golddragon | fa85ed7118f1f8ac656a03958ac7b973bb747a6e8f86561d071ad05255f4e9f0

General

Target

1.dll
Size

805KB
MD5

25c5240491accd78c6ee10efb1b73984
SHA1

6072927d9641237c609dd9b604e1d0180a908f3c
SHA256

fa85ed7118f1f8ac656a03958ac7b973bb747a6e8f86561d071ad05255f4e9f0
SHA512

d967b39d07a79a255c2f4ebd71e3ba0e2748c50b70bdfcf88486837e11cdb44919945dd072e9f5537e3d6818bef28d9e6799ff227909bcbdabd6639314142eb0

Score

10^/10

golddragon backdoor persistence spyware stealer

Malware Config

Signatures

GoldDragon
GoldDragon is a second-stage backdoor attributed to Kimsuky.
backdoor golddragon

GoldDragon 2021 Stage1 backdoor 4 IoCs

Detect GoldDragon backdoor Stage 1.

backdoor

Processes:

resource	yara_rule
behavioral1/memory/1084-56-0x0000000010000000-0x00000000101E7000-memory.dmp	golddragon_stage1
behavioral1/memory/1084-62-0x0000000010000000-0x00000000101E7000-memory.dmp	golddragon_stage1
behavioral1/memory/1084-63-0x0000000010000000-0x00000000101E7000-memory.dmp	golddragon_stage1
behavioral1/memory/1084-72-0x0000000010000000-0x00000000101E7000-memory.dmp	golddragon_stage1

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\schedule = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\exts\\hancom.dll\" Run"	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

rundll32.exe

pid process

1084 rundll32.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1084 set thread context of 908 1084 rundll32.exe svchost.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1860 tasklist.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeNETSTAT.EXE

pid process

1840 ipconfig.exe
1764 NETSTAT.EXE
Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exesysteminfo.exe

pid process

1360 systeminfo.exe
840 systeminfo.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1296 taskkill.exe
Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

1860 regedit.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

regedit.exe

pid process

1860 regedit.exe

pid	process
1084	rundll32.exe

description	pid	process	target process
PID 1084 set thread context of 908	1084	rundll32.exe	svchost.exe

pid	process
1860	tasklist.exe

pid	process
1840	ipconfig.exe
1764	NETSTAT.EXE

pid	process
1360	systeminfo.exe
840	systeminfo.exe

pid	process
1296	taskkill.exe

pid	process
1860	regedit.exe

pid	process
1860	regedit.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

taskkill.exetasklist.exeNETSTAT.EXEAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1296	taskkill.exe
Token: SeDebugPrivilege	1860	tasklist.exe
Token: SeDebugPrivilege	1764	NETSTAT.EXE
Token: 33	1268	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1268	AUDIODG.EXE
Token: 33	1268	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1268	AUDIODG.EXE

