golddragon | 3903958eb28632aa58e455eb87482d1ccef38a6fe43512baad30902e8bfdd6d5

Analysis

max time kernel
367s
max time network
482s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
16-05-2024 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

payload.dll
Size

481KB
MD5

e647b3366dc836c1f63bdc5ba2aef3a9
SHA1

a7b0711b45081768817e85d6fc76e23093093f87
SHA256

3903958eb28632aa58e455eb87482d1ccef38a6fe43512baad30902e8bfdd6d5
SHA512

39166d31017b238b4cae861ab263e3dd11260c0203fc8dcfd41461f3b850126ba954bcf9fb7678ceb63dc2e2f252bd6e20f7f33aed1a81db8c0d89c56be5dfcb
SSDEEP

12288:L5VaR+IeIcFHazhjpniikvx4/qs6iDwEHtDWT:L5SjcFyhjp0x4/qs6VEt

Score

10^/10

golddragon backdoor persistence spyware stealer

Malware Config

Signatures

GoldDragon
GoldDragon is a second-stage backdoor attributed to Kimsuky.
backdoor golddragon

GoldDragon 2021 Stage2 infostealer 4 IoCs

Detect GoldDragon InfoStealer Stage 2.

stealer

Processes:

resource	yara_rule
behavioral1/memory/1052-15-0x0000000000080000-0x00000000000D9000-memory.dmp	golddragon_stage2
behavioral1/memory/1052-16-0x0000000000080000-0x00000000000D9000-memory.dmp	golddragon_stage2
behavioral1/memory/1052-17-0x0000000000080000-0x00000000000D9000-memory.dmp	golddragon_stage2
behavioral1/memory/1052-18-0x0000000000080000-0x00000000000D9000-memory.dmp	golddragon_stage2

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\dropbox = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Roaming\\OneDriver\\down\\OneDrivecache.dll\" Run"	rundll32.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

rundll32.exesvchost.exe

description	pid	process	target process
PID 1068 set thread context of 1052	1068	rundll32.exe	svchost.exe
PID 1052 set thread context of 2784	1052	svchost.exe	iexplore.exe
PID 1052 set thread context of 1676	1052	svchost.exe	iexplore.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3036 tasklist.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

2772 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2620 systeminfo.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1804 taskkill.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid process

1052 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

taskkill.exetasklist.exe

description pid process

Token: SeDebugPrivilege 1804 taskkill.exe
Token: SeDebugPrivilege 3036 tasklist.exe

pid	process
3036	tasklist.exe

pid	process
2772	ipconfig.exe

pid	process
2620	systeminfo.exe

pid	process
1804	taskkill.exe

pid	process
1052	svchost.exe

description	pid	process
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	3036	tasklist.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

rundll32.exerundll32.execmd.execmd.execmd.execmd.exesvchost.exe

description	pid	process	target process
PID 2856 wrote to memory of 1068	2856	rundll32.exe	rundll32.exe
PID 2856 wrote to memory of 1068	2856	rundll32.exe	rundll32.exe
PID 2856 wrote to memory of 1068	2856	rundll32.exe	rundll32.exe
PID 2856 wrote to memory of 1068	2856	rundll32.exe	rundll32.exe
PID 2856 wrote to memory of 1068	2856	rundll32.exe	rundll32.exe
PID 2856 wrote to memory of 1068	2856	rundll32.exe	rundll32.exe
PID 2856 wrote to memory of 1068	2856	rundll32.exe	rundll32.exe
PID 1068 wrote to memory of 2272	1068	rundll32.exe	cmd.exe
PID 1068 wrote to memory of 2272	1068	rundll32.exe	cmd.exe
PID 1068 wrote to memory of 2272	1068	rundll32.exe	cmd.exe
PID 1068 wrote to memory of 2272	1068	rundll32.exe	cmd.exe
PID 2272 wrote to memory of 1804	2272	cmd.exe	taskkill.exe
PID 2272 wrote to memory of 1804	2272	cmd.exe	taskkill.exe
PID 2272 wrote to memory of 1804	2272	cmd.exe	taskkill.exe
PID 2272 wrote to memory of 1804	2272	cmd.exe	taskkill.exe
PID 1068 wrote to memory of 2608	1068	rundll32.exe	cmd.exe
PID 1068 wrote to memory of 2608	1068	rundll32.exe	cmd.exe
PID 1068 wrote to memory of 2608	1068	rundll32.exe	cmd.exe
PID 1068 wrote to memory of 2608	1068	rundll32.exe	cmd.exe
PID 2608 wrote to memory of 2772	2608	cmd.exe	ipconfig.exe
PID 2608 wrote to memory of 2772	2608	cmd.exe	ipconfig.exe
PID 2608 wrote to memory of 2772	2608	cmd.exe	ipconfig.exe
PID 2608 wrote to memory of 2772	2608	cmd.exe	ipconfig.exe
PID 2608 wrote to memory of 2544	2608	cmd.exe	ARP.EXE
PID 2608 wrote to memory of 2544	2608	cmd.exe	ARP.EXE
PID 2608 wrote to memory of 2544	2608	cmd.exe	ARP.EXE
PID 2608 wrote to memory of 2544	2608	cmd.exe	ARP.EXE
PID 1068 wrote to memory of 2536	1068	rundll32.exe	cmd.exe
PID 1068 wrote to memory of 2536	1068	rundll32.exe	cmd.exe
PID 1068 wrote to memory of 2536	1068	rundll32.exe	cmd.exe
PID 1068 wrote to memory of 2536	1068	rundll32.exe	cmd.exe
PID 2536 wrote to memory of 2620	2536	cmd.exe	systeminfo.exe
PID 2536 wrote to memory of 2620	2536	cmd.exe	systeminfo.exe
PID 2536 wrote to memory of 2620	2536	cmd.exe	systeminfo.exe
PID 2536 wrote to memory of 2620	2536	cmd.exe	systeminfo.exe
PID 1068 wrote to memory of 2700	1068	rundll32.exe	cmd.exe
PID 1068 wrote to memory of 2700	1068	rundll32.exe	cmd.exe
PID 1068 wrote to memory of 2700	1068	rundll32.exe	cmd.exe
PID 1068 wrote to memory of 2700	1068	rundll32.exe	cmd.exe
PID 2700 wrote to memory of 3036	2700	cmd.exe	tasklist.exe
PID 2700 wrote to memory of 3036	2700	cmd.exe	tasklist.exe
PID 2700 wrote to memory of 3036	2700	cmd.exe	tasklist.exe
PID 2700 wrote to memory of 3036	2700	cmd.exe	tasklist.exe
PID 1068 wrote to memory of 1052	1068	rundll32.exe	svchost.exe
PID 1068 wrote to memory of 1052	1068	rundll32.exe	svchost.exe
PID 1068 wrote to memory of 1052	1068	rundll32.exe	svchost.exe
PID 1068 wrote to memory of 1052	1068	rundll32.exe	svchost.exe
PID 1068 wrote to memory of 1052	1068	rundll32.exe	svchost.exe
PID 1068 wrote to memory of 1052	1068	rundll32.exe	svchost.exe
PID 1052 wrote to memory of 2784	1052	svchost.exe	iexplore.exe
PID 1052 wrote to memory of 2784	1052	svchost.exe	iexplore.exe
PID 1052 wrote to memory of 2784	1052	svchost.exe	iexplore.exe
PID 1052 wrote to memory of 2784	1052	svchost.exe	iexplore.exe
PID 1052 wrote to memory of 2784	1052	svchost.exe	iexplore.exe
PID 1052 wrote to memory of 2784	1052	svchost.exe	iexplore.exe
PID 1052 wrote to memory of 1676	1052	svchost.exe	iexplore.exe
PID 1052 wrote to memory of 1676	1052	svchost.exe	iexplore.exe
PID 1052 wrote to memory of 1676	1052	svchost.exe	iexplore.exe
PID 1052 wrote to memory of 1676	1052	svchost.exe	iexplore.exe
PID 1052 wrote to memory of 1676	1052	svchost.exe	iexplore.exe
PID 1052 wrote to memory of 1676	1052	svchost.exe	iexplore.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\payload.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\payload.dll,#1
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im daumcleaner.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im daumcleaner.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ipconfig/all >>"C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_001.dat" & arp -a >>"C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_001.dat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:2772
  - - C:\Windows\SysWOW64\ARP.EXE
      arp -a
      4⤵
      PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c systeminfo >>"C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_001.dat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c tasklist >>"C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_001.dat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3036
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:1052
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      PID:2784
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4fcefedeb9d5a79133f4c86e0a362cc4

SHA1
60a8b680e0fa29cf2f0206c071a5b35d6a396e8b

SHA256
e6dbb0d9701aec8150b38a409bcca97d1a7306b1085228d32bea37cd0528f120

SHA512
1bc70c5f4c9043032950c2a45782d47c9173f97a14413ea5bf8f9d6d7ff6ac67027d5922b696c5ace860906eca2bb16f7c75e51f7269ecdf59487bac5312f559

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
e439a0ceebfb6fe38ab46632f038266e

SHA1
daa624858b6aedcf9eda543de4ea43b68f5581b5

SHA256
23825ffcb58783c0272673c2ce144c56a26d8f6a001d52ba2612926387330fd8

SHA512
d72355eab82d13ac5e2e96b48dacf333c6d2f543ae01450e9383f13f7613c7c685238f0c84d831ee8956d37a41e0731ba2ab3b73f398df09f09e144f0f2bd616

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9BB9.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_000.dat

Filesize
1.2MB

MD5
1d7a39c4187a5e097fedcbdc571121d7

SHA1
22c575fe1401faae5281bcf6553af0732bf6ceaf

SHA256
612144b1e166b44f06ba4d60192b3d4391efab77725d04eefc3d41c6b957e4c2

SHA512
c75fcff115163d3a635e90495da4308cf7effd6fa46feb1dbb0412e58d3b00a30e12e0468537f4da0b8eace9adfe1e62cf4d97dd132f4dc4116e68f98fbe5a37

Download Submit
C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_001.dat

Filesize
3KB

MD5
3bc7da930c0a7a1ec15354a756692c17

SHA1
185e0cac5874b4b5907192c09adc9ff5c0ada036

SHA256
970fb9d8ead5af57262814edb924bc0cd599a7f140eb77c55790f07118f92b39

SHA512
d0a63bbf9190b85c3270ac81861e0ddb80d2ba5b5fa433b5948c4820f5c4ccbfcf0a594940b7320e560435cbd55cd383d075cb20a613ef9d445eaca2ef735fbf

Download Submit
C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_001.dat

Filesize
6KB

MD5
800f1cc19b3f3d14dc9da990409355e2

SHA1
5cb7473a96b7b4947a1934c02eaf2a7d9a084824

SHA256
bab45e28cd50819bc412abf44ea10e7999d1874c02cce96a988f3afbe29ffeb1

SHA512
d7215b3e71d6b34b8e7764fd5290de70983916656ce81717ffca272f65f4c3ae60625bfd863d2a548f44df383a507afb96e26f4ef6c45c897eb091a7c9698318

Download Submit
C:\Users\Admin\AppData\Roaming\OneDriver\out\PI_001.dat

Filesize
1KB

MD5
84746fde0e6dfc08358512259ddda10a

SHA1
d19bfd1d4e97313802c69b5d0dc9b9826c4a9853

SHA256
1d7812aea016af707edfb5f857f1a9d557043a0977e396bbd5526be5b47b477e

SHA512
8c2fa38ed99cf51f71c5276e1a25909f27ae63bc44d9e050c8892f5ab0cca6e3b9e738aa2ee1558b5b334c2ef963ea38d26a90a714418818c2d78a9c802cd22c

Download Submit
C:\Users\Admin\AppData\Roaming\OneDriver\post\mg_6334

Filesize
105KB

MD5
ab545fa35d6a911502abdd4a827d988c

SHA1
12e01f312e9d9ffe31aad7b29d124009563136e4

SHA256
e15804cb95a1a454f14161d704d7af8401b688d89edf347788f0d8ced6fd95eb

SHA512
2e377c29b9cbe5a2911fd1c2065170ac00e1438bf9d4a9a8e902df6854ac763f4b1d10c7f30694fb3dcf3bed89bf6049865d94f63836627082aae1ac16c216fa

Download Submit
memory/1052-18-0x0000000000080000-0x00000000000D9000-memory.dmp

Filesize
356KB

Download
memory/1052-17-0x0000000000080000-0x00000000000D9000-memory.dmp

Filesize
356KB

Download
memory/1052-12-0x0000000000080000-0x00000000000D9000-memory.dmp

Filesize
356KB

Download
memory/1052-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1052-16-0x0000000000080000-0x00000000000D9000-memory.dmp

Filesize
356KB

Download
memory/1052-15-0x0000000000080000-0x00000000000D9000-memory.dmp

Filesize
356KB

Download
memory/1676-169-0x0000000000080000-0x00000000000CA000-memory.dmp

Filesize
296KB

Download
memory/2784-33-0x0000000000190000-0x00000000001DA000-memory.dmp

Filesize
296KB

Download