golddragon | 386e23ec5e38c484f0b546b78e2480fc589f74f2233f3bcee060796f87f492d8

Analysis

max time kernel
152s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
19-03-2022 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

386e23ec5e38c484f0b546b78e2480fc589f74f2233f3bcee060796f87f492d8.dll
Size

271KB
MD5

a49c43b4d6b5610e0719a3947b9ecf8f
SHA1

392883730fb2e9146a565a298d980632bde30650
SHA256

386e23ec5e38c484f0b546b78e2480fc589f74f2233f3bcee060796f87f492d8
SHA512

3d9680fa03a1fee9e64904f4108517a8de3e37976490b04bc717ea1e5b23cfec89ab3fe295e61e24b6617a5a5b15564ffb598785b32828c89f1b3e92e5f525f0

Score

10^/10

golddragon backdoor suricata vmprotect

Malware Config

Signatures

GoldDragon
GoldDragon is a second-stage backdoor attributed to Kimsuky.
backdoor golddragon
suricata: ET MALWARE Windows TaskList Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows TaskList Microsoft Windows DOS prompt command exit OUTBOUND
suricata
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata

Blocklisted process makes network request 3 IoCs

flow	pid	Process
12	1436	rundll32.exe
13	1436	rundll32.exe
32	1436	rundll32.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/1436-130-0x0000000075350000-0x0000000075454000-memory.dmp	vmprotect

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
444	tasklist.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
2972	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	444	tasklist.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 1436	1292	rundll32.exe	80
PID 1292 wrote to memory of 1436	1292	rundll32.exe	80
PID 1292 wrote to memory of 1436	1292	rundll32.exe	80
PID 1436 wrote to memory of 2168	1436	rundll32.exe	81
PID 1436 wrote to memory of 2168	1436	rundll32.exe	81
PID 1436 wrote to memory of 2168	1436	rundll32.exe	81
PID 2168 wrote to memory of 2972	2168	cmd.exe	83
PID 2168 wrote to memory of 2972	2168	cmd.exe	83
PID 2168 wrote to memory of 2972	2168	cmd.exe	83
PID 1436 wrote to memory of 2792	1436	rundll32.exe	84
PID 1436 wrote to memory of 2792	1436	rundll32.exe	84
PID 1436 wrote to memory of 2792	1436	rundll32.exe	84
PID 1436 wrote to memory of 4712	1436	rundll32.exe	86
PID 1436 wrote to memory of 4712	1436	rundll32.exe	86
PID 1436 wrote to memory of 4712	1436	rundll32.exe	86
PID 1436 wrote to memory of 1760	1436	rundll32.exe	88
PID 1436 wrote to memory of 1760	1436	rundll32.exe	88
PID 1436 wrote to memory of 1760	1436	rundll32.exe	88
PID 1760 wrote to memory of 444	1760	cmd.exe	90
PID 1760 wrote to memory of 444	1760	cmd.exe	90
PID 1760 wrote to memory of 444	1760	cmd.exe	90
PID 1436 wrote to memory of 2464	1436	rundll32.exe	92
PID 1436 wrote to memory of 2464	1436	rundll32.exe	92
PID 1436 wrote to memory of 2464	1436	rundll32.exe	92
PID 1436 wrote to memory of 4404	1436	rundll32.exe	94
PID 1436 wrote to memory of 4404	1436	rundll32.exe	94
PID 1436 wrote to memory of 4404	1436	rundll32.exe	94
PID 1436 wrote to memory of 2564	1436	rundll32.exe	96
PID 1436 wrote to memory of 2564	1436	rundll32.exe	96
PID 1436 wrote to memory of 2564	1436	rundll32.exe	96
PID 1436 wrote to memory of 3780	1436	rundll32.exe	98
PID 1436 wrote to memory of 3780	1436	rundll32.exe	98
PID 1436 wrote to memory of 3780	1436	rundll32.exe	98
PID 1436 wrote to memory of 360	1436	rundll32.exe	100
PID 1436 wrote to memory of 360	1436	rundll32.exe	100
PID 1436 wrote to memory of 360	1436	rundll32.exe	100
PID 1436 wrote to memory of 868	1436	rundll32.exe	102
PID 1436 wrote to memory of 868	1436	rundll32.exe	102
PID 1436 wrote to memory of 868	1436	rundll32.exe	102
PID 1436 wrote to memory of 3500	1436	rundll32.exe	104
PID 1436 wrote to memory of 3500	1436	rundll32.exe	104
PID 1436 wrote to memory of 3500	1436	rundll32.exe	104

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\386e23ec5e38c484f0b546b78e2480fc589f74f2233f3bcee060796f87f492d8.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\386e23ec5e38c484f0b546b78e2480fc589f74f2233f3bcee060796f87f492d8.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ipconfig/all >> "C:\Users\%USERNAME%\appdata\Roaming\info.ini"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:2972
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c dir "c:\program files" >> "C:\Users\%USERNAME%\appdata\Roaming\info.ini"
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c dir "c:\program files (x86)" >> "C:\Users\%USERNAME%\appdata\Roaming\info.ini"
    3⤵
    PID:4712
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c tasklist >> "C:\Users\%USERNAME%\appdata\Roaming\info.ini"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:444
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\11.0\Word\Security" /v VBAWarnings /t reg_dword /d 1 /f
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\12.0\Word\Security" /v VBAWarnings /t reg_dword /d 1 /f
    3⤵
    PID:4404
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\14.0\Word\Security" /v VBAWarnings /t reg_dword /d 1 /f
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Security" /v VBAWarnings /t reg_dword /d 1 /f
    3⤵
    PID:3780
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Security" /v VBAWarnings /t reg_dword /d 1 /f
    3⤵
    PID:360
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\17.0\Word\Security" /v VBAWarnings /t reg_dword /d 1 /f
    3⤵
    PID:868
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\18.0\Word\Security" /v VBAWarnings /t reg_dword /d 1 /f
    3⤵
    PID:3500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1436-130-0x0000000075350000-0x0000000075454000-memory.dmp

Filesize
1.0MB

Download