golddragon | c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82

General

Target

c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82.exe
Size

100KB
MD5

c605b7c3e4c339642db6a33c5780b49b
SHA1

c2f01355880cd9dfeef75cff189f4a8af421e0d3
SHA256

c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82
SHA512

02ad68001d5e7754469584dd833ec902f56fd68222937819a5174450d18dc037cbcfdd8df770365d452519ef4c9081ecfd19e38f08fda2f78c441a1062a9cb26

Score

10^/10

golddragon backdoor

Malware Config

Signatures

GoldDragon
GoldDragon is a second-stage backdoor attributed to Kimsuky.
backdoor golddragon
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

1040 tasklist.exe
1900 tasklist.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

580 systeminfo.exe

pid	process
1040	tasklist.exe
1900	tasklist.exe

pid	process
580	systeminfo.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82.exetasklist.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	1220	c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82.exe
Token: SeDebugPrivilege	1040	tasklist.exe
Token: SeDebugPrivilege	1900	tasklist.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82.execmd.exe

description	pid	process	target process
PID 1220 wrote to memory of 584	1220	c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82.exe	cmd.exe
PID 1220 wrote to memory of 584	1220	c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82.exe	cmd.exe
PID 1220 wrote to memory of 584	1220	c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82.exe	cmd.exe
PID 1220 wrote to memory of 584	1220	c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82.exe	cmd.exe
PID 584 wrote to memory of 580	584	cmd.exe	systeminfo.exe
PID 584 wrote to memory of 580	584	cmd.exe	systeminfo.exe
PID 584 wrote to memory of 580	584	cmd.exe	systeminfo.exe
PID 584 wrote to memory of 580	584	cmd.exe	systeminfo.exe
PID 584 wrote to memory of 1040	584	cmd.exe	tasklist.exe
PID 584 wrote to memory of 1040	584	cmd.exe	tasklist.exe
PID 584 wrote to memory of 1040	584	cmd.exe	tasklist.exe
PID 584 wrote to memory of 1040	584	cmd.exe	tasklist.exe
PID 584 wrote to memory of 1900	584	cmd.exe	tasklist.exe
PID 584 wrote to memory of 1900	584	cmd.exe	tasklist.exe
PID 584 wrote to memory of 1900	584	cmd.exe	tasklist.exe
PID 584 wrote to memory of 1900	584	cmd.exe	tasklist.exe

C:\Users\Admin\AppData\Local\Temp\c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82.exe
"C:\Users\Admin\AppData\Local\Temp\c54837d0b856205bd4ae01887aae9178f55f16e0e1a1e1ff59bd18dbc8a3dd82.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\a.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:584
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:580
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1040
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /M
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

1

T1057

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a.bat

MD5
24431cca984d119621b085829a0fc3e1

SHA1
b451b5cdff61516524fca5a1cc810ca8851206d5

SHA256
81ce17bc245cd32f2b04397d23528068c076f9e71fa163b1e900a5732c6db46e

SHA512
57ce62199fe56cf8008c1eb8f310c6a9a534867abe6f432d208328c9f7cab2cb4fad3af1f6b11716e2861e863f84bc988cfb903a8a333a180225967bb0051972

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Network\ixeo584.bin

MD5
7b29211bd7accc726719ec90e6acc717

SHA1
78c88f10123e1ddc78698c7625a8af3c87d5674f

SHA256
aa60b4108e5cfa9f1943e757a5af3bee7c29ef9a49db90577be705ce8f40929d

SHA512
c23f49ef91d2d5d8b7c4ce770359af20bad1216eb190cc548114826163ba171b211355a5d9304aa830d68bef2c0ea44643fb09d5123a3e4f89dc848a79ec8255

Download Submit
memory/1220-54-0x0000000076C61000-0x0000000076C63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing