goldenspy | dcad0978274cba7b52f1e8255fed30acd1b23d54946e8b63373ee775cca2eada

Analysis

max time kernel
232s
max time network
273s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-05-2022 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GoldenSpy (6).exe
Size

366KB
MD5

b363e855f613233848a0a89216488bfb
SHA1

c897972dfd26a07591cabbeeeeeb1db18f2f21d4
SHA256

20932b2151de5f0dc5c1159fbc1d2d004f069bb04d32d66dc7fa5b7b9eac1aa7
SHA512

47d65f9d64e2d9fd5fe78731d990dadb6148240477dc20ef9305ae5d32345ef2d28e82a10d40e2139141bf0c25556eb633b0c7cf1139989ec0bf0a610d6efeda

Score

10^/10

goldenspy backdoor discovery suricata trojan

Malware Config

Signatures

GoldenSpy
Backdoor spotted in June 2020 being distributed with the Chinese "Intelligent Tax" software.
trojan backdoor goldenspy

GoldenSpy Payload 8 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svmm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svmm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svmm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svmm.exe	goldenspy_svm_payload
C:\Program Files (x86)\svm\svm.exe	goldenspy_svm_payload

suricata: ET MALWARE GoldenSpy Domain Observed
suricata: ET MALWARE GoldenSpy Domain Observed
suricata
Executes dropped EXE 6 IoCs

Processes:

svm.exesvmm.exesvm.exesvm.exesvmm.exesvmm.exe

pid process

2180 svm.exe
4416 svmm.exe
5092 svm.exe
5100 svm.exe
4608 svmm.exe
4076 svmm.exe
Loads dropped DLL 4 IoCs

Processes:

GoldenSpy (6).exe

pid process

3392 GoldenSpy (6).exe
3392 GoldenSpy (6).exe
3392 GoldenSpy (6).exe
3392 GoldenSpy (6).exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2180	svm.exe
4416	svmm.exe
5092	svm.exe
5100	svm.exe
4608	svmm.exe
4076	svmm.exe

Drops file in Program Files directory 2 IoCs

Processes:

GoldenSpy (6).exesvm.exe

description	ioc	process
File created	C:\Program Files (x86)\svm\svm.exe	GoldenSpy (6).exe
File opened for modification	C:\Program Files (x86)\svm\log\20220520-svm.log	svm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 5 IoCs

Processes:

svm.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svm.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

GoldenSpy (6).exesvmm.exesvm.exe

pid	process
3392	GoldenSpy (6).exe
3392	GoldenSpy (6).exe
3392	GoldenSpy (6).exe
3392	GoldenSpy (6).exe
4076	svmm.exe
4076	svmm.exe
4076	svmm.exe
4076	svmm.exe
5100	svm.exe
5100	svm.exe
4076	svmm.exe
4076	svmm.exe
5100	svm.exe
5100	svm.exe
4076	svmm.exe
4076	svmm.exe
5100	svm.exe
5100	svm.exe
5100	svm.exe
5100	svm.exe
4076	svmm.exe
4076	svmm.exe
5100	svm.exe
5100	svm.exe
4076	svmm.exe
4076	svmm.exe
5100	svm.exe
5100	svm.exe
4076	svmm.exe
4076	svmm.exe
5100	svm.exe
5100	svm.exe
4076	svmm.exe
4076	svmm.exe
5100	svm.exe
5100	svm.exe
4076	svmm.exe
4076	svmm.exe
5100	svm.exe
5100	svm.exe
4076	svmm.exe
4076	svmm.exe
5100	svm.exe
5100	svm.exe
4076	svmm.exe
4076	svmm.exe
5100	svm.exe
5100	svm.exe
4076	svmm.exe
4076	svmm.exe
5100	svm.exe
5100	svm.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

GoldenSpy (6).exe

description	pid	process	target process
PID 3392 wrote to memory of 2180	3392	GoldenSpy (6).exe	svm.exe
PID 3392 wrote to memory of 2180	3392	GoldenSpy (6).exe	svm.exe
PID 3392 wrote to memory of 2180	3392	GoldenSpy (6).exe	svm.exe
PID 3392 wrote to memory of 4416	3392	GoldenSpy (6).exe	svmm.exe
PID 3392 wrote to memory of 4416	3392	GoldenSpy (6).exe	svmm.exe
PID 3392 wrote to memory of 4416	3392	GoldenSpy (6).exe	svmm.exe
PID 3392 wrote to memory of 5092	3392	GoldenSpy (6).exe	svm.exe
PID 3392 wrote to memory of 5092	3392	GoldenSpy (6).exe	svm.exe
PID 3392 wrote to memory of 5092	3392	GoldenSpy (6).exe	svm.exe
PID 3392 wrote to memory of 4608	3392	GoldenSpy (6).exe	svmm.exe
PID 3392 wrote to memory of 4608	3392	GoldenSpy (6).exe	svmm.exe
PID 3392 wrote to memory of 4608	3392	GoldenSpy (6).exe	svmm.exe

C:\Users\Admin\AppData\Local\Temp\GoldenSpy (6).exe
"C:\Users\Admin\AppData\Local\Temp\GoldenSpy (6).exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Program Files (x86)\svm\svm.exe
  "C:\Program Files (x86)\svm\svm.exe" -i
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Program Files (x86)\svm\svmm.exe
  "C:\Program Files (x86)\svm\svmm.exe" -i
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Program Files (x86)\svm\svm.exe
  "C:\Program Files (x86)\svm\svm.exe" -start
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Program Files (x86)\svm\svmm.exe
  "C:\Program Files (x86)\svm\svmm.exe" -start
  2⤵
  - Executes dropped EXE
  PID:4608

C:\Program Files (x86)\svm\svm.exe
"C:\Program Files (x86)\svm\svm.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5100

C:\Program Files (x86)\svm\svmm.exe
"C:\Program Files (x86)\svm\svmm.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\svm\svm.exe

Filesize
504KB

MD5
cf640636f3d85586607c20813884ff4a

SHA1
484d2e4d31a0c0a5ce5a2b2525677baa277c8a2c

SHA256
d41081969a212dec0ca623d848fb51907d8cdb1cb7bd86e1354e3041052858fb

SHA512
a6d18abdac3742613786b36e96130deee771a80cdcde200ccdab71546219094e8f088f6a05125d5f0056d9689265296783a59d49a88bc89bdd64073590f7f4a5

Download Submit
C:\Program Files (x86)\svm\svm.exe

Filesize
504KB

MD5
cf640636f3d85586607c20813884ff4a

SHA1
484d2e4d31a0c0a5ce5a2b2525677baa277c8a2c

SHA256
d41081969a212dec0ca623d848fb51907d8cdb1cb7bd86e1354e3041052858fb

SHA512
a6d18abdac3742613786b36e96130deee771a80cdcde200ccdab71546219094e8f088f6a05125d5f0056d9689265296783a59d49a88bc89bdd64073590f7f4a5

Download Submit
C:\Program Files (x86)\svm\svm.exe

Filesize
504KB

MD5
cf640636f3d85586607c20813884ff4a

SHA1
484d2e4d31a0c0a5ce5a2b2525677baa277c8a2c

SHA256
d41081969a212dec0ca623d848fb51907d8cdb1cb7bd86e1354e3041052858fb

SHA512
a6d18abdac3742613786b36e96130deee771a80cdcde200ccdab71546219094e8f088f6a05125d5f0056d9689265296783a59d49a88bc89bdd64073590f7f4a5

Download Submit
C:\Program Files (x86)\svm\svm.exe

Filesize
504KB

MD5
cf640636f3d85586607c20813884ff4a

SHA1
484d2e4d31a0c0a5ce5a2b2525677baa277c8a2c

SHA256
d41081969a212dec0ca623d848fb51907d8cdb1cb7bd86e1354e3041052858fb

SHA512
a6d18abdac3742613786b36e96130deee771a80cdcde200ccdab71546219094e8f088f6a05125d5f0056d9689265296783a59d49a88bc89bdd64073590f7f4a5

Download Submit
C:\Program Files (x86)\svm\svmm.exe

Filesize
504KB

MD5
cf640636f3d85586607c20813884ff4a

SHA1
484d2e4d31a0c0a5ce5a2b2525677baa277c8a2c

SHA256
d41081969a212dec0ca623d848fb51907d8cdb1cb7bd86e1354e3041052858fb

SHA512
a6d18abdac3742613786b36e96130deee771a80cdcde200ccdab71546219094e8f088f6a05125d5f0056d9689265296783a59d49a88bc89bdd64073590f7f4a5

