Analysis

  • max time kernel
    4s
  • max time network
    12s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-10-2022 10:37

General

  • Target

    1719cf1042e64bb5cef873edbd08c6f9d741e4747ab2e051a9cd8bcc43bc88ad.exe

  • Size

    324KB

  • MD5

    3db1e36f7d4dcf040e60114e8c43fea5

  • SHA1

    d9593fb5ef255e990e6c13e5a33c37666bdd2436

  • SHA256

    1719cf1042e64bb5cef873edbd08c6f9d741e4747ab2e051a9cd8bcc43bc88ad

  • SHA512

    c2d134a73c6b38ffaf8b2afcf7d1d5db8571d58542a424ca4156903513ecdc0548b7808b56cc75ad151a554e00b8402d9ca3ca9301007c59432cae519c822c87

  • SSDEEP

    3072:BGLsImbWiEPUDB3utSIS/LV4amVDGVy2EF5PSyA1Rsi3NEU0lWwJx/ILM+mKxLx0:BnE+/LV4/uEXox0AwD/ILuKxLxM8tfq

Malware Config

Extracted

Family

gootkit

Botnet

2222

C2

lulz.oromiablog.com

lala.oromianews.com

lond24don13cap4ital.com

Attributes
  • vendor_id

    2222

Signatures

  • Gootkit

    Gootkit is a banking trojan, where large parts are written in node.JS.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1719cf1042e64bb5cef873edbd08c6f9d741e4747ab2e051a9cd8bcc43bc88ad.exe
    "C:\Users\Admin\AppData\Local\Temp\1719cf1042e64bb5cef873edbd08c6f9d741e4747ab2e051a9cd8bcc43bc88ad.exe"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Windows\SysWOW64\mstsc.exe
      C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\1719cf1042e64bb5cef873edbd08c6f9d741e4747ab2e051a9cd8bcc43bc88ad.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1696
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240545875.bat" "C:\Users\Admin\AppData\Local\Temp\1719cf1042e64bb5cef873edbd08c6f9d741e4747ab2e051a9cd8bcc43bc88ad.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4640
        • C:\Windows\SysWOW64\attrib.exe
          attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\1719cf1042e64bb5cef873edbd08c6f9d741e4747ab2e051a9cd8bcc43bc88ad.exe"
          4⤵
          • Views/modifies file attributes
          PID:4268

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\240545875.bat

    Filesize

    76B

    MD5

    45c0acd453343c9c8adb1861a839a259

    SHA1

    492ec48e17c1149bf78470d20633b49b494c04d0

    SHA256

    35b5005d20a6c58f7da171d822ad0e169d56112654a308f8ee17b1c7866be9d5

    SHA512

    040845980a3236034cd58807a3757a59ec396df1492877435451b30d015958b7f5afc7282cbf8efff0f5490d1cef8149cb06610e72bf58814024e9379f3b5cca

  • memory/1696-136-0x00000000012D0000-0x00000000012F0000-memory.dmp

    Filesize

    128KB

  • memory/2256-132-0x00000000026B0000-0x00000000026D6000-memory.dmp

    Filesize

    152KB

  • memory/2256-133-0x000000004E150000-0x000000004E1A5000-memory.dmp

    Filesize

    340KB