Analysis

  • max time kernel
    40s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    07-07-2022 19:07

General

  • Target

    447cc763a5679488a14b4c990a13879dda434b87029cda1874b4c4746457488b.exe

  • Size

    268KB

  • MD5

    ba6c566db676ab4bb59c2bebd3572e34

  • SHA1

    867b008a64d9db16fc6c3663ddf0cb5236c89d37

  • SHA256

    447cc763a5679488a14b4c990a13879dda434b87029cda1874b4c4746457488b

  • SHA512

    818a07dc63825502a16c4af9645378040da7019734c5d0415901120ffd2fac7c884415bdc141d71813deb29d738d8118c231b5381025319ef564f5a5061353db

Malware Config

Extracted

Family

gootkit

Botnet

410

C2

parking.dynophyl.com

parked.dynonortheast.com

trktrk.eu

smeinsurances.co.uk

Attributes
  • vendor_id

    410

Signatures

  • Gootkit

    Gootkit is a banking trojan, large parts of which are written in Node.js.

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\447cc763a5679488a14b4c990a13879dda434b87029cda1874b4c4746457488b.exe
    "C:\Users\Admin\AppData\Local\Temp\447cc763a5679488a14b4c990a13879dda434b87029cda1874b4c4746457488b.exe"
    1⤵
    • Checks BIOS information in registry
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1376
    • C:\Windows\SysWOW64\mstsc.exe
      C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\447cc763a5679488a14b4c990a13879dda434b87029cda1874b4c4746457488b.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1004
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7107561.bat" "C:\Users\Admin\AppData\Local\Temp\447cc763a5679488a14b4c990a13879dda434b87029cda1874b4c4746457488b.exe""
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:864
        • C:\Windows\SysWOW64\attrib.exe
          attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\447cc763a5679488a14b4c990a13879dda434b87029cda1874b4c4746457488b.exe"
          4⤵
          • Views/modifies file attributes
          PID:1592

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7107561.bat

    Filesize

    72B

    MD5

    843d4220f1c3c75e4506b9d5beff12a6

    SHA1

    0349177c8ec3265bba9235c29cafb85c45f43888

    SHA256

    ac1a92e2295f56287d771e406123a64d3228388b9b86069c6008629570725dd1

    SHA512

    4a207bb3bfb858b55fa5d4f8d1d9a7be9e5c05088277cfbb4cc94957ac399f7c9235f7c2c686bafdbe82b5ffbff4e25fe945582de7e76ceed9e42f248d47b778

  • memory/864-58-0x0000000000000000-mapping.dmp

  • memory/1004-55-0x0000000000000000-mapping.dmp

  • memory/1004-59-0x0000000000080000-0x00000000000A0000-memory.dmp

    Filesize

    128KB

  • memory/1376-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

    Filesize

    8KB

  • memory/1376-56-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

  • memory/1592-61-0x0000000000000000-mapping.dmp