Analysis

  • max time kernel
    132s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20230221-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    12-04-2023 04:13

General

  • Target

    c066b81c4b8b0703f81f8bc6fb432992.dll

  • Size

    272KB

  • MD5

    c066b81c4b8b0703f81f8bc6fb432992

  • SHA1

    2508f5ff0c28356c0c3f8e6cae7b750d53495bca

  • SHA256

    63b4bd01f80d43576c279adf69a5582129e81cc4adbd03675909581643765ea8

  • SHA512

    b0b847f1c0fe52b0c32af9a0708ac0c6584cb151d6640dbed61d7842bc7cfa70e7aca5e2d324677095ad416fe9fd14f73056ff01620f0f3919cf4d3c82bb6bc2

  • SSDEEP

    6144:SrrUrTgMun07ApvXb3K9W9RqL6io/O64azPFyR1I6nGBvY:SrgPpa07Apj3+W9RqL4/hbFyIfY

Malware Config

Signatures

  • GoldDragon

    GoldDragon is a second-stage backdoor attributed to Kimsuky.

  • Blocklisted process makes network request 3 IoCs
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Checks system information in the registry 2 TTPs 1 IoCs

    System information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c066b81c4b8b0703f81f8bc6fb432992.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4716
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\c066b81c4b8b0703f81f8bc6fb432992.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Checks system information in the registry
      • Suspicious use of WriteProcessMemory
      PID:4696
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c ipconfig/all >> "C:\Users\%USERNAME%\appdata\Roaming\info.ini"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2688
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /all
          4⤵
          • Gathers network information
          PID:1268
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c dir "c:\program files" >> "C:\Users\%USERNAME%\appdata\Roaming\info.ini"
        3⤵
        PID:5088
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c dir "c:\program files (x86)" >> "C:\Users\%USERNAME%\appdata\Roaming\info.ini"
        3⤵
        PID:3508
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c tasklist >> "C:\Users\%USERNAME%\appdata\Roaming\info.ini"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1384
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1156
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\SOFTWARE\Microsoft\Office\11.0\Word\Security" /v VBAWarnings /t reg_dword /d 1 /f
        3⤵
        PID:4788
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\SOFTWARE\Microsoft\Office\12.0\Word\Security" /v VBAWarnings /t reg_dword /d 1 /f
        3⤵
        PID:1904
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\SOFTWARE\Microsoft\Office\14.0\Word\Security" /v VBAWarnings /t reg_dword /d 1 /f
        3⤵
        PID:3724
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Security" /v VBAWarnings /t reg_dword /d 1 /f
        3⤵
        PID:3592
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Security" /v VBAWarnings /t reg_dword /d 1 /f
        3⤵
        PID:4324
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\SOFTWARE\Microsoft\Office\17.0\Word\Security" /v VBAWarnings /t reg_dword /d 1 /f
        3⤵
        PID:4944
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\SOFTWARE\Microsoft\Office\18.0\Word\Security" /v VBAWarnings /t reg_dword /d 1 /f
        3⤵
        PID:2500

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\info.ini

    Filesize

    11KB

    MD5

    8d48e32a1d05f7de53578c243c15bc4d

    SHA1

    8d83bfd83657a63f12ced3ac12dc0a7bfcf4b0cb

    SHA256

    c362165eb0fd028f3b8218e93e7a8568b9462c3e08ae3a0f7470471ba18bb7a9

    SHA512

    41d8708345f1e4206ca5221c5b209844585c13fad1096fc53bdbc38e9cf7fe69439e57bbc7a59533cc76975dc2ba12f2e5c5d2ae09f5567eb51a84c54a2645ca

  • C:\Users\Admin\appdata\Roaming\info.ini

    Filesize

    3KB

    MD5

    4c99cc8d749aab0ea5210dd780238ba3

    SHA1

    49e4789566155e5b0210f1304b45f0ce61f0df70

    SHA256

    4a39a0ff98346047f9a604b7fedb6ba11eb32a1e860506cf0838a77ee871b3eb

    SHA512

    c1609dbf106e7e54309eb8eb0e156b7c77fbae83d577a4f518a2025c51c4c737c9e47ed9e4adfd23155a8ed256db2f6a12160b7db241ade2b0e9660048223d1b

  • C:\Users\Admin\appdata\Roaming\info.ini

    Filesize

    4KB

    MD5

    f1dcd50901a0df885bcad291d362804e

    SHA1

    b482741be9f01f7e3e07388707ce27ac772164a6

    SHA256

    a5ca3f45cb937278c0903a0c4ad14df2a493a4123dec6177389c4bd3b0a6ced3

    SHA512

    af50a6c0de060c0e58c86208f4fb6823c85829fa43e717f08b5e63e5eacecacce193bfec85beaa5e50203803321238ca4af5e0dec51862ec3484f957f5f1ee6d

  • memory/4696-133-0x0000000075630000-0x0000000075734000-memory.dmp

    Filesize

    1.0MB

  • memory/4696-137-0x0000000075630000-0x0000000075734000-memory.dmp

    Filesize

    1.0MB

  • memory/4696-149-0x0000000075630000-0x0000000075734000-memory.dmp

    Filesize

    1.0MB