golddragon | ed0161f2a3337af5e27a84bea85fb4abe35654f5de22bcb8a503d537952b1e8a

General

Target

1d30dfa5d8f21d1465409b207115ded6.dll
Size

948KB
MD5

1d30dfa5d8f21d1465409b207115ded6
SHA1

942fd7b4ef1ccf7032a40acad975c7b5905c3c77
SHA256

ed0161f2a3337af5e27a84bea85fb4abe35654f5de22bcb8a503d537952b1e8a
SHA512

743b9e97336b07e3fde5511328488db212b1d7fac73152cef6253ddee1da3ee9764919eb2672caa0ffa258c79d37044f478afa6040d19ab822fc850e374fc646
SSDEEP

12288:Xk39Tm0nUOM1rlFZs4pw60ev9cdPw7lu73ATUUyLafJVtnMB8UltPh:CHUOM1hFZlZ9YPeu73AA6Jbne80

Score

10^/10

golddragon backdoor persistence spyware stealer

Malware Config

Signatures

GoldDragon
GoldDragon is a second-stage backdoor attributed to Kimsuky.
backdoor golddragon

GoldDragon 2021 Stage1 backdoor 3 IoCs

Detect GoldDragon backdoor Stage 1.

backdoor

Processes:

resource	yara_rule
behavioral1/memory/1996-54-0x0000000010000000-0x00000000100F4000-memory.dmp	golddragon_stage1
behavioral1/memory/1996-58-0x0000000010000000-0x00000000100F4000-memory.dmp	golddragon_stage1
behavioral1/memory/1996-67-0x0000000010000000-0x00000000100F4000-memory.dmp	golddragon_stage1

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\schedule = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\exts\\hmmapi.dll\" Run"	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1996 set thread context of 540 1996 rundll32.exe svchost.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1508 tasklist.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXEipconfig.exe

pid process

1128 NETSTAT.EXE
1428 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1544 systeminfo.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1488 taskkill.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid process

540 svchost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exetasklist.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 1488 taskkill.exe
Token: SeDebugPrivilege 1508 tasklist.exe
Token: SeDebugPrivilege 1128 NETSTAT.EXE

description	pid	process	target process
PID 1996 set thread context of 540	1996	rundll32.exe	svchost.exe

pid	process
1508	tasklist.exe

pid	process
1128	NETSTAT.EXE
1428	ipconfig.exe

pid	process
1544	systeminfo.exe

pid	process
1488	taskkill.exe

pid	process
540	svchost.exe

description	pid	process
Token: SeDebugPrivilege	1488	taskkill.exe
Token: SeDebugPrivilege	1508	tasklist.exe
Token: SeDebugPrivilege	1128	NETSTAT.EXE

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

rundll32.exerundll32.execmd.execmd.execmd.execmd.exesvchost.execmd.exe

description	pid	process	target process
PID 2008 wrote to memory of 1996	2008	rundll32.exe	rundll32.exe
PID 2008 wrote to memory of 1996	2008	rundll32.exe	rundll32.exe
PID 2008 wrote to memory of 1996	2008	rundll32.exe	rundll32.exe
PID 2008 wrote to memory of 1996	2008	rundll32.exe	rundll32.exe
PID 2008 wrote to memory of 1996	2008	rundll32.exe	rundll32.exe
PID 2008 wrote to memory of 1996	2008	rundll32.exe	rundll32.exe
PID 2008 wrote to memory of 1996	2008	rundll32.exe	rundll32.exe
PID 1996 wrote to memory of 1784	1996	rundll32.exe	cmd.exe
PID 1996 wrote to memory of 1784	1996	rundll32.exe	cmd.exe
PID 1996 wrote to memory of 1784	1996	rundll32.exe	cmd.exe
PID 1996 wrote to memory of 1784	1996	rundll32.exe	cmd.exe
PID 1784 wrote to memory of 1488	1784	cmd.exe	taskkill.exe
PID 1784 wrote to memory of 1488	1784	cmd.exe	taskkill.exe
PID 1784 wrote to memory of 1488	1784	cmd.exe	taskkill.exe
PID 1784 wrote to memory of 1488	1784	cmd.exe	taskkill.exe
PID 1996 wrote to memory of 1624	1996	rundll32.exe	cmd.exe
PID 1996 wrote to memory of 1624	1996	rundll32.exe	cmd.exe
PID 1996 wrote to memory of 1624	1996	rundll32.exe	cmd.exe
PID 1996 wrote to memory of 1624	1996	rundll32.exe	cmd.exe
PID 1624 wrote to memory of 1428	1624	cmd.exe	ipconfig.exe
PID 1624 wrote to memory of 1428	1624	cmd.exe	ipconfig.exe
PID 1624 wrote to memory of 1428	1624	cmd.exe	ipconfig.exe
PID 1624 wrote to memory of 1428	1624	cmd.exe	ipconfig.exe
PID 1624 wrote to memory of 1356	1624	cmd.exe	ARP.EXE
PID 1624 wrote to memory of 1356	1624	cmd.exe	ARP.EXE
PID 1624 wrote to memory of 1356	1624	cmd.exe	ARP.EXE
PID 1624 wrote to memory of 1356	1624	cmd.exe	ARP.EXE
PID 1996 wrote to memory of 1644	1996	rundll32.exe	cmd.exe
PID 1996 wrote to memory of 1644	1996	rundll32.exe	cmd.exe
PID 1996 wrote to memory of 1644	1996	rundll32.exe	cmd.exe
PID 1996 wrote to memory of 1644	1996	rundll32.exe	cmd.exe
PID 1644 wrote to memory of 1544	1644	cmd.exe	systeminfo.exe
PID 1644 wrote to memory of 1544	1644	cmd.exe	systeminfo.exe
PID 1644 wrote to memory of 1544	1644	cmd.exe	systeminfo.exe
PID 1644 wrote to memory of 1544	1644	cmd.exe	systeminfo.exe
PID 1996 wrote to memory of 316	1996	rundll32.exe	cmd.exe
PID 1996 wrote to memory of 316	1996	rundll32.exe	cmd.exe
PID 1996 wrote to memory of 316	1996	rundll32.exe	cmd.exe
PID 1996 wrote to memory of 316	1996	rundll32.exe	cmd.exe
PID 316 wrote to memory of 1508	316	cmd.exe	tasklist.exe
PID 316 wrote to memory of 1508	316	cmd.exe	tasklist.exe
PID 316 wrote to memory of 1508	316	cmd.exe	tasklist.exe
PID 316 wrote to memory of 1508	316	cmd.exe	tasklist.exe
PID 1996 wrote to memory of 540	1996	rundll32.exe	svchost.exe
PID 1996 wrote to memory of 540	1996	rundll32.exe	svchost.exe
PID 1996 wrote to memory of 540	1996	rundll32.exe	svchost.exe
PID 1996 wrote to memory of 540	1996	rundll32.exe	svchost.exe
PID 1996 wrote to memory of 540	1996	rundll32.exe	svchost.exe
PID 1996 wrote to memory of 540	1996	rundll32.exe	svchost.exe
PID 540 wrote to memory of 1256	540	svchost.exe	cmd.exe
PID 540 wrote to memory of 1256	540	svchost.exe	cmd.exe
PID 540 wrote to memory of 1256	540	svchost.exe	cmd.exe
PID 540 wrote to memory of 1256	540	svchost.exe	cmd.exe
PID 1256 wrote to memory of 1128	1256	cmd.exe	NETSTAT.EXE
PID 1256 wrote to memory of 1128	1256	cmd.exe	NETSTAT.EXE
PID 1256 wrote to memory of 1128	1256	cmd.exe	NETSTAT.EXE
PID 1256 wrote to memory of 1128	1256	cmd.exe	NETSTAT.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d30dfa5d8f21d1465409b207115ded6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d30dfa5d8f21d1465409b207115ded6.dll,#1
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im daumcleaner.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im daumcleaner.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ipconfig/all >>"C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat" & arp -a >>"C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:1428
  - - C:\Windows\SysWOW64\ARP.EXE
      arp -a
      4⤵
      PID:1356
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c systeminfo >>"C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1544
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c tasklist >>"C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1508
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c netstat -a >> "C:\Users\Admin\AppData\Roaming\wininit.db"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1256
    - - C:\Windows\SysWOW64\NETSTAT.EXE
        
        netstat -a
        5⤵
        Gathers network information
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Process Discovery

1

T1057

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat

Filesize
1KB

MD5
9e8988596c530280bab24e170d906529

SHA1
924d438342d718246bc81d6f8bbc7ca7e2e77e91

SHA256
3faf98b0ec97f9e85921e51c7779a8456d47ec8581a715dddce0dc1819a68c34

SHA512
2796b528d1c29824bc5bfbef6d79ceebe61496cede6e9dd04fa6e3214a97804fd84d2f16be77d78d970279182cff4fa9f60b28259ddaf5d8d9544ed968e89e12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat

Filesize
3KB

MD5
ba1516f7bf1c5c3f0de8fed24835f6f2

SHA1
cb68d4e16428894edaa7cd9d359135002a06efdc

SHA256
dd1532028055fd4da1e4cd1ea9640b80c0bb1b8c322a6dcb2714203b481188e9

SHA512
2087dfbeb2825436d8ff65f85f39a77af29684eeb6fa79d2de1cae7cb753c22fb52f4971899ce85b52f7abc640952d755998b832a96a4f81ef714c056993accc

Download Submit
C:\Users\Admin\AppData\Roaming\wininit.db

Filesize
2KB

MD5
ef797e5b659816692452dff20b16da6e

SHA1
79ce7d202c7fec4ef2b3de3ad21478f9980a602f

SHA256
1323b29c1839fa2811bb24e97d5fd114d860565b5e611633f420ea2aebd76d29

SHA512
4c51a720afc1d673d92a570f42a77fbfa8cc1cc265e344c44e442a3d7ab71333b94194aa6923c8c0c5df90b90b8fdd5a771446d83961cf8fc61cbfd7faa263bb

Download Submit
memory/540-70-0x0000000000080000-0x00000000000DA000-memory.dmp

Filesize
360KB

Download
memory/540-68-0x0000000000080000-0x00000000000DA000-memory.dmp

Filesize
360KB

Download
memory/540-69-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/540-72-0x0000000000080000-0x00000000000DA000-memory.dmp

Filesize
360KB

Download
memory/540-73-0x0000000000080000-0x00000000000DA000-memory.dmp

Filesize
360KB

Download
memory/540-74-0x0000000000080000-0x00000000000DA000-memory.dmp

Filesize
360KB

Download
memory/1996-54-0x0000000010000000-0x00000000100F4000-memory.dmp

Filesize
976KB

Download
memory/1996-58-0x0000000010000000-0x00000000100F4000-memory.dmp

Filesize
976KB

Download
memory/1996-67-0x0000000010000000-0x00000000100F4000-memory.dmp

Filesize
976KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads