000000-mapping.dmp

Download
memory/1172-119-0x0000000000000000-mapping.dmp

Download
memory/1244-133-0x0000000000000000-mapping.dmp

Download
memory/1268-126-0x0000000000000000-mapping.dmp

Download
memory/1392-123-0x0000000000000000-mapping.dmp

Download
memory/1396-122-0x0000000000000000-mapping.dmp

Download
memory/1428-134-0x0000000000000000-mapping.dmp

Download
memory/1716-127-0x0000000000000000-mapping.dmp

Download
memory/2324-130-0x0000000002400000-0x000000000245A000-memory.dmp

Filesize
360KB

Download
memory/2324-131-0x000000000240D527-mapping.dmp

Download
memory/2324-132-0x0000000002400000-0x000000000245A000-memory.dmp

Filesize
360KB

Download
memory/2840-124-0x0000000000000000-mapping.dmp

Download
memory/2968-129-0x0000000000000000-mapping.dmp

Download
memory/3176-118-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing