Overview

overview

10

Static

static

10

1d30dfa5d8...d6.dll

windows7-x64

10

1d30dfa5d8...d6.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    77s
  • max time network
    72s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    12-04-2023 01:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1d30dfa5d8f21d1465409b207115ded6.dll

  • Size

    948KB

  • MD5

    1d30dfa5d8f21d1465409b207115ded6

  • SHA1

    942fd7b4ef1ccf7032a40acad975c7b5905c3c77

  • SHA256

    ed0161f2a3337af5e27a84bea85fb4abe35654f5de22bcb8a503d537952b1e8a

  • SHA512

    743b9e97336b07e3fde5511328488db212b1d7fac73152cef6253ddee1da3ee9764919eb2672caa0ffa258c79d37044f478afa6040d19ab822fc850e374fc646

  • SSDEEP

    12288:Xk39Tm0nUOM1rlFZs4pw60ev9cdPw7lu73ATUUyLafJVtnMB8UltPh:CHUOM1hFZlZ9YPeu73AA6Jbne80

Score
10/10
golddragonbackdoorpersistencespywarestealer

Malware Config

Signatures

  • GoldDragon

    GoldDragon is a second-stage backdoor attributed to Kimsuky.

    backdoorgolddragon
  • GoldDragon 2021 Stage1 backdoor 3 IoCs

    Detect GoldDragon backdoor Stage 1.

    backdoor
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d30dfa5d8f21d1465409b207115ded6.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d30dfa5d8f21d1465409b207115ded6.dll,#1
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im daumcleaner.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1784
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im daumcleaner.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1488
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c ipconfig/all >>"C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat" & arp -a >>"C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1624
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /all
          4⤵
          • Gathers network information
          PID:1428
        • C:\Windows\SysWOW64\ARP.EXE
          arp -a
          4⤵
            PID:1356
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c systeminfo >>"C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1644
          • C:\Windows\SysWOW64\systeminfo.exe
            systeminfo
            4⤵
            • Gathers system information
            PID:1544
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c tasklist >>"C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:316
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:1508
        • C:\Windows\SysWOW64\svchost.exe
          "C:\Windows\system32\svchost.exe"
          3⤵
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of WriteProcessMemory
          PID:540
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c netstat -a >> "C:\Users\Admin\AppData\Roaming\wininit.db"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1256
            • C:\Windows\SysWOW64\NETSTAT.EXE
              netstat -a
              5⤵
              • Gathers network information
              • Suspicious use of AdjustPrivilegeToken
              PID:1128

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat
      Filesize

      1KB

      MD5

      9e8988596c530280bab24e170d906529

      SHA1

      924d438342d718246bc81d6f8bbc7ca7e2e77e91

      SHA256

      3faf98b0ec97f9e85921e51c7779a8456d47ec8581a715dddce0dc1819a68c34

      SHA512

      2796b528d1c29824bc5bfbef6d79ceebe61496cede6e9dd04fa6e3214a97804fd84d2f16be77d78d970279182cff4fa9f60b28259ddaf5d8d9544ed968e89e12

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat
      Filesize

      3KB

      MD5

      ba1516f7bf1c5c3f0de8fed24835f6f2

      SHA1

      cb68d4e16428894edaa7cd9d359135002a06efdc

      SHA256

      dd1532028055fd4da1e4cd1ea9640b80c0bb1b8c322a6dcb2714203b481188e9

      SHA512

      2087dfbeb2825436d8ff65f85f39a77af29684eeb6fa79d2de1cae7cb753c22fb52f4971899ce85b52f7abc640952d755998b832a96a4f81ef714c056993accc

      Download Submit

    • C:\Users\Admin\AppData\Roaming\wininit.db
      Filesize

      2KB

      MD5

      ef797e5b659816692452dff20b16da6e

      SHA1

      79ce7d202c7fec4ef2b3de3ad21478f9980a602f

      SHA256

      1323b29c1839fa2811bb24e97d5fd114d860565b5e611633f420ea2aebd76d29

      SHA512

      4c51a720afc1d673d92a570f42a77fbfa8cc1cc265e344c44e442a3d7ab71333b94194aa6923c8c0c5df90b90b8fdd5a771446d83961cf8fc61cbfd7faa263bb

      Download Submit

    • memory/540-70-0x0000000000080000-0x00000000000DA000-memory.dmp

      Filesize

      360KB

      Download

    • memory/540-68-0x0000000000080000-0x00000000000DA000-memory.dmp

      Filesize

      360KB

      Download

    • memory/540-69-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/540-72-0x0000000000080000-0x00000000000DA000-memory.dmp

      Filesize

      360KB

      Download

    • memory/540-73-0x0000000000080000-0x00000000000DA000-memory.dmp

      Filesize

      360KB

      Download

    • memory/540-74-0x0000000000080000-0x00000000000DA000-memory.dmp

      Filesize

      360KB

      Download

    • memory/1996-54-0x0000000010000000-0x00000000100F4000-memory.dmp

      Filesize

      976KB

      Download

    • memory/1996-58-0x0000000010000000-0x00000000100F4000-memory.dmp

      Filesize

      976KB

      Download

    • memory/1996-67-0x0000000010000000-0x00000000100F4000-memory.dmp

      Filesize

      976KB

      Download