golddragon | fa85ed7118f1f8ac656a03958ac7b973bb747a6e8f86561d071ad05255f4e9f0

Target

1.dll
Size

805KB
MD5

25c5240491accd78c6ee10efb1b73984
SHA1

6072927d9641237c609dd9b604e1d0180a908f3c
SHA256

fa85ed7118f1f8ac656a03958ac7b973bb747a6e8f86561d071ad05255f4e9f0
SHA512

d967b39d07a79a255c2f4ebd71e3ba0e2748c50b70bdfcf88486837e11cdb44919945dd072e9f5537e3d6818bef28d9e6799ff227909bcbdabd6639314142eb0

Score

10^/10

golddragon backdoor persistence spyware stealer

Malware Config

Signatures

GoldDragon
GoldDragon is a second-stage backdoor attributed to Kimsuky.
backdoor golddragon

GoldDragon 2021 Stage1 backdoor 4 IoCs

Detect GoldDragon backdoor Stage 1.

backdoor

resource	yara_rule
behavioral1/memory/1084-56-0x0000000010000000-0x00000000101E7000-memory.dmp	golddragon_stage1
behavioral1/memory/1084-62-0x0000000010000000-0x00000000101E7000-memory.dmp	golddragon_stage1
behavioral1/memory/1084-63-0x0000000010000000-0x00000000101E7000-memory.dmp	golddragon_stage1
behavioral1/memory/1084-72-0x0000000010000000-0x00000000101E7000-memory.dmp	golddragon_stage1

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\schedule = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\exts\\hancom.dll\" Run"	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1084	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1084 set thread context of 908	1084	rundll32.exe	48

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1860	tasklist.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1840	ipconfig.exe
1764	NETSTAT.EXE

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1360	systeminfo.exe
840	systeminfo.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1296	taskkill.exe

Runs regedit.exe 1 IoCs

pid	Process
1860	regedit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1860	regedit.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1296	taskkill.exe
Token: SeDebugPrivilege	1860	tasklist.exe
Token: SeDebugPrivilege	1764	NETSTAT.EXE
Token: 33	1268	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1268	AUDIODG.EXE
Token: 33	1268	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1268	AUDIODG.EXE

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 1084	1596	rundll32.exe	28
PID 1596 wrote to memory of 1084	1596	rundll32.exe	28
PID 1596 wrote to memory of 1084	1596	rundll32.exe	28
PID 1596 wrote to memory of 1084	1596	rundll32.exe	28
PID 1596 wrote to memory of 1084	1596	rundll32.exe	28
PID 1596 wrote to memory of 1084	1596	rundll32.exe	28
PID 1596 wrote to memory of 1084	1596	rundll32.exe	28
PID 1084 wrote to memory of 988	1084	rundll32.exe	29
PID 1084 wrote to memory of 988	1084	rundll32.exe	29
PID 1084 wrote to memory of 988	1084	rundll32.exe	29
PID 1084 wrote to memory of 988	1084	rundll32.exe	29
PID 988 wrote to memory of 1296	988	cmd.exe	31
PID 988 wrote to memory of 1296	988	cmd.exe	31
PID 988 wrote to memory of 1296	988	cmd.exe	31
PID 988 wrote to memory of 1296	988	cmd.exe	31
PID 648 wrote to memory of 1360	648	cmd.exe	35
PID 648 wrote to memory of 1360	648	cmd.exe	35
PID 648 wrote to memory of 1360	648	cmd.exe	35
PID 1084 wrote to memory of 476	1084	rundll32.exe	37
PID 1084 wrote to memory of 476	1084	rundll32.exe	37
PID 1084 wrote to memory of 476	1084	rundll32.exe	37
PID 1084 wrote to memory of 476	1084	rundll32.exe	37
PID 476 wrote to memory of 1840	476	cmd.exe	39
PID 476 wrote to memory of 1840	476	cmd.exe	39
PID 476 wrote to memory of 1840	476	cmd.exe	39
PID 476 wrote to memory of 1840	476	cmd.exe	39
PID 476 wrote to memory of 904	476	cmd.exe	40
PID 476 wrote to memory of 904	476	cmd.exe	40
PID 476 wrote to memory of 904	476	cmd.exe	40
PID 476 wrote to memory of 904	476	cmd.exe	40
PID 1084 wrote to memory of 848	1084	rundll32.exe	41
PID 1084 wrote to memory of 848	1084	rundll32.exe	41
PID 1084 wrote to memory of 848	1084	rundll32.exe	41
PID 1084 wrote to memory of 848	1084	rundll32.exe	41
PID 848 wrote to memory of 840	848	cmd.exe	43
PID 848 wrote to memory of 840	848	cmd.exe	43
PID 848 wrote to memory of 840	848	cmd.exe	43
PID 848 wrote to memory of 840	848	cmd.exe	43
PID 1084 wrote to memory of 1452	1084	rundll32.exe	45
PID 1084 wrote to memory of 1452	1084	rundll32.exe	45
PID 1084 wrote to memory of 1452	1084	rundll32.exe	45
PID 1084 wrote to memory of 1452	1084	rundll32.exe	45
PID 1452 wrote to memory of 1860	1452	cmd.exe	47
PID 1452 wrote to memory of 1860	1452	cmd.exe	47
PID 1452 wrote to memory of 1860	1452	cmd.exe	47
PID 1452 wrote to memory of 1860	1452	cmd.exe	47
PID 1084 wrote to memory of 908	1084	rundll32.exe	48
PID 1084 wrote to memory of 908	1084	rundll32.exe	48
PID 1084 wrote to memory of 908	1084	rundll32.exe	48
PID 1084 wrote to memory of 908	1084	rundll32.exe	48
PID 1084 wrote to memory of 908	1084	rundll32.exe	48
PID 1084 wrote to memory of 908	1084	rundll32.exe	48
PID 2020 wrote to memory of 1764	2020	cmd.exe	51
PID 2020 wrote to memory of 1764	2020	cmd.exe	51
PID 2020 wrote to memory of 1764	2020	cmd.exe	51
PID 2020 wrote to memory of 1764	2020	cmd.exe	51

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,#1
  2⤵
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im daumcleaner.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im daumcleaner.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1296
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ipconfig/all >>"C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat" & arp -a >>"C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:476
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:1840
  - - C:\Windows\SysWOW64\ARP.EXE
      arp -a
      4⤵
      PID:904
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c systeminfo >>"C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:840
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c tasklist >>"C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1452
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1860
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    PID:908
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c netstat -a >> "C:\Users\Admin\AppData\Roaming\wininit.db"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2020
    - - C:\Windows\SysWOW64\NETSTAT.EXE
        
        netstat -a
        5⤵
        Gathers network information
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      PID:1208
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      PID:1396

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:648
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:1360

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1672

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" SYSTEM
1⤵
PID:1660

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:836

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1328

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x570
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
1⤵
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
PID:1860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
308336e7f515478969b24c13ded11ede

SHA1
8fb0cf42b77dbbef224a1e5fc38abc2486320775

SHA256
889b832323726a9f10ad03f85562048fdcfe20c9ff6f9d37412cf477b4e92ff9

SHA512
61ad97228cd6c3909ef3ac5e4940199971f293bdd0d5eb7916e60469573a44b6287c0fa1e0b6c1389df35eb6c9a7d2a61fdb318d4a886a3821ef5a9dab3ac24f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd96a3cf1a690768e1ab0b4f01de3f6f

SHA1
6098266e0e8989b294606c34ad9f2619154348b6

SHA256
3876a5ec6e68ce61277e0bed89c21373b51312c26b1eeeedcabe93585509e9ae

SHA512
86877325bef493e73c89ca5a991020a3b90b9b4714bf085a3808da7aee566a9cc8c2e3aa7a74e58d05314f69465aa339c526f9b4b4c156d4ffbf26e37e4347e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat

Filesize
1KB

MD5
09494ee774954a12b242b9c615adab57

SHA1
7158fc6bf75b92cd37e418a88654e0f385eb3481

SHA256
c4e19be9528d9ddd6b55c402a8a2dd48246ecb84a07371b000e1b4d277036f57

SHA512
0fc5fcda270682c06a13695c39f10a4fbc47abc0fc1fc5743c98305b817034695af93846f6b9cf0b37a305405082d4bcb79f3f577b0705e9669a311433cf3337

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat

Filesize
3KB

MD5
7069f9b2a02f79a3f89459e78b8b8c05

SHA1
9c7b7b99d6982ba5fb7528fb6a80b33afe8cc965

SHA256
3c3efee714988e65a03fdefb839ee44537a7e7328288e82ab1c94bf241334895

SHA512
7ef3f0242f96b88b56f162e1f2f364f46e584feafb49ceca5326bff791970b436ec9b6f87b2dae7a3f1e95fb6a5fc5c5927e148854ad1b834d9f0641d4b8c90d

Download Submit
memory/836-85-0x0000000072851000-0x0000000072853000-memory.dmp

Filesize
8KB

Download
memory/908-76-0x00000000000C0000-0x000000000011A000-memory.dmp

Filesize
360KB

Download
memory/908-78-0x00000000000C0000-0x000000000011A000-memory.dmp

Filesize
360KB

Download
memory/908-80-0x00000000000C0000-0x000000000011A000-memory.dmp

Filesize
360KB

Download
memory/1084-72-0x0000000010000000-0x00000000101E7000-memory.dmp

Filesize
1.9MB

Download
memory/1084-62-0x0000000010000000-0x00000000101E7000-memory.dmp

Filesize
1.9MB

Download
memory/1084-63-0x0000000010000000-0x00000000101E7000-memory.dmp

Filesize
1.9MB

Download
memory/1084-56-0x0000000010000000-0x00000000101E7000-memory.dmp

Filesize
1.9MB

Download
memory/1084-55-0x0000000075781000-0x0000000075783000-memory.dmp

Filesize
8KB

Download
memory/1672-82-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads