golddragon | 111ab6aa14ef1f8359c59b43778b76c7be5ca72dc1372a3603cd5814bfb2850d

Analysis

Target

111ab6aa14ef1f8359c59b43778b76c7be5ca72dc1372a3603cd5814bfb2850d.dll
Size

107KB
MD5

42b9f65fda3cbb613f726c9a4f26069e
SHA1

71f337dc65459027f4ab26198270368f68d7ae77
SHA256

111ab6aa14ef1f8359c59b43778b76c7be5ca72dc1372a3603cd5814bfb2850d
SHA512

7535e699bf635c87523e014eee62dae61f3545e908ef23e864635f0c39b115a55c2ce87ba120123d82739070a63de3adbdfbd9153c973260e6cfcd15da31fbb2

Score

10^/10

GoldDragon
GoldDragon is a second-stage backdoor attributed to Kimsuky.
backdoor golddragon

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	1624	rundll32.exe
6	1624	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1624	rundll32.exe
1624	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1624	rundll32.exe
Token: SeDebugPrivilege	1624	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 1624	1744	rundll32.exe	27
PID 1744 wrote to memory of 1624	1744	rundll32.exe	27
PID 1744 wrote to memory of 1624	1744	rundll32.exe	27
PID 1744 wrote to memory of 1624	1744	rundll32.exe	27
PID 1744 wrote to memory of 1624	1744	rundll32.exe	27
PID 1744 wrote to memory of 1624	1744	rundll32.exe	27
PID 1744 wrote to memory of 1624	1744	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\111ab6aa14ef1f8359c59b43778b76c7be5ca72dc1372a3603cd5814bfb2850d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\111ab6aa14ef1f8359c59b43778b76c7be5ca72dc1372a3603cd5814bfb2850d.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1624

memory/1624-54-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download