gootkit | 5766bffa91f87cd08582fac05209c5d8d9356ad88e15499038dc624c0ccbc468

General

Target

5766bffa91f87cd08582fac05209c5d8d9356ad88e15499038dc624c0ccbc468.exe
Size

286KB
MD5

350c0b08ec0452a070bbed6fc730b17c
SHA1

15d23e2d535bf6540491fdaae6ef8d617ec47930
SHA256

5766bffa91f87cd08582fac05209c5d8d9356ad88e15499038dc624c0ccbc468
SHA512

725cd3062b4aa68eb93a7bc1a3f7318f84cf003a296e2bfe11b884579ea8a0f6e25d86821fce3c4c40ae0e5fb67ab167aafafb65e9d7451c9923327eb9123a3c

Score

10^/10

gootkit 6546 banker botnet trojan

Malware Config

Extracted

Family

gootkit

Botnet

6546

C2

servicemanager.icu

partnerservice.xyz

Attributes

vendor_id
6546

Signatures

Gootkit
Gootkit is a banking trojan, where large parts are written in node.JS.
trojan banker botnet gootkit

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5766bffa91f87cd08582fac05209c5d8d9356ad88e15499038dc624c0ccbc468.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	5766bffa91f87cd08582fac05209c5d8d9356ad88e15499038dc624c0ccbc468.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2336	svchost.exe
Token: SeCreatePagefilePrivilege	2336	svchost.exe
Token: SeShutdownPrivilege	2336	svchost.exe
Token: SeCreatePagefilePrivilege	2336	svchost.exe
Token: SeShutdownPrivilege	2336	svchost.exe
Token: SeCreatePagefilePrivilege	2336	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 2644	4924	5766bffa91f87cd08582fac05209c5d8d9356ad88e15499038dc624c0ccbc468.exe	82
PID 4924 wrote to memory of 2644	4924	5766bffa91f87cd08582fac05209c5d8d9356ad88e15499038dc624c0ccbc468.exe	82
PID 4924 wrote to memory of 2644	4924	5766bffa91f87cd08582fac05209c5d8d9356ad88e15499038dc624c0ccbc468.exe	82
PID 2644 wrote to memory of 2528	2644	cmd.exe	84
PID 2644 wrote to memory of 2528	2644	cmd.exe	84
PID 2644 wrote to memory of 2528	2644	cmd.exe	84

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2528	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5766bffa91f87cd08582fac05209c5d8d9356ad88e15499038dc624c0ccbc468.exe
"C:\Users\Admin\AppData\Local\Temp\5766bffa91f87cd08582fac05209c5d8d9356ad88e15499038dc624c0ccbc468.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\30230750.bat" "C:\Users\Admin\AppData\Local\Temp\5766bffa91f87cd08582fac05209c5d8d9356ad88e15499038dc624c0ccbc468.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\5766bffa91f87cd08582fac05209c5d8d9356ad88e15499038dc624c0ccbc468.exe"
    3⤵
    - Views/modifies file attributes
    PID:2528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2336-134-0x000001E540120000-0x000001E540130000-memory.dmp

Filesize
64KB

Download
memory/2336-135-0x000001E540180000-0x000001E540190000-memory.dmp

Filesize
64KB

Download
memory/2336-136-0x000001E542850000-0x000001E542854000-memory.dmp

Filesize
16KB

Download
memory/4924-131-0x00000000005E0000-0x00000000005E3000-memory.dmp

Filesize
12KB

Download
memory/4924-132-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads