golddragon | ed0161f2a3337af5e27a84bea85fb4abe35654f5de22bcb8a503d537952b1e8a

General

Target

1d30dfa5d8f21d1465409b207115ded6.dll
Size

948KB
MD5

1d30dfa5d8f21d1465409b207115ded6
SHA1

942fd7b4ef1ccf7032a40acad975c7b5905c3c77
SHA256

ed0161f2a3337af5e27a84bea85fb4abe35654f5de22bcb8a503d537952b1e8a
SHA512

743b9e97336b07e3fde5511328488db212b1d7fac73152cef6253ddee1da3ee9764919eb2672caa0ffa258c79d37044f478afa6040d19ab822fc850e374fc646
SSDEEP

12288:Xk39Tm0nUOM1rlFZs4pw60ev9cdPw7lu73ATUUyLafJVtnMB8UltPh:CHUOM1hFZlZ9YPeu73AA6Jbne80

Score

10^/10

golddragon backdoor persistence spyware stealer

Malware Config

Signatures

GoldDragon
GoldDragon is a second-stage backdoor attributed to Kimsuky.
backdoor golddragon

GoldDragon 2021 Stage1 backdoor 3 IoCs

Detect GoldDragon backdoor Stage 1.

backdoor

Processes:

resource	yara_rule
behavioral2/memory/696-133-0x0000000010000000-0x00000000100F4000-memory.dmp	golddragon_stage1
behavioral2/memory/696-134-0x0000000010000000-0x00000000100F4000-memory.dmp	golddragon_stage1
behavioral2/memory/696-139-0x0000000010000000-0x00000000100F4000-memory.dmp	golddragon_stage1

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\schedule = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\exts\\hmmapi.dll\" Run"	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 696 set thread context of 4396 696 rundll32.exe svchost.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2456 tasklist.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeNETSTAT.EXE

pid process

1464 ipconfig.exe
1324 NETSTAT.EXE
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1852 systeminfo.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3556 taskkill.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid process

4396 svchost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exetasklist.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 3556 taskkill.exe
Token: SeDebugPrivilege 2456 tasklist.exe
Token: SeDebugPrivilege 1324 NETSTAT.EXE

description	pid	process	target process
PID 696 set thread context of 4396	696	rundll32.exe	svchost.exe

pid	process
2456	tasklist.exe

pid	process
1464	ipconfig.exe
1324	NETSTAT.EXE

pid	process
1852	systeminfo.exe

pid	process
3556	taskkill.exe

pid	process
4396	svchost.exe

description	pid	process
Token: SeDebugPrivilege	3556	taskkill.exe
Token: SeDebugPrivilege	2456	tasklist.exe
Token: SeDebugPrivilege	1324	NETSTAT.EXE

