Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
09-09-2024 15:35
General
-
Target
5ebe93ffd5359b09f31e63be4e531ec72002874c5edb53b936f0e2879ff0ad4c.dll
-
Size
427KB
-
MD5
a11f717d224a2f229309c6b782e6810f
-
SHA1
4e97c89baf50699d2f49a296fd32847a2e11b1dc
-
SHA256
5ebe93ffd5359b09f31e63be4e531ec72002874c5edb53b936f0e2879ff0ad4c
-
SHA512
da1cba063eb02b36a5a77d9a338de29940bdfa866f37b2c8daf4ffc0aa2e139ed3a7643a1dd61e35e04c278574a13c29ee6d758a76f82b23a38452d3c3f1615b
-
SSDEEP
1536:1oc54q3DWrYOBvnXzyTn25XZKz6ctkzIph3wessmPr1if/959M:1T54Wed7AzKJessmk959
Score
10/10
Malware Config
Signatures
-
GoldDragon
GoldDragon is a second-stage backdoor attributed to Kimsuky.
-
Blocklisted process makes network request 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5ebe93ffd5359b09f31e63be4e531ec72002874c5edb53b936f0e2879ff0ad4c.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5ebe93ffd5359b09f31e63be4e531ec72002874c5edb53b936f0e2879ff0ad4c.dll,#12⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-