gootkit | f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e

Analysis

max time kernel
41s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-01-2023 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe
Size

286KB
MD5

2ea0561bb3cdae9cf682703de2933a43
SHA1

827696cf98926dea8bfde038de228b7778d0ff56
SHA256

f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e
SHA512

e6fac7e489e967cb2174016e3236b0acfe60625b8286bc35dd35c0c5cd5716b284891f68033b05b211380dd135aabd93ff25e18ed8ddeb0c536e29bbc7f92cdb
SSDEEP

6144:FBeVV56G+JCBe35SVPilxd50wX2n9RzozaFCu6/u3W:FBgVNPwdR2oOkuku3W

Score

10^/10

gootkit 6546 banker botnet trojan

Malware Config

Extracted

Family

gootkit

Botnet

6546

servicemanager.icu

partnerservice.xyz

Attributes

vendor_id
6546

Signatures

Gootkit
Gootkit is a banking trojan, where large parts are written in node.JS.
trojan banker botnet gootkit

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1352 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1352	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.execmd.exe

description	pid	process	target process
PID 1636 wrote to memory of 1352	1636	f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe	cmd.exe
PID 1636 wrote to memory of 1352	1636	f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe	cmd.exe
PID 1636 wrote to memory of 1352	1636	f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe	cmd.exe
PID 1636 wrote to memory of 1352	1636	f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe	cmd.exe
PID 1352 wrote to memory of 952	1352	cmd.exe	attrib.exe
PID 1352 wrote to memory of 952	1352	cmd.exe	attrib.exe
PID 1352 wrote to memory of 952	1352	cmd.exe	attrib.exe
PID 1352 wrote to memory of 952	1352	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

952 attrib.exe

pid	process
952	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe
"C:\Users\Admin\AppData\Local\Temp\f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe"
1⤵
- Checks BIOS information in registry
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7076876.bat" "C:\Users\Admin\AppData\Local\Temp\f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe"
    3⤵
    - Views/modifies file attributes
    PID:952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7076876.bat

Filesize
72B

MD5
7dc5cd6c3a9e7b5a1e51cf7e6a8a2e68

SHA1
125b2d5a82e1cedcb03f187f75794ae55e7df617

SHA256
3227f23f12b2ae5b620cbe398976c865a8f0eae1c453a2fc8d3aac1e5c12c90c

SHA512
f280b22bd64bab9bf11b489f96b8fff2196f09aca855a3e61803fe75c5aa31c7e759d5aa9c9a243f84df04685e858280695a324d2668b396b9ebdf22a0e01098

Download Submit
memory/952-59-0x0000000000000000-mapping.dmp

Download
memory/1352-55-0x0000000000000000-mapping.dmp

Download
memory/1636-54-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1636-56-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download
memory/1636-57-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download