Download Submit
C:\Program Files (x86)\svm\svmm.exe

Filesize
504KB

MD5
cf640636f3d85586607c20813884ff4a

SHA1
484d2e4d31a0c0a5ce5a2b2525677baa277c8a2c

SHA256
d41081969a212dec0ca623d848fb51907d8cdb1cb7bd86e1354e3041052858fb

SHA512
a6d18abdac3742613786b36e96130deee771a80cdcde200ccdab71546219094e8f088f6a05125d5f0056d9689265296783a59d49a88bc89bdd64073590f7f4a5

Download Submit
C:\Program Files (x86)\svm\svmm.exe

Filesize
504KB

MD5
cf640636f3d85586607c20813884ff4a

SHA1
484d2e4d31a0c0a5ce5a2b2525677baa277c8a2c

SHA256
d41081969a212dec0ca623d848fb51907d8cdb1cb7bd86e1354e3041052858fb

SHA512
a6d18abdac3742613786b36e96130deee771a80cdcde200ccdab71546219094e8f088f6a05125d5f0056d9689265296783a59d49a88bc89bdd64073590f7f4a5

Download Submit
C:\Program Files (x86)\svm\svmm.exe

Filesize
504KB

MD5
cf640636f3d85586607c20813884ff4a

SHA1
484d2e4d31a0c0a5ce5a2b2525677baa277c8a2c

SHA256
d41081969a212dec0ca623d848fb51907d8cdb1cb7bd86e1354e3041052858fb

SHA512
a6d18abdac3742613786b36e96130deee771a80cdcde200ccdab71546219094e8f088f6a05125d5f0056d9689265296783a59d49a88bc89bdd64073590f7f4a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk44E5.tmp\processwork.dll

Filesize
231KB

MD5
0a4fa7a9ba969a805eb0603c7cfe3378

SHA1
0f018a8d5b42c6ce8bf34b4a6422861c327af88c

SHA256
27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c

SHA512
e13e29712457d5e6351bfd69cba6320795d8b2fd1a047923814f8699f7188ec730ec7f0d946fdff66c8b430fef011415ed045b6ea56e4cc0b1d010171ab88178

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk44E5.tmp\processwork.dll

Filesize
231KB

MD5
0a4fa7a9ba969a805eb0603c7cfe3378

SHA1
0f018a8d5b42c6ce8bf34b4a6422861c327af88c

SHA256
27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c

SHA512
e13e29712457d5e6351bfd69cba6320795d8b2fd1a047923814f8699f7188ec730ec7f0d946fdff66c8b430fef011415ed045b6ea56e4cc0b1d010171ab88178

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk44E5.tmp\processwork.dll

Filesize
231KB

MD5
0a4fa7a9ba969a805eb0603c7cfe3378

SHA1
0f018a8d5b42c6ce8bf34b4a6422861c327af88c

SHA256
27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c

SHA512
e13e29712457d5e6351bfd69cba6320795d8b2fd1a047923814f8699f7188ec730ec7f0d946fdff66c8b430fef011415ed045b6ea56e4cc0b1d010171ab88178

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk44E5.tmp\processwork.dll

Filesize
231KB

MD5
0a4fa7a9ba969a805eb0603c7cfe3378

SHA1
0f018a8d5b42c6ce8bf34b4a6422861c327af88c

SHA256
27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c

SHA512
e13e29712457d5e6351bfd69cba6320795d8b2fd1a047923814f8699f7188ec730ec7f0d946fdff66c8b430fef011415ed045b6ea56e4cc0b1d010171ab88178

Download Submit
memory/2180-136-0x0000000000000000-mapping.dmp

Download
memory/3392-132-0x0000000003050000-0x0000000003091000-memory.dmp

Filesize
260KB

Download
memory/4416-139-0x0000000000000000-mapping.dmp

Download
memory/4608-144-0x0000000000000000-mapping.dmp

Download
memory/5092-142-0x0000000000000000-mapping.dmp

Download