Analysis

  • max time kernel
    61s
  • max time network
    123s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    04-02-2021 16:43

General

  • Target

    e561ae3cedb6f9fc0ecff559c62788b0.exe

  • Size

    293KB

  • MD5

    e561ae3cedb6f9fc0ecff559c62788b0

  • SHA1

    de34eb34e2c489386fb32dd96469e7fdcef617d9

  • SHA256

    38933984f5ff8b71c054d1c1155e308ac02377b89315ef17cea859178a30dbab

  • SHA512

    c3abd85394b75b05b2bb7c53c28e3d1309226294c16594e6704e009f49353c45de4fcf632222f55529916181ce545485d6fd26d14eecb3db91b625ba9730d757

Malware Config

Extracted

Family

gootkit

Botnet

8888

C2

sslsecurehost.com

securessl256.com

Attributes
  • vendor_id

    8888

Signatures

  • Gootkit

    Gootkit is a banking trojan, large parts of which are written in Node.js.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 90 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe
    "C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4684
    • C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe
      "C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe" -l
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4172
      • C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe
        C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe
        3⤵
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3284
        • C:\Windows\SysWOW64\mstsc.exe
          C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3836
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\259276781.bat" "C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe""
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3568
            • C:\Windows\SysWOW64\attrib.exe
              attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe"
              6⤵
              • Views/modifies file attributes
              PID:4056

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Hidden Files and Directories (T1158): 1
  • Defense Evasion
    Hidden Files and Directories (T1158): 1
  • Discovery
    System Information Discovery (T1082): 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\259276781.bat
    MD5

    7b569f3b7cebae84513d4385c4336185

    SHA1

    7e0eb7c0e5120685bde25741e139adbb871c92cf

    SHA256

    ea8ca59e1ff3564ab382604ae12d09a6975baefe26bbdbbbb69c53480329f309

    SHA512

    a1fd7ff62aae4552e40ff122a77b3da07b46defcde581ea13436fb07df35a0cf931cc8a15b33205713a7d8d7ad58c392f7930f4e9ecc548df0441726fa2f644f

  • memory/3284-3-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

  • memory/3284-4-0x000000000040EA92-mapping.dmp
  • memory/3284-6-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

  • memory/3568-8-0x0000000000000000-mapping.dmp
  • memory/3836-5-0x0000000000000000-mapping.dmp
  • memory/3836-7-0x0000000002E70000-0x0000000002E90000-memory.dmp
    Filesize

    128KB

  • memory/4056-10-0x0000000000000000-mapping.dmp
  • memory/4172-2-0x0000000000000000-mapping.dmp