goldenspy | 6ea5210f8094ec221afc137bd4224e46528305922d122b7113cd5104cc0de312

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-05-2022 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GoldenSpy (8).exe
Size

366KB
MD5

09b4079b039d13b47944e4cc7182f96f
SHA1

466a4dff21787949f94678be0c9b5c87e22a0bdc
SHA256

41103f32f247ba744a8fbe17deac4bd26aeba323f3161e44adc35f8dd81ce4d3
SHA512

b08d040ed51dfbe846de569973a7d63dc5757db53ef29169ae667f7802a49e3909aba86551ee1a6ab97870084ad06503ac683cd908fc0203b1b16adc16883cee

Score

10^/10

goldenspy backdoor discovery suricata trojan

Malware Config

Signatures

GoldenSpy
Backdoor spotted in June 2020 being distributed with the Chinese "Intelligent Tax" software.
trojan backdoor goldenspy

GoldenSpy Payload 8 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svmm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svmm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svmm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svmm.exe	goldenspy_svm_payload

suricata: ET MALWARE GoldenSpy Domain Observed
suricata: ET MALWARE GoldenSpy Domain Observed
suricata
Executes dropped EXE 6 IoCs

Processes:

svm.exesvmm.exesvm.exesvm.exesvmm.exesvmm.exe

pid process

880 svm.exe
4324 svmm.exe
4476 svm.exe
1172 svm.exe
3404 svmm.exe
4300 svmm.exe
Loads dropped DLL 4 IoCs

Processes:

GoldenSpy (8).exe

pid process

2068 GoldenSpy (8).exe
2068 GoldenSpy (8).exe
2068 GoldenSpy (8).exe
2068 GoldenSpy (8).exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
880	svm.exe
4324	svmm.exe
4476	svm.exe
1172	svm.exe
3404	svmm.exe
4300	svmm.exe

Drops file in Program Files directory 2 IoCs

Processes:

GoldenSpy (8).exesvm.exe

description	ioc	process
File created	C:\Program Files (x86)\svm\svm.exe	GoldenSpy (8).exe
File opened for modification	C:\Program Files (x86)\svm\log\20220520-svm.log	svm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 5 IoCs

Processes:

svm.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svm.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

GoldenSpy (8).exesvmm.exesvm.exe

pid	process
2068	GoldenSpy (8).exe
2068	GoldenSpy (8).exe
2068	GoldenSpy (8).exe
2068	GoldenSpy (8).exe
4300	svmm.exe
4300	svmm.exe
4300	svmm.exe
4300	svmm.exe
1172	svm.exe
1172	svm.exe
4300	svmm.exe
4300	svmm.exe
1172	svm.exe
1172	svm.exe
1172	svm.exe
1172	svm.exe
4300	svmm.exe
4300	svmm.exe
1172	svm.exe
1172	svm.exe
4300	svmm.exe
4300	svmm.exe
1172	svm.exe
1172	svm.exe
4300	svmm.exe
4300	svmm.exe
1172	svm.exe
1172	svm.exe
4300	svmm.exe
4300	svmm.exe
1172	svm.exe
1172	svm.exe
4300	svmm.exe
4300	svmm.exe
1172	svm.exe
1172	svm.exe
4300	svmm.exe
4300	svmm.exe
1172	svm.exe
1172	svm.exe
4300	svmm.exe
4300	svmm.exe
1172	svm.exe
1172	svm.exe
4300	svmm.exe
4300	svmm.exe
1172	svm.exe
1172	svm.exe
4300	svmm.exe
4300	svmm.exe
1172	svm.exe
1172	svm.exe
4300	svmm.exe
4300	svmm.exe
1172	svm.exe
1172	svm.exe
1172	svm.exe
1172	svm.exe
4300	svmm.exe
4300	svmm.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

GoldenSpy (8).exe

description	pid	process	target process
PID 2068 wrote to memory of 880	2068	GoldenSpy (8).exe	svm.exe
PID 2068 wrote to memory of 880	2068	GoldenSpy (8).exe	svm.exe
PID 2068 wrote to memory of 880	2068	GoldenSpy (8).exe	svm.exe
PID 2068 wrote to memory of 4324	2068	GoldenSpy (8).exe	svmm.exe
PID 2068 wrote to memory of 4324	2068	GoldenSpy (8).exe	svmm.exe
PID 2068 wrote to memory of 4324	2068	GoldenSpy (8).exe	svmm.exe
PID 2068 wrote to memory of 4476	2068	GoldenSpy (8).exe	svm.exe
PID 2068 wrote to memory of 4476	2068	GoldenSpy (8).exe	svm.exe
PID 2068 wrote to memory of 4476	2068	GoldenSpy (8).exe	svm.exe
PID 2068 wrote to memory of 3404	2068	GoldenSpy (8).exe	svmm.exe
PID 2068 wrote to memory of 3404	2068	GoldenSpy (8).exe	svmm.exe
PID 2068 wrote to memory of 3404	2068	GoldenSpy (8).exe	svmm.exe

C:\Users\Admin\AppData\Local\Temp\GoldenSpy (8).exe
"C:\Users\Admin\AppData\Local\Temp\GoldenSpy (8).exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Program Files (x86)\svm\svm.exe
  "C:\Program Files (x86)\svm\svm.exe" -i
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Program Files (x86)\svm\svmm.exe
  "C:\Program Files (x86)\svm\svmm.exe" -i
  2⤵
  - Executes dropped EXE
  PID:4324
- C:\Program Files (x86)\svm\svm.exe
  "C:\Program Files (x86)\svm\svm.exe" -start
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Program Files (x86)\svm\svmm.exe
  "C:\Program Files (x86)\svm\svmm.exe" -start
  2⤵
  - Executes dropped EXE
  PID:3404

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1172

C:\Program Files (x86)\svm\svmm.exe
"C:\Program Files (x86)\svm\svmm.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\svm\svm.exe

Filesize
504KB

MD5
72c7004537cd158b0d80f07d65e71f6b

SHA1
8d07cbd90527568c90f6cb481a1a21853c8b2524

SHA256
f89e898ea40e10901c0c9f9100f269a227323ace1f7248293bfd57982dea1a67

SHA512
8514eac88531d66e629e1756e7ec5fc41547ddbe2af00dc5ae6c7193f47108864c0487968c1b70e7b4d029da59b2543a34f4a4b5ae7885166bc1c65657c3275f

Download Submit
C:\Program Files (x86)\svm\svm.exe

Filesize
504KB

MD5
72c7004537cd158b0d80f07d65e71f6b

SHA1
8d07cbd90527568c90f6cb481a1a21853c8b2524

SHA256
f89e898ea40e10901c0c9f9100f269a227323ace1f7248293bfd57982dea1a67

SHA512
8514eac88531d66e629e1756e7ec5fc41547ddbe2af00dc5ae6c7193f47108864c0487968c1b70e7b4d029da59b2543a34f4a4b5ae7885166bc1c65657c3275f

Download Submit
C:\Program Files (x86)\svm\svm.exe

Filesize
504KB

MD5
72c7004537cd158b0d80f07d65e71f6b

SHA1
8d07cbd90527568c90f6cb481a1a21853c8b2524

SHA256
f89e898ea40e10901c0c9f9100f269a227323ace1f7248293bfd57982dea1a67

SHA512
8514eac88531d66e629e1756e7ec5fc41547ddbe2af00dc5ae6c7193f47108864c0487968c1b70e7b4d029da59b2543a34f4a4b5ae7885166bc1c65657c3275f

Download Submit
C:\Program Files (x86)\svm\svm.exe

Filesize
504KB

MD5
72c7004537cd158b0d80f07d65e71f6b

SHA1
8d07cbd90527568c90f6cb481a1a21853c8b2524

SHA256
f89e898ea40e10901c0c9f9100f269a227323ace1f7248293bfd57982dea1a67

SHA512
8514eac88531d66e629e1756e7ec5fc41547ddbe2af00dc5ae6c7193f47108864c0487968c1b70e7b4d029da59b2543a34f4a4b5ae7885166bc1c65657c3275f

Download Submit
C:\Program Files (x86)\svm\svmm.exe

Filesize
504KB

MD5
72c7004537cd158b0d80f07d65e71f6b

SHA1
8d07cbd90527568c90f6cb481a1a21853c8b2524

SHA256
f89e898ea40e10901c0c9f9100f269a227323ace1f7248293bfd57982dea1a67

SHA512
8514eac88531d66e629e1756e7ec5fc41547ddbe2af00dc5ae6c7193f47108864c0487968c1b70e7b4d029da59b2543a34f4a4b5ae7885166bc1c65657c3275f

Download Submit
C:\Program Files (x86)\svm\svmm.exe

Filesize
504KB

MD5
72c7004537cd158b0d80f07d65e71f6b

SHA1
8d07cbd90527568c90f6cb481a1a21853c8b2524

SHA256
f89e898ea40e10901c0c9f9100f269a227323ace1f7248293bfd57982dea1a67

SHA512
8514eac88531d66e629e1756e7ec5fc41547ddbe2af00dc5ae6c7193f47108864c0487968c1b70e7b4d029da59b2543a34f4a4b5ae7885166bc1c65657c3275f

Download Submit
C:\Program Files (x86)\svm\svmm.exe

Filesize
504KB

MD5
72c7004537cd158b0d80f07d65e71f6b

SHA1
8d07cbd90527568c90f6cb481a1a21853c8b2524

SHA256
f89e898ea40e10901c0c9f9100f269a227323ace1f7248293bfd57982dea1a67

SHA512
8514eac88531d66e629e1756e7ec5fc41547ddbe2af00dc5ae6c7193f47108864c0487968c1b70e7b4d029da59b2543a34f4a4b5ae7885166bc1c65657c3275f

Download Submit
C:\Program Files (x86)\svm\svmm.exe

Filesize
504KB

MD5
72c7004537cd158b0d80f07d65e71f6b

SHA1
8d07cbd90527568c90f6cb481a1a21853c8b2524

SHA256
f89e898ea40e10901c0c9f9100f269a227323ace1f7248293bfd57982dea1a67

SHA512
8514eac88531d66e629e1756e7ec5fc41547ddbe2af00dc5ae6c7193f47108864c0487968c1b70e7b4d029da59b2543a34f4a4b5ae7885166bc1c65657c3275f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseABB7.tmp\processwork.dll

Filesize
231KB

MD5
0a4fa7a9ba969a805eb0603c7cfe3378

SHA1
0f018a8d5b42c6ce8bf34b4a6422861c327af88c

SHA256
27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c

SHA512
e13e29712457d5e6351bfd69cba6320795d8b2fd1a047923814f8699f7188ec730ec7f0d946fdff66c8b430fef011415ed045b6ea56e4cc0b1d010171ab88178

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseABB7.tmp\processwork.dll

Filesize
231KB

MD5
0a4fa7a9ba969a805eb0603c7cfe3378

SHA1
0f018a8d5b42c6ce8bf34b4a6422861c327af88c

SHA256
27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c

SHA512
e13e29712457d5e6351bfd69cba6320795d8b2fd1a047923814f8699f7188ec730ec7f0d946fdff66c8b430fef011415ed045b6ea56e4cc0b1d010171ab88178

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseABB7.tmp\processwork.dll

Filesize
231KB

MD5
0a4fa7a9ba969a805eb0603c7cfe3378

SHA1
0f018a8d5b42c6ce8bf34b4a6422861c327af88c

SHA256
27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c

SHA512
e13e29712457d5e6351bfd69cba6320795d8b2fd1a047923814f8699f7188ec730ec7f0d946fdff66c8b430fef011415ed045b6ea56e4cc0b1d010171ab88178

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseABB7.tmp\processwork.dll

Filesize
231KB

MD5
0a4fa7a9ba969a805eb0603c7cfe3378

SHA1
0f018a8d5b42c6ce8bf34b4a6422861c327af88c

SHA256
27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c

SHA512
e13e29712457d5e6351bfd69cba6320795d8b2fd1a047923814f8699f7188ec730ec7f0d946fdff66c8b430fef011415ed045b6ea56e4cc0b1d010171ab88178

Download Submit
memory/880-136-0x0000000000000000-mapping.dmp

Download
memory/2068-132-0x0000000002410000-0x0000000002451000-memory.dmp

Filesize
260KB

Download
memory/3404-143-0x0000000000000000-mapping.dmp

Download
memory/4324-139-0x0000000000000000-mapping.dmp

Download
memory/4476-142-0x0000000000000000-mapping.dmp

Download