Analysis

  • max time kernel
    41s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    30-05-2022 21:47

General

  • Target

    087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe

  • Size

    264KB

  • MD5

    af0b810ee30058e5cea264fed2a15f05

  • SHA1

    7aae8004f0042d3c4d250ace81053dbc3e31fecf

  • SHA256

    087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555

  • SHA512

    56b7da6973995c0e007ce78f62c5a45db54f8448ff7f0af6fcebe1a5f63c5d30b6864b7d0ae5c940f0db1d12c7363d87037a2b166caf51bc9b32175a95072710

Malware Config

Extracted

Family

gootkit

Botnet

410

C2

parking.dynophyl.com

parked.dynonortheast.com

trktrk.eu

smeinsurances.co.uk

Attributes
  • vendor_id

    410

Signatures

  • Gootkit

    Gootkit is a banking trojan, where large parts are written in node.JS.

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe
    "C:\Users\Admin\AppData\Local\Temp\087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe"
    1⤵
    • Checks BIOS information in registry
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1796
    • C:\Windows\SysWOW64\mstsc.exe
      C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7075128.bat" "C:\Users\Admin\AppData\Local\Temp\087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe""
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:848
        • C:\Windows\SysWOW64\attrib.exe
          attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\087b9f549d23316dc43dd3f6b2280fdfde113bc457b785066f8657115a7ef555.exe"
          4⤵
          • Views/modifies file attributes
          PID:1060

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Hidden Files and Directories

1
T1158

Defense Evasion

Hidden Files and Directories

1
T1158

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7075128.bat
    Filesize

    72B

    MD5

    a1cfbeed0549939c8213ab115db42853

    SHA1

    21368c8b4d778c4a48962bdabf14e4dfbbea40e6

    SHA256

    dae93a002c717e67ac4fe17e7732856bb8d88160cb29a417af0ba140f8768ec6

    SHA512

    82bd28ddac8816a8e75f3c864b6c3ff4b88247a03bdca356d9a41e01d7183a6a2ef68f1b899c3d1b65920e7cac67c900606abaac20296b458b45bb64c45936f1

  • memory/848-58-0x0000000000000000-mapping.dmp
  • memory/1060-61-0x0000000000000000-mapping.dmp
  • memory/1796-54-0x0000000076461000-0x0000000076463000-memory.dmp
    Filesize

    8KB

  • memory/1796-55-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize

    264KB

  • memory/2032-56-0x0000000000000000-mapping.dmp
  • memory/2032-59-0x0000000000080000-0x00000000000A0000-memory.dmp
    Filesize

    128KB