golddragon | 873b8fb97b4b0c6d7992f6af15653295788526def41f337c651dc64e8e4aeebd

Analysis

max time kernel
28s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12-04-2023 01:49

Target

2c530adb841114366ce6177ce964a5e6.dll
Size

223KB
MD5

2c530adb841114366ce6177ce964a5e6
SHA1

5b69e3e5f4f49cf8b635a57a8c92e17a4f130d50
SHA256

873b8fb97b4b0c6d7992f6af15653295788526def41f337c651dc64e8e4aeebd
SHA512

002ba1e7b6a1a250678bfe63ae8de106606bc540ab10d69abdb0b4f87e72c79f91cc7890f6e649226cef9d2fec3f5c5176c254e726ce6eaf3dc9d73b12408c65
SSDEEP

6144:8L7OMNsdhZlmRDbwE0GCT7rxrvxWYcJM/x:8+M2djEJQr1Y7

Score

10^/10

GoldDragon
GoldDragon is a second-stage backdoor attributed to Kimsuky.
backdoor golddragon

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1300 set thread context of 1124	1300	rundll32.exe	29

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 1300	1344	rundll32.exe	28
PID 1344 wrote to memory of 1300	1344	rundll32.exe	28
PID 1344 wrote to memory of 1300	1344	rundll32.exe	28
PID 1344 wrote to memory of 1300	1344	rundll32.exe	28
PID 1344 wrote to memory of 1300	1344	rundll32.exe	28
PID 1344 wrote to memory of 1300	1344	rundll32.exe	28
PID 1344 wrote to memory of 1300	1344	rundll32.exe	28
PID 1300 wrote to memory of 1124	1300	rundll32.exe	29
PID 1300 wrote to memory of 1124	1300	rundll32.exe	29
PID 1300 wrote to memory of 1124	1300	rundll32.exe	29
PID 1300 wrote to memory of 1124	1300	rundll32.exe	29
PID 1300 wrote to memory of 1124	1300	rundll32.exe	29
PID 1300 wrote to memory of 1124	1300	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c530adb841114366ce6177ce964a5e6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c530adb841114366ce6177ce964a5e6.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:1124

memory/1124-54-0x0000000000080000-0x00000000000A4000-memory.dmp

Filesize
144KB

Download