golddragon | 1324acd1f720055e7941b39949116dfe72ce2e7792e70128f69e228eb48b0821

Analysis

max time kernel
1565s
max time network
1566s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-05-2024 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

goldropt5.exe
Size

513KB
MD5

0cc0aa5877cec9109b7a5a0e3a250c72
SHA1

1d49d462a11a00d8ac9608e49f055961bf79980d
SHA256

1324acd1f720055e7941b39949116dfe72ce2e7792e70128f69e228eb48b0821
SHA512

642b0d06755c78658c308167cf9e61a0e42bb792c61306c6f6976c5ebc51cbce1f795b534e4767e8106edc68bd58f16943c7acc0846cf1c67161c67c28746637
SSDEEP

12288:B/P+NYgHizBSWMJ/17sM57k0+iQkB86PGjg:BO6gH8UJ/mMWkBCg

Score

10^/10

golddragon backdoor persistence spyware stealer

Malware Config

Signatures

GoldDragon
GoldDragon is a second-stage backdoor attributed to Kimsuky.
backdoor golddragon

GoldDragon 2021 Stage2 infostealer 4 IoCs

Detect GoldDragon InfoStealer Stage 2.

stealer

resource	yara_rule
behavioral1/memory/1648-21-0x0000000000150000-0x00000000001A9000-memory.dmp	golddragon_stage2
behavioral1/memory/1648-20-0x0000000000150000-0x00000000001A9000-memory.dmp	golddragon_stage2
behavioral1/memory/1648-22-0x0000000000150000-0x00000000001A9000-memory.dmp	golddragon_stage2
behavioral1/memory/1648-23-0x0000000000150000-0x00000000001A9000-memory.dmp	golddragon_stage2

Loads dropped DLL 1 IoCs

pid	Process
2492	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\dropbox = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Roaming\\OneDriver\\down\\OneDrivecache.dll\" Run"	rundll32.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2492 set thread context of 1648	2492	rundll32.exe	44
PID 1648 set thread context of 1892	1648	svchost.exe	47
PID 1648 set thread context of 1876	1648	svchost.exe	50

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2748	tasklist.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2512	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2312	systeminfo.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2688	taskkill.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1648	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	taskkill.exe
Token: SeDebugPrivilege	2748	tasklist.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2492	2044	goldropt5.exe	28
PID 2044 wrote to memory of 2492	2044	goldropt5.exe	28
PID 2044 wrote to memory of 2492	2044	goldropt5.exe	28
PID 2044 wrote to memory of 2492	2044	goldropt5.exe	28
PID 2044 wrote to memory of 2492	2044	goldropt5.exe	28
PID 2044 wrote to memory of 2492	2044	goldropt5.exe	28
PID 2044 wrote to memory of 2492	2044	goldropt5.exe	28
PID 2492 wrote to memory of 2544	2492	rundll32.exe	29
PID 2492 wrote to memory of 2544	2492	rundll32.exe	29
PID 2492 wrote to memory of 2544	2492	rundll32.exe	29
PID 2492 wrote to memory of 2544	2492	rundll32.exe	29
PID 2544 wrote to memory of 2688	2544	cmd.exe	31
PID 2544 wrote to memory of 2688	2544	cmd.exe	31
PID 2544 wrote to memory of 2688	2544	cmd.exe	31
PID 2544 wrote to memory of 2688	2544	cmd.exe	31
PID 2492 wrote to memory of 2600	2492	rundll32.exe	33
PID 2492 wrote to memory of 2600	2492	rundll32.exe	33
PID 2492 wrote to memory of 2600	2492	rundll32.exe	33
PID 2492 wrote to memory of 2600	2492	rundll32.exe	33
PID 2600 wrote to memory of 2512	2600	cmd.exe	35
PID 2600 wrote to memory of 2512	2600	cmd.exe	35
PID 2600 wrote to memory of 2512	2600	cmd.exe	35
PID 2600 wrote to memory of 2512	2600	cmd.exe	35
PID 2600 wrote to memory of 2416	2600	cmd.exe	36
PID 2600 wrote to memory of 2416	2600	cmd.exe	36
PID 2600 wrote to memory of 2416	2600	cmd.exe	36
PID 2600 wrote to memory of 2416	2600	cmd.exe	36
PID 2492 wrote to memory of 2452	2492	rundll32.exe	37
PID 2492 wrote to memory of 2452	2492	rundll32.exe	37
PID 2492 wrote to memory of 2452	2492	rundll32.exe	37
PID 2492 wrote to memory of 2452	2492	rundll32.exe	37
PID 2452 wrote to memory of 2312	2452	cmd.exe	39
PID 2452 wrote to memory of 2312	2452	cmd.exe	39
PID 2452 wrote to memory of 2312	2452	cmd.exe	39
PID 2452 wrote to memory of 2312	2452	cmd.exe	39
PID 2492 wrote to memory of 2488	2492	rundll32.exe	41
PID 2492 wrote to memory of 2488	2492	rundll32.exe	41
PID 2492 wrote to memory of 2488	2492	rundll32.exe	41
PID 2492 wrote to memory of 2488	2492	rundll32.exe	41
PID 2488 wrote to memory of 2748	2488	cmd.exe	43
PID 2488 wrote to memory of 2748	2488	cmd.exe	43
PID 2488 wrote to memory of 2748	2488	cmd.exe	43
PID 2488 wrote to memory of 2748	2488	cmd.exe	43
PID 2492 wrote to memory of 1648	2492	rundll32.exe	44
PID 2492 wrote to memory of 1648	2492	rundll32.exe	44
PID 2492 wrote to memory of 1648	2492	rundll32.exe	44
PID 2492 wrote to memory of 1648	2492	rundll32.exe	44
PID 2492 wrote to memory of 1648	2492	rundll32.exe	44
PID 2492 wrote to memory of 1648	2492	rundll32.exe	44
PID 1648 wrote to memory of 1892	1648	svchost.exe	47
PID 1648 wrote to memory of 1892	1648	svchost.exe	47
PID 1648 wrote to memory of 1892	1648	svchost.exe	47
PID 1648 wrote to memory of 1892	1648	svchost.exe	47
PID 1648 wrote to memory of 1892	1648	svchost.exe	47
PID 1648 wrote to memory of 1892	1648	svchost.exe	47
PID 1648 wrote to memory of 1876	1648	svchost.exe	50
PID 1648 wrote to memory of 1876	1648	svchost.exe	50
PID 1648 wrote to memory of 1876	1648	svchost.exe	50
PID 1648 wrote to memory of 1876	1648	svchost.exe	50
PID 1648 wrote to memory of 1876	1648	svchost.exe	50
PID 1648 wrote to memory of 1876	1648	svchost.exe	50

C:\Users\Admin\AppData\Local\Temp\goldropt5.exe
"C:\Users\Admin\AppData\Local\Temp\goldropt5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Roaming\Cleaner~.tmp" Run
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im daumcleaner.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im daumcleaner.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ipconfig/all >>"C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_001.dat" & arp -a >>"C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_001.dat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:2512
  - - C:\Windows\SysWOW64\ARP.EXE
      arp -a
      4⤵
      PID:2416
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c systeminfo >>"C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_001.dat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c tasklist >>"C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_001.dat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2748
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      PID:1892
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
510ebe703743552a0fb54af8b9f3b01d

SHA1
b449fdf2d0b0d139ff65a8d81770d1c65f6b318b

SHA256
4064a3bd9bb9b84bb68a20cf7028be8126f9790c1c353a12314c5a399b408304

SHA512
37a9b1a37157b47b7def76171e3053d820a8d3c940d7e8e9806ea44d5befcfd92658a59f3b4e540161cdc4bbb0f845f5729d175c9070b1cb7c9b44b5d8708bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB8DC.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_000.dat

Filesize
1.2MB

MD5
f8ae7546fc9ccd58241bd85b7740b9fd

SHA1
75581e8b1e8c86c179470b64de55468c742a5762

SHA256
bdc1401e30a7dc4e1b1071c6b5a6ee6dfd384f66e105139379f472eccc51f087

SHA512
81daf67283f73788f657bb19a75f5634927616e69cb0cf03faf5590a85dc617fd7c56a1a673f8f11a9c8240f44f1f545d56ab33a39bb7d696bf6582b64e0e706

Download Submit
C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_001.dat

Filesize
1KB

MD5
c45af9f998a2fb70722fd9c5faacd04f

SHA1
e283a1495a9b62c11b74003c557b845b9bdefdd2

SHA256
fe2fdd6b7bda4f7204b2ab5d7e3011818184a54e748c9838d09b2484f8744dec

SHA512
c8e9979adb955deef5ba02ef88ffe1778e087bb7623e9d6e2bc118ca899e9941875e846132c814a5104986e33f204e13aeaa14e36512b2ff54dd9ecf1b523f19

Download Submit
C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_001.dat

Filesize
3KB

MD5
a93a369ca9c318fa0c3a2a701ab978da

SHA1
e2c0c769f054b2456e5ee52fc3ac2678347963bd

SHA256
7ca242e7ba97d961c1ee0f27def3e1ca32124fbf7f09d86f6b447aa48c25b53a

SHA512
8411d78773824b9fa47b31237739d81a22bf578363d0b0f2740da1d25a78f3d60e53e68db12660d335bb1f542e6c78d60a78f7a94aa27cf1216a9f0050cd1e8e

Download Submit
C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_001.dat

Filesize
6KB

MD5
abd1a0bb5bbbe513d5abe61b3813ff75

SHA1
14127be62e0dccd389019d63595e9579a523ca63

SHA256
8457e7680135989a7f875193fc8ea0ab34c10759059d9ec8f7eba0d01fc9fd87

SHA512
f44a2bec71cb853c6e115f5ac0f81e544f83df8195bee77789982698f39c32cb9d0b3e830bc28114ecebee3cb62a37fdad8e84feb75586e6bc18d4cb9dcd7ef9

Download Submit
C:\Users\Admin\AppData\Roaming\OneDriver\post\mg_6334

Filesize
107KB

MD5
3633a0150b6f2579f4155a49aa617728

SHA1
4a6bca80fe928e77538706dd6d2f79224511825d

SHA256
da3124007391c833d4b1dd676b33059c0dc6ac266500060a798c038fb574da72

SHA512
b5ea1cce785d880b4cf158b5f6f3ed8b102592609fc3e1358b31dc322e54918387f1dca5debbf8c6fd886edc610da7a7c12d52ee9da24e4accc3b8d50bb78611

Download Submit
memory/1648-17-0x0000000000150000-0x00000000001A9000-memory.dmp

Filesize
356KB

Download
memory/1648-23-0x0000000000150000-0x00000000001A9000-memory.dmp

Filesize
356KB

Download
memory/1648-22-0x0000000000150000-0x00000000001A9000-memory.dmp

Filesize
356KB

Download
memory/1648-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1648-20-0x0000000000150000-0x00000000001A9000-memory.dmp

Filesize
356KB

Download
memory/1648-21-0x0000000000150000-0x00000000001A9000-memory.dmp

Filesize
356KB

Download
memory/1892-38-0x0000000000080000-0x00000000000CA000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads