gootkit | 4d0396d7923a7bdccac984adf6c725b44ae58e1418daa81d9fd01fcbb658b4e5

Analysis

max time kernel
16s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-01-2023 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d0396d7923a7bdccac984adf6c725b44ae58e1418daa81d9fd01fcbb658b4e5.exe
Size

286KB
MD5

9ed5d21bbfac7db5c250ad6d15e59d57
SHA1

72ff57e684208d64542968f64203bed304522379
SHA256

4d0396d7923a7bdccac984adf6c725b44ae58e1418daa81d9fd01fcbb658b4e5
SHA512

953ee514e9b558c1dc2212914949e5461bce76ac1bade5ece14540a697b23ed452f4f0aba16c7a2e11278f6e88095f1c3a976e9f2c9b4c69f550fe8373971db3
SSDEEP

6144:K0gxemAEsSJ0p5oZWVwQo6LfGoUaPCyUG1sefgWsV1KC:K711Op5oIVwQo69H52eoWsVr

Score

10^/10

gootkit 6546 banker botnet trojan

Malware Config

Extracted

Family

gootkit

Botnet

6546

servicemanager.icu

partnerservice.xyz

Attributes

vendor_id
6546

Signatures

Gootkit
Gootkit is a banking trojan, where large parts are written in node.JS.
trojan banker botnet gootkit

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4d0396d7923a7bdccac984adf6c725b44ae58e1418daa81d9fd01fcbb658b4e5.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4d0396d7923a7bdccac984adf6c725b44ae58e1418daa81d9fd01fcbb658b4e5.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

768 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
768	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

4d0396d7923a7bdccac984adf6c725b44ae58e1418daa81d9fd01fcbb658b4e5.execmd.exe

description	pid	process	target process
PID 944 wrote to memory of 768	944	4d0396d7923a7bdccac984adf6c725b44ae58e1418daa81d9fd01fcbb658b4e5.exe	cmd.exe
PID 944 wrote to memory of 768	944	4d0396d7923a7bdccac984adf6c725b44ae58e1418daa81d9fd01fcbb658b4e5.exe	cmd.exe
PID 944 wrote to memory of 768	944	4d0396d7923a7bdccac984adf6c725b44ae58e1418daa81d9fd01fcbb658b4e5.exe	cmd.exe
PID 944 wrote to memory of 768	944	4d0396d7923a7bdccac984adf6c725b44ae58e1418daa81d9fd01fcbb658b4e5.exe	cmd.exe
PID 768 wrote to memory of 268	768	cmd.exe	attrib.exe
PID 768 wrote to memory of 268	768	cmd.exe	attrib.exe
PID 768 wrote to memory of 268	768	cmd.exe	attrib.exe
PID 768 wrote to memory of 268	768	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

268 attrib.exe

pid	process
268	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4d0396d7923a7bdccac984adf6c725b44ae58e1418daa81d9fd01fcbb658b4e5.exe
"C:\Users\Admin\AppData\Local\Temp\4d0396d7923a7bdccac984adf6c725b44ae58e1418daa81d9fd01fcbb658b4e5.exe"
1⤵
- Checks BIOS information in registry
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7130883.bat" "C:\Users\Admin\AppData\Local\Temp\4d0396d7923a7bdccac984adf6c725b44ae58e1418daa81d9fd01fcbb658b4e5.exe""
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\SysWOW64\attrib.exe
attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\4d0396d7923a7bdccac984adf6c725b44ae58e1418daa81d9fd01fcbb658b4e5.exe"
3⤵
- Views/modifies file attributes
PID:268

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7130883.bat
Filesize
72B

MD5
2134c182a4574a40233f2e387f61241f

SHA1
76b11c17fd6e60e2137fa8c90202a8bd08492274

SHA256
8e2dfc4ae892f2d3c543cb5d7361b1bb3654e1d05b91c23dccd4e699a7b84fda

SHA512
d1911f4db76ee5f5642dbf2a2d7abb8c3e37ed27cbc7f47781c889e0e72559d1c5e8f2430db285aeea01bf5abdd51c73f06809e996066dfe7f7f3e4258d4c625

Download Submit
memory/268-59-0x0000000000000000-mapping.dmp

Download
memory/768-55-0x0000000000000000-mapping.dmp

Download
memory/944-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/944-56-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/944-57-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download