Overview

overview

10

Static

static

1

0cc0aa5877...72.exe

windows7-x64

10

0cc0aa5877...72.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-04-2023 01:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0cc0aa5877cec9109b7a5a0e3a250c72.exe

  • Size

    513KB

  • MD5

    0cc0aa5877cec9109b7a5a0e3a250c72

  • SHA1

    1d49d462a11a00d8ac9608e49f055961bf79980d

  • SHA256

    1324acd1f720055e7941b39949116dfe72ce2e7792e70128f69e228eb48b0821

  • SHA512

    642b0d06755c78658c308167cf9e61a0e42bb792c61306c6f6976c5ebc51cbce1f795b534e4767e8106edc68bd58f16943c7acc0846cf1c67161c67c28746637

  • SSDEEP

    12288:B/P+NYgHizBSWMJ/17sM57k0+iQkB86PGjg:BO6gH8UJ/mMWkBCg

Score
10/10
golddragonbackdoorpersistencespywarestealer

Malware Config

Signatures

  • GoldDragon

    GoldDragon is a second-stage backdoor attributed to Kimsuky.

    backdoorgolddragon
  • GoldDragon 2021 Stage1 backdoor 2 IoCs

    Detect GoldDragon backdoor Stage 1.

    backdoor
  • GoldDragon 2021 Stage2 infostealer 5 IoCs

    Detect GoldDragon InfoStealer Stage 2.

    stealer
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0cc0aa5877cec9109b7a5a0e3a250c72.exe
    "C:\Users\Admin\AppData\Local\Temp\0cc0aa5877cec9109b7a5a0e3a250c72.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4356
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Roaming\Cleaner~.tmp" Run
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4428
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im daumcleaner.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2852
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im daumcleaner.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:544
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c ipconfig/all >>"C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_001.dat" & arp -a >>"C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_001.dat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4796
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /all
          4⤵
          • Gathers network information
          PID:4260
        • C:\Windows\SysWOW64\ARP.EXE
          arp -a
          4⤵
            PID:1832
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c systeminfo >>"C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_001.dat"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:460
          • C:\Windows\SysWOW64\systeminfo.exe
            systeminfo
            4⤵
            • Gathers system information
            PID:4916
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c tasklist >>"C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_001.dat"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:412
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:4496
        • C:\Windows\SysWOW64\svchost.exe
          "C:\Windows\system32\svchost.exe"
          3⤵
          • Suspicious behavior: GetForegroundWindowSpam
          PID:4608

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Cleaner~.tmp
      Filesize

      105.3MB

      MD5

      62c98a641aba1cb3cf79e575b2c981fd

      SHA1

      d4cebe534c1a195afb58e8cf0927c496e9cb5847

      SHA256

      11202d7879b31a257eb04ba49d93302b14d4089bac62d9669945c3e5a3b142a1

      SHA512

      5b64c74459861cef876519d7667fa4defd18254f8db33a58ec52630e1fd631a5d70bd23b96ec95ec0468e5bd88ed73df16daaf03bf1e6b0a2d7b4a69a8d42341

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Cleaner~.tmp
      Filesize

      105.3MB

      MD5

      62c98a641aba1cb3cf79e575b2c981fd

      SHA1

      d4cebe534c1a195afb58e8cf0927c496e9cb5847

      SHA256

      11202d7879b31a257eb04ba49d93302b14d4089bac62d9669945c3e5a3b142a1

      SHA512

      5b64c74459861cef876519d7667fa4defd18254f8db33a58ec52630e1fd631a5d70bd23b96ec95ec0468e5bd88ed73df16daaf03bf1e6b0a2d7b4a69a8d42341

      Download Submit

    • C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_001.dat
      Filesize

      1KB

      MD5

      54ebef922125183d792a0ad055953cae

      SHA1

      7d2c122d8690f7162fe450ffdf1b1031f559d9ed

      SHA256

      7d889d6d07c054abd0dae3bef79fe609830ddfb010a6e6729ea558b3abcf90fb

      SHA512

      7a94ca60c05a752ff80bc08e1b6fb71a2661ec94d943fc6940bce997470cf9acf4207d3488efc1a02425d5a79ff40bc2e53512cba9433bd253b3c9c390c16b3d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_001.dat
      Filesize

      3KB

      MD5

      a62cdc04ef7a22ba3d51541680cb112d

      SHA1

      aab3979a7ce4aa6a5d10570ed22c6308c82bd115

      SHA256

      39cf058edd39e8592f2c484e9e524b4972abdbcf63a0bee051f1e938970ab540

      SHA512

      df250daaf4bf3251e8c7623875a2c72a0a7493054e0bbbfe8b93d7bec79bdab7b34e9ea8524eebb1394eb0a704b6d10ff8521db582861105431f69c5994fc182

      Download Submit

    • memory/4608-149-0x0000000000610000-0x0000000000669000-memory.dmp

      Filesize

      356KB

      Download

    • memory/4608-150-0x0000000000610000-0x0000000000669000-memory.dmp

      Filesize

      356KB

      Download

    • memory/4608-151-0x0000000000610000-0x0000000000669000-memory.dmp

      Filesize

      356KB

      Download

    • memory/4608-152-0x0000000000610000-0x0000000000669000-memory.dmp

      Filesize

      356KB

      Download

    • memory/4608-153-0x0000000000610000-0x0000000000669000-memory.dmp

      Filesize

      356KB

      Download