golddragon | 63b4bd01f80d43576c279adf69a5582129e81cc4adbd03675909581643765ea8

Analysis

max time kernel
88s
max time network
78s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12-04-2023 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c066b81c4b8b0703f81f8bc6fb432992.dll
Size

272KB
MD5

c066b81c4b8b0703f81f8bc6fb432992
SHA1

2508f5ff0c28356c0c3f8e6cae7b750d53495bca
SHA256

63b4bd01f80d43576c279adf69a5582129e81cc4adbd03675909581643765ea8
SHA512

b0b847f1c0fe52b0c32af9a0708ac0c6584cb151d6640dbed61d7842bc7cfa70e7aca5e2d324677095ad416fe9fd14f73056ff01620f0f3919cf4d3c82bb6bc2
SSDEEP

6144:SrrUrTgMun07ApvXb3K9W9RqL6io/O64azPFyR1I6nGBvY:SrgPpa07Apj3+W9RqL4/hbFyIfY

Score

10^/10

golddragon backdoor vmprotect

Malware Config

Signatures

GoldDragon
GoldDragon is a second-stage backdoor attributed to Kimsuky.
backdoor golddragon

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	2000	rundll32.exe
5	2000	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
2036	desktop.exe

Loads dropped DLL 1 IoCs

pid	Process
2000	rundll32.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2000-54-0x0000000074F60000-0x0000000075064000-memory.dmp	vmprotect
behavioral1/memory/2000-64-0x0000000074F60000-0x0000000075064000-memory.dmp	vmprotect
behavioral1/memory/2000-72-0x0000000074F60000-0x0000000075064000-memory.dmp	vmprotect
behavioral1/memory/2000-80-0x0000000074F60000-0x0000000075064000-memory.dmp	vmprotect

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1756	tasklist.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1996	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2000	rundll32.exe
2036	desktop.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1756	tasklist.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2000	1712	rundll32.exe	28
PID 1712 wrote to memory of 2000	1712	rundll32.exe	28
PID 1712 wrote to memory of 2000	1712	rundll32.exe	28
PID 1712 wrote to memory of 2000	1712	rundll32.exe	28
PID 1712 wrote to memory of 2000	1712	rundll32.exe	28
PID 1712 wrote to memory of 2000	1712	rundll32.exe	28
PID 1712 wrote to memory of 2000	1712	rundll32.exe	28
PID 2000 wrote to memory of 2044	2000	rundll32.exe	29
PID 2000 wrote to memory of 2044	2000	rundll32.exe	29
PID 2000 wrote to memory of 2044	2000	rundll32.exe	29
PID 2000 wrote to memory of 2044	2000	rundll32.exe	29
PID 2044 wrote to memory of 1996	2044	cmd.exe	31
PID 2044 wrote to memory of 1996	2044	cmd.exe	31
PID 2044 wrote to memory of 1996	2044	cmd.exe	31
PID 2044 wrote to memory of 1996	2044	cmd.exe	31
PID 2000 wrote to memory of 1628	2000	rundll32.exe	32
PID 2000 wrote to memory of 1628	2000	rundll32.exe	32
PID 2000 wrote to memory of 1628	2000	rundll32.exe	32
PID 2000 wrote to memory of 1628	2000	rundll32.exe	32
PID 2000 wrote to memory of 532	2000	rundll32.exe	34
PID 2000 wrote to memory of 532	2000	rundll32.exe	34
PID 2000 wrote to memory of 532	2000	rundll32.exe	34
PID 2000 wrote to memory of 532	2000	rundll32.exe	34
PID 2000 wrote to memory of 1852	2000	rundll32.exe	36
PID 2000 wrote to memory of 1852	2000	rundll32.exe	36
PID 2000 wrote to memory of 1852	2000	rundll32.exe	36
PID 2000 wrote to memory of 1852	2000	rundll32.exe	36
PID 1852 wrote to memory of 1756	1852	cmd.exe	38
PID 1852 wrote to memory of 1756	1852	cmd.exe	38
PID 1852 wrote to memory of 1756	1852	cmd.exe	38
PID 1852 wrote to memory of 1756	1852	cmd.exe	38
PID 2000 wrote to memory of 672	2000	rundll32.exe	40
PID 2000 wrote to memory of 672	2000	rundll32.exe	40
PID 2000 wrote to memory of 672	2000	rundll32.exe	40
PID 2000 wrote to memory of 672	2000	rundll32.exe	40
PID 2000 wrote to memory of 1420	2000	rundll32.exe	42
PID 2000 wrote to memory of 1420	2000	rundll32.exe	42
PID 2000 wrote to memory of 1420	2000	rundll32.exe	42
PID 2000 wrote to memory of 1420	2000	rundll32.exe	42
PID 2000 wrote to memory of 328	2000	rundll32.exe	44
PID 2000 wrote to memory of 328	2000	rundll32.exe	44
PID 2000 wrote to memory of 328	2000	rundll32.exe	44
PID 2000 wrote to memory of 328	2000	rundll32.exe	44
PID 2000 wrote to memory of 940	2000	rundll32.exe	46
PID 2000 wrote to memory of 940	2000	rundll32.exe	46
PID 2000 wrote to memory of 940	2000	rundll32.exe	46
PID 2000 wrote to memory of 940	2000	rundll32.exe	46
PID 2000 wrote to memory of 552	2000	rundll32.exe	48
PID 2000 wrote to memory of 552	2000	rundll32.exe	48
PID 2000 wrote to memory of 552	2000	rundll32.exe	48
PID 2000 wrote to memory of 552	2000	rundll32.exe	48
PID 2000 wrote to memory of 1872	2000	rundll32.exe	50
PID 2000 wrote to memory of 1872	2000	rundll32.exe	50
PID 2000 wrote to memory of 1872	2000	rundll32.exe	50
PID 2000 wrote to memory of 1872	2000	rundll32.exe	50
PID 2000 wrote to memory of 1920	2000	rundll32.exe	52
PID 2000 wrote to memory of 1920	2000	rundll32.exe	52
PID 2000 wrote to memory of 1920	2000	rundll32.exe	52
PID 2000 wrote to memory of 1920	2000	rundll32.exe	52
PID 2000 wrote to memory of 2036	2000	rundll32.exe	56
PID 2000 wrote to memory of 2036	2000	rundll32.exe	56
PID 2000 wrote to memory of 2036	2000	rundll32.exe	56
PID 2000 wrote to memory of 2036	2000	rundll32.exe	56

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c066b81c4b8b0703f81f8bc6fb432992.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c066b81c4b8b0703f81f8bc6fb432992.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ipconfig/all >> "C:\Users\%USERNAME%\appdata\Roaming\info.ini"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:1996
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c dir "c:\program files" >> "C:\Users\%USERNAME%\appdata\Roaming\info.ini"
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c dir "c:\program files (x86)" >> "C:\Users\%USERNAME%\appdata\Roaming\info.ini"
    3⤵
    PID:532
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c tasklist >> "C:\Users\%USERNAME%\appdata\Roaming\info.ini"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1756
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\11.0\Word\Security" /v VBAWarnings /t reg_dword /d 1 /f
    3⤵
    PID:672
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\12.0\Word\Security" /v VBAWarnings /t reg_dword /d 1 /f
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\14.0\Word\Security" /v VBAWarnings /t reg_dword /d 1 /f
    3⤵
    PID:328
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Security" /v VBAWarnings /t reg_dword /d 1 /f
    3⤵
    PID:940
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Security" /v VBAWarnings /t reg_dword /d 1 /f
    3⤵
    PID:552
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\17.0\Word\Security" /v VBAWarnings /t reg_dword /d 1 /f
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\18.0\Word\Security" /v VBAWarnings /t reg_dword /d 1 /f
    3⤵
    PID:1920
- - C:\Users\Admin\AppData\Roaming\desktop.exe
    C:\Users\Admin\AppData\Roaming\desktop.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\desktop.exe

Filesize
164KB

MD5
09f31e68d0d8993ca42697e0224c44b2

SHA1
7d58313e2fa7081c514c8e6f13173975f4c4ee3a

SHA256
0ff4a0d1f75ceb319cf0cbe129b37fa345ba36262cccadc43645bb1058637eb4

SHA512
a69c8ddab9d9718c0a0e9bc827bffc6b0459d5ebef02f9c6e9b1da3badd2cd28a1fbc4a081513ad0296dada98902487af2600bb926186ec594ee560bd8e46447

Download Submit
C:\Users\Admin\AppData\Roaming\info.ini

Filesize
8KB

MD5
a625dc9748ad90168bb8703cbb9e7218

SHA1
d969b10ea37e8b3a5d1ceea61f5bda6135620a5d

SHA256
440e2ae35d7fd323b7592671cdf94def0ff49ae1bc4da0abae5bb5aa744910ea

SHA512
5b890eb2c7259ea59dac82fd02587055549e3471b35d0f94cb0218079214ffe017a701cee375933249ba09df74032166d8895bb32080b058d8a507d954261617

Download Submit
C:\Users\Admin\AppData\Roaming\info.ini

Filesize
8KB

MD5
f207ad69d8acb40013e60daab1707e5a

SHA1
8870d9458f6c13b9d1ee2cfce4463d79e2766ccb

SHA256
4be4c726e1457ca3dbbf8bafc1bdf9c8e5e3d29e4857217b00bf3be5b9645fb4

SHA512
44f09c891578e7248060225e584d02ce5bf00f2f478d69b3f61996474af5bbe322669ce1f90c1d92e0e823b1894bda6727637a1b8e963b027d8957600fc86d69

Download Submit
C:\Users\Admin\appdata\Roaming\info.ini

Filesize
4KB

MD5
31f44640fc0435e1986ea7bedaea3c3c

SHA1
1e44ac0b561b9a21df0b54515379269ba9a0a688

SHA256
0d0874dcfeefbbbd8b4f1496b4572bbfd7383eaf0b7b4aeb8002510820d34a6c

SHA512
d23a45b136d077cdc3aed15d55323ebff0b975b6683988e9995d4fce14a0555114754504099457b1468d8925552622cc638dd37a4ab240cf139d9e56f18d4ed2

Download Submit
C:\Users\Admin\appdata\Roaming\info.ini

Filesize
5KB

MD5
33854b1833443cc8eeba15358632ebdb

SHA1
976ba90b7aaff509cee91e7eb303bba222f6b618

SHA256
a41e9f2775805f7ef37420c59ece60325001282abf264e998ecf65dc3406b6be

SHA512
13574141adf8d4f723672270226db134330d7275107c1e6554f14e41d5e6ee0ea52d0ab3cc64c5dcf8a56a3e34568b39499edf45b74b50baf79204ca951424fa

Download Submit
C:\Users\Admin\appdata\Roaming\info.ini

Filesize
5KB

MD5
33854b1833443cc8eeba15358632ebdb

SHA1
976ba90b7aaff509cee91e7eb303bba222f6b618

SHA256
a41e9f2775805f7ef37420c59ece60325001282abf264e998ecf65dc3406b6be

SHA512
13574141adf8d4f723672270226db134330d7275107c1e6554f14e41d5e6ee0ea52d0ab3cc64c5dcf8a56a3e34568b39499edf45b74b50baf79204ca951424fa

Download Submit
\Users\Admin\AppData\Roaming\desktop.exe

Filesize
164KB

MD5
09f31e68d0d8993ca42697e0224c44b2

SHA1
7d58313e2fa7081c514c8e6f13173975f4c4ee3a

SHA256
0ff4a0d1f75ceb319cf0cbe129b37fa345ba36262cccadc43645bb1058637eb4

SHA512
a69c8ddab9d9718c0a0e9bc827bffc6b0459d5ebef02f9c6e9b1da3badd2cd28a1fbc4a081513ad0296dada98902487af2600bb926186ec594ee560bd8e46447

Download Submit
memory/2000-65-0x0000000075070000-0x0000000075174000-memory.dmp

Filesize
1.0MB

Download
memory/2000-64-0x0000000074F60000-0x0000000075064000-memory.dmp

Filesize
1.0MB

Download
memory/2000-71-0x0000000075070000-0x0000000075174000-memory.dmp

Filesize
1.0MB

Download
memory/2000-72-0x0000000074F60000-0x0000000075064000-memory.dmp

Filesize
1.0MB

Download
memory/2000-73-0x0000000075070000-0x0000000075174000-memory.dmp

Filesize
1.0MB

Download
memory/2000-54-0x0000000074F60000-0x0000000075064000-memory.dmp

Filesize
1.0MB

Download
memory/2000-79-0x0000000075070000-0x00000000750AC000-memory.dmp

Filesize
240KB

Download
memory/2000-80-0x0000000074F60000-0x0000000075064000-memory.dmp

Filesize
1.0MB

Download