gootkit | 4d0396d7923a7bdccac984adf6c725b44ae58e1418daa81d9fd01fcbb658b4e5

Analysis

max time kernel
69s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2023 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d0396d7923a7bdccac984adf6c725b44ae58e1418daa81d9fd01fcbb658b4e5.exe
Size

286KB
MD5

9ed5d21bbfac7db5c250ad6d15e59d57
SHA1

72ff57e684208d64542968f64203bed304522379
SHA256

4d0396d7923a7bdccac984adf6c725b44ae58e1418daa81d9fd01fcbb658b4e5
SHA512

953ee514e9b558c1dc2212914949e5461bce76ac1bade5ece14540a697b23ed452f4f0aba16c7a2e11278f6e88095f1c3a976e9f2c9b4c69f550fe8373971db3
SSDEEP

6144:K0gxemAEsSJ0p5oZWVwQo6LfGoUaPCyUG1sefgWsV1KC:K711Op5oIVwQo69H52eoWsVr

Score

10^/10

gootkit 6546 banker botnet trojan

Malware Config

Extracted

Family

gootkit

Botnet

6546

servicemanager.icu

partnerservice.xyz

Attributes

vendor_id
6546

Signatures

Gootkit
Gootkit is a banking trojan, where large parts are written in node.JS.
trojan banker botnet gootkit

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4d0396d7923a7bdccac984adf6c725b44ae58e1418daa81d9fd01fcbb658b4e5.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4d0396d7923a7bdccac984adf6c725b44ae58e1418daa81d9fd01fcbb658b4e5.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4d0396d7923a7bdccac984adf6c725b44ae58e1418daa81d9fd01fcbb658b4e5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	4d0396d7923a7bdccac984adf6c725b44ae58e1418daa81d9fd01fcbb658b4e5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4d0396d7923a7bdccac984adf6c725b44ae58e1418daa81d9fd01fcbb658b4e5.execmd.exe

description	pid	process	target process
PID 4348 wrote to memory of 1756	4348	4d0396d7923a7bdccac984adf6c725b44ae58e1418daa81d9fd01fcbb658b4e5.exe	cmd.exe
PID 4348 wrote to memory of 1756	4348	4d0396d7923a7bdccac984adf6c725b44ae58e1418daa81d9fd01fcbb658b4e5.exe	cmd.exe
PID 4348 wrote to memory of 1756	4348	4d0396d7923a7bdccac984adf6c725b44ae58e1418daa81d9fd01fcbb658b4e5.exe	cmd.exe
PID 1756 wrote to memory of 804	1756	cmd.exe	attrib.exe
PID 1756 wrote to memory of 804	1756	cmd.exe	attrib.exe
PID 1756 wrote to memory of 804	1756	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

804 attrib.exe

pid	process
804	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4d0396d7923a7bdccac984adf6c725b44ae58e1418daa81d9fd01fcbb658b4e5.exe
"C:\Users\Admin\AppData\Local\Temp\4d0396d7923a7bdccac984adf6c725b44ae58e1418daa81d9fd01fcbb658b4e5.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240574828.bat" "C:\Users\Admin\AppData\Local\Temp\4d0396d7923a7bdccac984adf6c725b44ae58e1418daa81d9fd01fcbb658b4e5.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\4d0396d7923a7bdccac984adf6c725b44ae58e1418daa81d9fd01fcbb658b4e5.exe"
    3⤵
    - Views/modifies file attributes
    PID:804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240574828.bat

Filesize
76B

MD5
946a590fd9252ff9a7b7ca292faf26e9

SHA1
33d6191d0be5f1aca09524fc7d26a4854e868973

SHA256
7f943378990d7ab575c6c82d34f17d9e28831efbab663ab704805f338db2787a

SHA512
a2c6fd8cae4488859e216df0a4575ec0fceaf604ae5000108d02d17d77434460d22d32897010707f02e22950b3f6fe14063cbf44483040eff539484422abdf0c

Download Submit
memory/804-136-0x0000000000000000-mapping.dmp

Download
memory/1756-132-0x0000000000000000-mapping.dmp

Download
memory/4348-133-0x00000000005D0000-0x00000000005D3000-memory.dmp

Filesize
12KB

Download
memory/4348-134-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download