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

rundll32.exerundll32.execmd.execmd.execmd.execmd.exesvchost.execmd.exe

description	pid	process	target process
PID 4380 wrote to memory of 696	4380	rundll32.exe	rundll32.exe
PID 4380 wrote to memory of 696	4380	rundll32.exe	rundll32.exe
PID 4380 wrote to memory of 696	4380	rundll32.exe	rundll32.exe
PID 696 wrote to memory of 832	696	rundll32.exe	cmd.exe
PID 696 wrote to memory of 832	696	rundll32.exe	cmd.exe
PID 696 wrote to memory of 832	696	rundll32.exe	cmd.exe
PID 832 wrote to memory of 3556	832	cmd.exe	taskkill.exe
PID 832 wrote to memory of 3556	832	cmd.exe	taskkill.exe
PID 832 wrote to memory of 3556	832	cmd.exe	taskkill.exe
PID 696 wrote to memory of 5100	696	rundll32.exe	cmd.exe
PID 696 wrote to memory of 5100	696	rundll32.exe	cmd.exe
PID 696 wrote to memory of 5100	696	rundll32.exe	cmd.exe
PID 5100 wrote to memory of 1464	5100	cmd.exe	ipconfig.exe
PID 5100 wrote to memory of 1464	5100	cmd.exe	ipconfig.exe
PID 5100 wrote to memory of 1464	5100	cmd.exe	ipconfig.exe
PID 5100 wrote to memory of 3468	5100	cmd.exe	ARP.EXE
PID 5100 wrote to memory of 3468	5100	cmd.exe	ARP.EXE
PID 5100 wrote to memory of 3468	5100	cmd.exe	ARP.EXE
PID 696 wrote to memory of 4344	696	rundll32.exe	cmd.exe
PID 696 wrote to memory of 4344	696	rundll32.exe	cmd.exe
PID 696 wrote to memory of 4344	696	rundll32.exe	cmd.exe
PID 4344 wrote to memory of 1852	4344	cmd.exe	systeminfo.exe
PID 4344 wrote to memory of 1852	4344	cmd.exe	systeminfo.exe
PID 4344 wrote to memory of 1852	4344	cmd.exe	systeminfo.exe
PID 696 wrote to memory of 428	696	rundll32.exe	cmd.exe
PID 696 wrote to memory of 428	696	rundll32.exe	cmd.exe
PID 696 wrote to memory of 428	696	rundll32.exe	cmd.exe
PID 428 wrote to memory of 2456	428	cmd.exe	tasklist.exe
PID 428 wrote to memory of 2456	428	cmd.exe	tasklist.exe
PID 428 wrote to memory of 2456	428	cmd.exe	tasklist.exe
PID 696 wrote to memory of 4396	696	rundll32.exe	svchost.exe
PID 696 wrote to memory of 4396	696	rundll32.exe	svchost.exe
PID 696 wrote to memory of 4396	696	rundll32.exe	svchost.exe
PID 696 wrote to memory of 4396	696	rundll32.exe	svchost.exe
PID 696 wrote to memory of 4396	696	rundll32.exe	svchost.exe
PID 4396 wrote to memory of 884	4396	svchost.exe	cmd.exe
PID 4396 wrote to memory of 884	4396	svchost.exe	cmd.exe
PID 4396 wrote to memory of 884	4396	svchost.exe	cmd.exe
PID 884 wrote to memory of 1324	884	cmd.exe	NETSTAT.EXE
PID 884 wrote to memory of 1324	884	cmd.exe	NETSTAT.EXE
PID 884 wrote to memory of 1324	884	cmd.exe	NETSTAT.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d30dfa5d8f21d1465409b207115ded6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d30dfa5d8f21d1465409b207115ded6.dll,#1
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:696
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im daumcleaner.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im daumcleaner.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3556
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ipconfig/all >>"C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat" & arp -a >>"C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:1464
  - - C:\Windows\SysWOW64\ARP.EXE
      arp -a
      4⤵
      PID:3468
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c systeminfo >>"C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4344
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1852
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c tasklist >>"C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:428
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2456
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:4396
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c netstat -a >> "C:\Users\Admin\AppData\Roaming\wininit.db"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:884
    - - C:\Windows\SysWOW64\NETSTAT.EXE
        
        netstat -a
        5⤵
        Gathers network information
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Process Discovery

1

T1057

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat

Filesize
1KB

MD5
b7c4ba7016d48eb3d5abe1d0dbc657c6

SHA1
211c0eaad26c5a344588f8274d357f0d68518b0c

SHA256
4eb14ee88607b71c44bd1f2954e66a812430d714d1a69c78a9355e09869e9331

SHA512
ee5470e04c85e9e97e91cd2551035268b5b8139a6af0a89f5ffc204c0cdf11b866179afd6df030d9c7f4a2b258c1e0b0874e683394822b9ea32d47745bc86ad2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\pubs\PI_001.dat

Filesize
3KB

MD5
ade96cfcd404060e2e1202dbfdd2dbf3

SHA1
5b3cf3397f1fe9f6a80b42a46dd4cc8e6ca319c9

SHA256
52ea3585a49f51b152b9cd51e91fa1ae0e9bca3089fcbd3df589cee8a9fa3df4

SHA512
75f2ef9283c6e26794da136203cd78fb960acc7428a1a945d03de7435a4748f17495fa536fe041728ac1804022c560dbf2b22fc6d329ffa7ebca14e35fd917e6

Download Submit
C:\Users\Admin\AppData\Roaming\wininit.db

Filesize
4KB

MD5
66bdba3977fa47fd7281e9f28af1a45a

SHA1
efeaa5bd8b434bd377c3dd34a4ca8101487aae0f

SHA256
78bb7acf1cb08e0578f3101522d792f70561ee973c2d7c2690e477188ae6c31a

SHA512
0a8fb02cfe1c1663b77ee9f4bdb10709d26582ec231dd2da7a70c7fcb73d010be0adcfd90c10b2398af938d83add1e3e349e80f61fe8785d40399f6e0260ceec

Download Submit
memory/696-133-0x0000000010000000-0x00000000100F4000-memory.dmp

Filesize
976KB

Download
memory/696-134-0x0000000010000000-0x00000000100F4000-memory.dmp

Filesize
976KB

Download
memory/696-139-0x0000000010000000-0x00000000100F4000-memory.dmp

Filesize
976KB

Download
memory/4396-147-0x0000000000390000-0x00000000003EA000-memory.dmp

Filesize
360KB

Download
memory/4396-148-0x0000000000390000-0x00000000003EA000-memory.dmp

Filesize
360KB

Download
memory/4396-149-0x0000000000390000-0x00000000003EA000-memory.dmp

Filesize
360KB

Download
memory/4396-150-0x0000000000390000-0x00000000003EA000-memory.dmp

Filesize
360KB

Download
memory/4396-151-0x0000000000390000-0x00000000003EA000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads