Analysis

  • max time kernel
    117s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24-01-2022 06:00

General

  • Target

    111ab6aa14ef1f8359c59b43778b76c7be5ca72dc1372a3603cd5814bfb2850d.dll

  • Size

    107KB

  • MD5

    42b9f65fda3cbb613f726c9a4f26069e

  • SHA1

    71f337dc65459027f4ab26198270368f68d7ae77

  • SHA256

    111ab6aa14ef1f8359c59b43778b76c7be5ca72dc1372a3603cd5814bfb2850d

  • SHA512

    7535e699bf635c87523e014eee62dae61f3545e908ef23e864635f0c39b115a55c2ce87ba120123d82739070a63de3adbdfbd9153c973260e6cfcd15da31fbb2

Score
10/10

Malware Config

Signatures

  • GoldDragon

    GoldDragon is a second-stage backdoor attributed to Kimsuky.

  • Blocklisted process makes network request 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\111ab6aa14ef1f8359c59b43778b76c7be5ca72dc1372a3603cd5814bfb2850d.dll,#1
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Windows\SysWOW64\rundll32.exe (child of PID 1744)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\111ab6aa14ef1f8359c59b43778b76c7be5ca72dc1372a3603cd5814bfb2850d.dll,#1
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1624

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1624-54-0x0000000075761000-0x0000000075763000-memory.dmp

    Filesize

    8KB