Analysis
-
max time kernel
120s -
max time network
126s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
19-02-2022 21:25
General
-
Target
c1ae38afb6c82b9107868d66318095f1c00f1e92dddc0ee953c23a8de4ace353.exe
-
Size
287KB
-
MD5
ef45a5b40438205dc050f4afebc278b5
-
SHA1
6760ea10d2e201b688d841ee11c841653ede94f5
-
SHA256
c1ae38afb6c82b9107868d66318095f1c00f1e92dddc0ee953c23a8de4ace353
-
SHA512
fcceff6a644a09fdae46ffc306743277d6cc078c273b7dd6f85be97592aa23ca4631bf6564dbd130f9aaa38536066af3b61713a07984e9d7e0a9909cd635b021
Score
10/10
Malware Config
Extracted
Family
gootkit
Botnet
6546
C2
servicemanager.icu
partnerservice.xyz
Attributes
-
vendor_id
6546
Signatures
-
Gootkit
Gootkit is a banking trojan, where large parts are written in node.JS.
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 8 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c1ae38afb6c82b9107868d66318095f1c00f1e92dddc0ee953c23a8de4ace353.exe"C:\Users\Admin\AppData\Local\Temp\c1ae38afb6c82b9107868d66318095f1c00f1e92dddc0ee953c23a8de4ace353.exe"1⤵
- Checks BIOS information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\259370850.bat" "C:\Users\Admin\AppData\Local\Temp\c1ae38afb6c82b9107868d66318095f1c00f1e92dddc0ee953c23a8de4ace353.exe""2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\c1ae38afb6c82b9107868d66318095f1c00f1e92dddc0ee953c23a8de4ace353.exe"3⤵
- Views/modifies file attributes
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
-
Filesize
8KB
-
Filesize
176KB