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

rundll32.exerundll32.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1596 wrote to memory of 1084	1596	rundll32.exe	rundll32.exe
PID 1596 wrote to memory of 1084	1596	rundll32.exe	rundll32.exe
PID 1596 wrote to memory of 1084	1596	rundll32.exe	rundll32.exe
PID 1596 wrote to memory of 1084	1596	rundll32.exe	rundll32.exe
PID 1596 wrote to memory of 1084	1596	rundll32.exe	rundll32.exe
PID 1596 wrote to memory of 1084	1596	rundll32.exe	rundll32.exe
PID 1596 wrote to memory of 1084	1596	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 988	1084	rundll32.exe	cmd.exe
PID 1084 wrote to memory of 988	1084	rundll32.exe	cmd.exe
PID 1084 wrote to memory of 988	1084	rundll32.exe	cmd.exe
PID 1084 wrote to memory of 988	1084	rundll32.exe	cmd.exe
PID 988 wrote to memory of 1296	988	cmd.exe	taskkill.exe
PID 988 wrote to memory of 1296	988	cmd.exe	taskkill.exe
PID 988 wrote to memory of 1296	988	cmd.exe	taskkill.exe
PID 988 wrote to memory of 1296	988	cmd.exe	taskkill.exe
PID 648 wrote to memory of 1360	648	cmd.exe	systeminfo.exe
PID 648 wrote to memory of 1360	648	cmd.exe	systeminfo.exe
PID 648 wrote to memory of 1360	648	cmd.exe	systeminfo.exe
PID 1084 wrote to memory of 476	1084	rundll32.exe	cmd.exe
PID 1084 wrote to memory of 476	1084	rundll32.exe	cmd.exe
PID 1084 wrote to memory of 476	1084	rundll32.exe	cmd.exe
PID 1084 wrote to memory of 476	1084	rundll32.exe	cmd.exe
PID 476 wrote to memory of 1840	476	cmd.exe	ipconfig.exe
PID 476 wrote to memory of 1840	476	cmd.exe	ipconfig.exe
PID 476 wrote to memory of 1840	476	cmd.exe	ipconfig.exe
PID 476 wrote to memory of 1840	476	cmd.exe	ipconfig.exe
PID 476 wrote to memory of 904	476	cmd.exe	ARP.EXE
PID 476 wrote to memory of 904	476	cmd.exe	ARP.EXE
PID 476 wrote to memory of 904	476	cmd.exe	ARP.EXE
PID 476 wrote to memory of 904	476	cmd.exe	ARP.EXE
PID 1084 wrote to memory of 848	1084	rundll32.exe	cmd.exe
PID 1084 wrote to memory of 848	1084	rundll32.exe	cmd.exe
PID 1084 wrote to memory of 848	1084	rundll32.exe	cmd.exe
PID 1084 wrote to memory of 848	1084	rundll32.exe	cmd.exe
PID 848 wrote to memory of 840	848	cmd.exe	systeminfo.exe
PID 848 wrote to memory of 840	848	cmd.exe	systeminfo.exe
PID 848 wrote to memory of 840	848	cmd.exe	systeminfo.exe
PID 848 wrote to memory of 840	848	cmd.exe	systeminfo.exe
PID 1084 wrote to memory of 1452	1084	rundll32.exe	cmd.exe
PID 1084 wrote to memory of 1452	1084	rundll32.exe	cmd.exe
PID 1084 wrote to memory of 1452	1084	rundll32.exe	cmd.exe
PID 1084 wrote to memory of 1452	1084	rundll32.exe	cmd.exe
PID 1452 wrote to memory of 1860	1452	cmd.exe	tasklist.exe
PID 1452 wrote to memory of 1860	1452	cmd.exe	tasklist.exe
PID 1452 wrote to memory of 1860	1452	cmd.exe	tasklist.exe
PID 1452 wrote to memory of 1860	1452	cmd.exe	tasklist.exe
PID 1084 wrote to memory of 908	1084	rundll32.exe	svchost.exe
PID 1084 wrote to memory of 908	1084	rundll32.exe	svchost.exe
PID 1084 wrote to memory of 908	1084	rundll32.exe	svchost.exe
PID 1084 wrote to memory of 908	1084	rundll32.exe	svchost.exe
PID 1084 wrote to memory of 908	1084	rundll32.exe	svchost.exe
PID 1084 wrote to memory of 908	1084	rundll32.exe	svchost.exe
PID 2020 wrote to memory of 1764	2020	cmd.exe	NETSTAT.EXE
PID 2020 wrote to memory of 1764	2020	cmd.exe	NETSTAT.EXE
PID 2020 wrote to memory of 1764	2020	cmd.exe	NETSTAT.EXE
PID 2020 wrote to memory of 1764	2020	cmd.exe	NETSTAT.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,#1
  2⤵
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im daumcleaner.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im daumcleaner.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1296
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ipconfig/all >>"C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat" & arp -a >>"C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:476
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:1840
  - - C:\Windows\SysWOW64\ARP.EXE
      arp -a
      4⤵
      PID:904
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c systeminfo >>"C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:840
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c tasklist >>"C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1452
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1860
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    PID:908
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c netstat -a >> "C:\Users\Admin\AppData\Roaming\wininit.db"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2020
    - - C:\Windows\SysWOW64\NETSTAT.EXE
        
        netstat -a
        5⤵
        Gathers network information
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      PID:1208
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      PID:1396

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:648
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:1360

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1672

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" SYSTEM
1⤵
PID:1660

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:836

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1328

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x570
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
1⤵
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
PID:1860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Process Discovery

1

T1057

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
308336e7f515478969b24c13ded11ede

SHA1
8fb0cf42b77dbbef224a1e5fc38abc2486320775

SHA256
889b832323726a9f10ad03f85562048fdcfe20c9ff6f9d37412cf477b4e92ff9

SHA512
61ad97228cd6c3909ef3ac5e4940199971f293bdd0d5eb7916e60469573a44b6287c0fa1e0b6c1389df35eb6c9a7d2a61fdb318d4a886a3821ef5a9dab3ac24f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd96a3cf1a690768e1ab0b4f01de3f6f

SHA1
6098266e0e8989b294606c34ad9f2619154348b6

SHA256
3876a5ec6e68ce61277e0bed89c21373b51312c26b1eeeedcabe93585509e9ae

SHA512
86877325bef493e73c89ca5a991020a3b90b9b4714bf085a3808da7aee566a9cc8c2e3aa7a74e58d05314f69465aa339c526f9b4b4c156d4ffbf26e37e4347e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat

Filesize
1KB

MD5
09494ee774954a12b242b9c615adab57

SHA1
7158fc6bf75b92cd37e418a88654e0f385eb3481

SHA256
c4e19be9528d9ddd6b55c402a8a2dd48246ecb84a07371b000e1b4d277036f57

SHA512
0fc5fcda270682c06a13695c39f10a4fbc47abc0fc1fc5743c98305b817034695af93846f6b9cf0b37a305405082d4bcb79f3f577b0705e9669a311433cf3337

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat

Filesize
3KB

MD5
7069f9b2a02f79a3f89459e78b8b8c05

SHA1
9c7b7b99d6982ba5fb7528fb6a80b33afe8cc965

SHA256
3c3efee714988e65a03fdefb839ee44537a7e7328288e82ab1c94bf241334895

SHA512
7ef3f0242f96b88b56f162e1f2f364f46e584feafb49ceca5326bff791970b436ec9b6f87b2dae7a3f1e95fb6a5fc5c5927e148854ad1b834d9f0641d4b8c90d

Download Submit
memory/476-65-0x0000000000000000-mapping.dmp

Download
memory/836-85-0x0000000072851000-0x0000000072853000-memory.dmp

Filesize
8KB

Download
memory/840-71-0x0000000000000000-mapping.dmp

Download
memory/848-69-0x0000000000000000-mapping.dmp

Download
memory/904-68-0x0000000000000000-mapping.dmp

Download
memory/908-76-0x00000000000C0000-0x000000000011A000-memory.dmp

Filesize
360KB

Download
memory/908-78-0x00000000000C0000-0x000000000011A000-memory.dmp

Filesize
360KB

Download
memory/908-80-0x00000000000C0000-0x000000000011A000-memory.dmp

Filesize
360KB

Download
memory/908-79-0x00000000000CD527-mapping.dmp

Download
memory/988-60-0x0000000000000000-mapping.dmp

Download
memory/1084-54-0x0000000000000000-mapping.dmp

Download
memory/1084-72-0x0000000010000000-0x00000000101E7000-memory.dmp

Filesize
1.9MB

Download
memory/1084-62-0x0000000010000000-0x00000000101E7000-memory.dmp

Filesize
1.9MB

Download
memory/1084-63-0x0000000010000000-0x00000000101E7000-memory.dmp

Filesize
1.9MB

Download
memory/1084-56-0x0000000010000000-0x00000000101E7000-memory.dmp

Filesize
1.9MB

Download
memory/1084-55-0x0000000075781000-0x0000000075783000-memory.dmp

Filesize
8KB

Download
memory/1296-61-0x0000000000000000-mapping.dmp

Download
memory/1360-64-0x0000000000000000-mapping.dmp

Download
memory/1452-73-0x0000000000000000-mapping.dmp

Download
memory/1672-82-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp

Filesize
8KB

Download
memory/1764-81-0x0000000000000000-mapping.dmp

Download
memory/1840-66-0x0000000000000000-mapping.dmp

Download
memory/1860-75-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads