Analysis

  • max time kernel
    41s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    29-01-2023 17:42

General

  • Target

    f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe

  • Size

    286KB

  • MD5

    2ea0561bb3cdae9cf682703de2933a43

  • SHA1

    827696cf98926dea8bfde038de228b7778d0ff56

  • SHA256

    f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e

  • SHA512

    e6fac7e489e967cb2174016e3236b0acfe60625b8286bc35dd35c0c5cd5716b284891f68033b05b211380dd135aabd93ff25e18ed8ddeb0c536e29bbc7f92cdb

  • SSDEEP

    6144:FBeVV56G+JCBe35SVPilxd50wX2n9RzozaFCu6/u3W:FBgVNPwdR2oOkuku3W

Malware Config

Extracted

Family

gootkit

Botnet

6546

C2

servicemanager.icu

partnerservice.xyz

Attributes
  • vendor_id

    6546

Signatures

  • Gootkit

    Gootkit is a banking trojan, where large parts are written in node.JS.

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 8 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe
    "C:\Users\Admin\AppData\Local\Temp\f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe"
    1⤵
    • Checks BIOS information in registry
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\7076876.bat" "C:\Users\Admin\AppData\Local\Temp\f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1352
      • C:\Windows\SysWOW64\attrib.exe
        attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe"
        3⤵
        • Views/modifies file attributes
        PID:952

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7076876.bat

    Filesize

    72B

    MD5

    7dc5cd6c3a9e7b5a1e51cf7e6a8a2e68

    SHA1

    125b2d5a82e1cedcb03f187f75794ae55e7df617

    SHA256

    3227f23f12b2ae5b620cbe398976c865a8f0eae1c453a2fc8d3aac1e5c12c90c

    SHA512

    f280b22bd64bab9bf11b489f96b8fff2196f09aca855a3e61803fe75c5aa31c7e759d5aa9c9a243f84df04685e858280695a324d2668b396b9ebdf22a0e01098

  • memory/1636-54-0x0000000075071000-0x0000000075073000-memory.dmp

    Filesize

    8KB

  • memory/1636-56-0x0000000000260000-0x0000000000263000-memory.dmp

    Filesize

    12KB

  • memory/1636-57-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB