gootkit | 1deec701f0f95e56e1cd7fa7b5722b223f83062093df8def6a0df7f6fa09337c

Analysis

max time kernel
72s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
12-06-2022 22:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1deec701f0f95e56e1cd7fa7b5722b223f83062093df8def6a0df7f6fa09337c.exe
Size

268KB
MD5

4c9d497b5680901bdd4b6a3330f776b6
SHA1

0d1f10ccc8b131cd3e03e2c1654f972a154f09cc
SHA256

1deec701f0f95e56e1cd7fa7b5722b223f83062093df8def6a0df7f6fa09337c
SHA512

c8a0e5c5c358222156543bd7da968127a7fb5a8b8d611c6e975f1328d1383dd91d01d63f62f0b34d366c72818ef3840e429c5bcee2de3c8df5662f177717b0b0

Score

10^/10

gootkit 410 banker botnet trojan

Malware Config

Extracted

Family

gootkit

Botnet

410

parking.dynophyl.com

parked.dynonortheast.com

trktrk.eu

smeinsurances.co.uk

Attributes

vendor_id
410

Signatures

Gootkit
Gootkit is a banking trojan, where large parts are written in node.JS.
trojan banker botnet gootkit

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1deec701f0f95e56e1cd7fa7b5722b223f83062093df8def6a0df7f6fa09337c.exe

Deletes itself 1 IoCs

pid	Process
2020	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe
1704	mstsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1896	1deec701f0f95e56e1cd7fa7b5722b223f83062093df8def6a0df7f6fa09337c.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1896	1deec701f0f95e56e1cd7fa7b5722b223f83062093df8def6a0df7f6fa09337c.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 1704	1896	1deec701f0f95e56e1cd7fa7b5722b223f83062093df8def6a0df7f6fa09337c.exe	28
PID 1896 wrote to memory of 1704	1896	1deec701f0f95e56e1cd7fa7b5722b223f83062093df8def6a0df7f6fa09337c.exe	28
PID 1896 wrote to memory of 1704	1896	1deec701f0f95e56e1cd7fa7b5722b223f83062093df8def6a0df7f6fa09337c.exe	28
PID 1896 wrote to memory of 1704	1896	1deec701f0f95e56e1cd7fa7b5722b223f83062093df8def6a0df7f6fa09337c.exe	28
PID 1896 wrote to memory of 1704	1896	1deec701f0f95e56e1cd7fa7b5722b223f83062093df8def6a0df7f6fa09337c.exe	28
PID 1896 wrote to memory of 1704	1896	1deec701f0f95e56e1cd7fa7b5722b223f83062093df8def6a0df7f6fa09337c.exe	28
PID 1896 wrote to memory of 1704	1896	1deec701f0f95e56e1cd7fa7b5722b223f83062093df8def6a0df7f6fa09337c.exe	28
PID 1896 wrote to memory of 1704	1896	1deec701f0f95e56e1cd7fa7b5722b223f83062093df8def6a0df7f6fa09337c.exe	28
PID 1896 wrote to memory of 1704	1896	1deec701f0f95e56e1cd7fa7b5722b223f83062093df8def6a0df7f6fa09337c.exe	28
PID 1704 wrote to memory of 2020	1704	mstsc.exe	29
PID 1704 wrote to memory of 2020	1704	mstsc.exe	29
PID 1704 wrote to memory of 2020	1704	mstsc.exe	29
PID 1704 wrote to memory of 2020	1704	mstsc.exe	29
PID 2020 wrote to memory of 980	2020	cmd.exe	31
PID 2020 wrote to memory of 980	2020	cmd.exe	31
PID 2020 wrote to memory of 980	2020	cmd.exe	31
PID 2020 wrote to memory of 980	2020	cmd.exe	31

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
980	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1deec701f0f95e56e1cd7fa7b5722b223f83062093df8def6a0df7f6fa09337c.exe
"C:\Users\Admin\AppData\Local\Temp\1deec701f0f95e56e1cd7fa7b5722b223f83062093df8def6a0df7f6fa09337c.exe"
1⤵
- Checks BIOS information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\SysWOW64\mstsc.exe
  C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\1deec701f0f95e56e1cd7fa7b5722b223f83062093df8def6a0df7f6fa09337c.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\7179088.bat" "C:\Users\Admin\AppData\Local\Temp\1deec701f0f95e56e1cd7fa7b5722b223f83062093df8def6a0df7f6fa09337c.exe""
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\1deec701f0f95e56e1cd7fa7b5722b223f83062093df8def6a0df7f6fa09337c.exe"
      4⤵
      Views/modifies file attributes
      PID:980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7179088.bat

Filesize
72B

MD5
ba14e66f089aa83cf1cd0f65173851a3

SHA1
137f6ed51b53fbb2fd9d288d0850af1d60a2fbfe

SHA256
1b4d7d43698d7445daec1117f9dca629df0376968c6798cb9e4372bef63a5cf4

SHA512
059d95835381c08c91a3332019092883486b0bd01c7e01dbad32a5a6d4c6487b08ab1218c534fdd42d6b3e96c6294ab44a1f205f28dfb5f6fa9f580fd09574f8

Download Submit
memory/1704-59-0x00000000000C0000-0x00000000000E0000-memory.dmp

Filesize
128KB

Download
memory/1896-54-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/1896-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download