Analysis

  • max time kernel
    1s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    24-10-2022 10:37

General

  • Target

    1719cf1042e64bb5cef873edbd08c6f9d741e4747ab2e051a9cd8bcc43bc88ad.exe

  • Size

    324KB

  • MD5

    3db1e36f7d4dcf040e60114e8c43fea5

  • SHA1

    d9593fb5ef255e990e6c13e5a33c37666bdd2436

  • SHA256

    1719cf1042e64bb5cef873edbd08c6f9d741e4747ab2e051a9cd8bcc43bc88ad

  • SHA512

    c2d134a73c6b38ffaf8b2afcf7d1d5db8571d58542a424ca4156903513ecdc0548b7808b56cc75ad151a554e00b8402d9ca3ca9301007c59432cae519c822c87

  • SSDEEP

    3072:BGLsImbWiEPUDB3utSIS/LV4amVDGVy2EF5PSyA1Rsi3NEU0lWwJx/ILM+mKxLx0:BnE+/LV4/uEXox0AwD/ILuKxLxM8tfq

Malware Config

Extracted

Family

gootkit

Botnet

2222

C2

lulz.oromiablog.com

lala.oromianews.com

lond24don13cap4ital.com

Attributes
  • vendor_id

    2222

Signatures

  • Gootkit

    Gootkit is a banking trojan, where large parts are written in node.JS.

  • Deletes itself 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1719cf1042e64bb5cef873edbd08c6f9d741e4747ab2e051a9cd8bcc43bc88ad.exe
    "C:\Users\Admin\AppData\Local\Temp\1719cf1042e64bb5cef873edbd08c6f9d741e4747ab2e051a9cd8bcc43bc88ad.exe"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Windows\SysWOW64\mstsc.exe
      C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\1719cf1042e64bb5cef873edbd08c6f9d741e4747ab2e051a9cd8bcc43bc88ad.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1632
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7070776.bat" "C:\Users\Admin\AppData\Local\Temp\1719cf1042e64bb5cef873edbd08c6f9d741e4747ab2e051a9cd8bcc43bc88ad.exe""
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:988
        • C:\Windows\SysWOW64\attrib.exe
          attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\1719cf1042e64bb5cef873edbd08c6f9d741e4747ab2e051a9cd8bcc43bc88ad.exe"
          4⤵
          • Views/modifies file attributes
          PID:1536

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7070776.bat

    Filesize

    72B

    MD5

    9e4efa2b150999a4abdeac5dc0883588

    SHA1

    d6c000f3fb90add145dd92f3590f87839697f054

    SHA256

    c49673ec5bbfaf69b0c71cabdb824f50ea4ae583f73e04592f36fd195d13c20f

    SHA512

    88116780980cd7f8fad5a82f4604b0f0b7ab9235c70ffb594b1c1b363a6db82ddb63c748fac577bb019a6657d52ba0b76a8d4b1df8e86a8272afa67601bbec53

  • memory/1632-59-0x0000000000080000-0x00000000000A0000-memory.dmp

    Filesize

    128KB

  • memory/1988-54-0x000000004E150000-0x000000004E1A5000-memory.dmp

    Filesize

    340KB

  • memory/1988-55-0x00000000761F1000-0x00000000761F3000-memory.dmp

    Filesize

    8KB