Overview

overview

10

Static

static

8

386e23ec5e...d8.dll

windows7_x64

10

386e23ec5e...d8.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    4294183s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    19-03-2022 10:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    386e23ec5e38c484f0b546b78e2480fc589f74f2233f3bcee060796f87f492d8.dll

  • Size

    271KB

  • MD5

    a49c43b4d6b5610e0719a3947b9ecf8f

  • SHA1

    392883730fb2e9146a565a298d980632bde30650

  • SHA256

    386e23ec5e38c484f0b546b78e2480fc589f74f2233f3bcee060796f87f492d8

  • SHA512

    3d9680fa03a1fee9e64904f4108517a8de3e37976490b04bc717ea1e5b23cfec89ab3fe295e61e24b6617a5a5b15564ffb598785b32828c89f1b3e92e5f525f0

Score
10/10
golddragonbackdoorsuricatavmprotect

Malware Config

Signatures

  • GoldDragon

    GoldDragon is a second-stage backdoor attributed to Kimsuky.

    backdoorgolddragon
  • suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND

    suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND

    suricata
  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 1 IoCs
  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Loads dropped DLL 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\386e23ec5e38c484f0b546b78e2480fc589f74f2233f3bcee060796f87f492d8.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1468
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\386e23ec5e38c484f0b546b78e2480fc589f74f2233f3bcee060796f87f492d8.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1116
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c ipconfig/all >> "C:\Users\%USERNAME%\appdata\Roaming\info.ini"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:956
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /all
          4⤵
          • Gathers network information
          PID:1984
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c dir "c:\program files" >> "C:\Users\%USERNAME%\appdata\Roaming\info.ini"
        3⤵
          PID:2016
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c dir "c:\program files (x86)" >> "C:\Users\%USERNAME%\appdata\Roaming\info.ini"
          3⤵
            PID:824
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c tasklist >> "C:\Users\%USERNAME%\appdata\Roaming\info.ini"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1808
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              4⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:1072
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\SOFTWARE\Microsoft\Office\11.0\Word\Security" /v VBAWarnings /t reg_dword /d 1 /f
            3⤵
              PID:1676
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKCU\SOFTWARE\Microsoft\Office\12.0\Word\Security" /v VBAWarnings /t reg_dword /d 1 /f
              3⤵
                PID:280
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKCU\SOFTWARE\Microsoft\Office\14.0\Word\Security" /v VBAWarnings /t reg_dword /d 1 /f
                3⤵
                  PID:2008
                • C:\Windows\SysWOW64\reg.exe
                  reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Security" /v VBAWarnings /t reg_dword /d 1 /f
                  3⤵
                    PID:1688
                  • C:\Windows\SysWOW64\reg.exe
                    reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Security" /v VBAWarnings /t reg_dword /d 1 /f
                    3⤵
                      PID:1380
                    • C:\Windows\SysWOW64\reg.exe
                      reg add "HKCU\SOFTWARE\Microsoft\Office\17.0\Word\Security" /v VBAWarnings /t reg_dword /d 1 /f
                      3⤵
                        PID:588
                      • C:\Windows\SysWOW64\reg.exe
                        reg add "HKCU\SOFTWARE\Microsoft\Office\18.0\Word\Security" /v VBAWarnings /t reg_dword /d 1 /f
                        3⤵
                          PID:1748
                        • C:\Users\Admin\AppData\Roaming\desktop.exe
                          C:\Users\Admin\AppData\Roaming\desktop.exe
                          3⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1972

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • memory/1116-54-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/1116-55-0x0000000074690000-0x0000000074794000-memory.dmp

                      Filesize

                      1.0MB

                      Download