gootkit | f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e

Analysis

max time kernel
90s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2023 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe
Size

286KB
MD5

2ea0561bb3cdae9cf682703de2933a43
SHA1

827696cf98926dea8bfde038de228b7778d0ff56
SHA256

f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e
SHA512

e6fac7e489e967cb2174016e3236b0acfe60625b8286bc35dd35c0c5cd5716b284891f68033b05b211380dd135aabd93ff25e18ed8ddeb0c536e29bbc7f92cdb
SSDEEP

6144:FBeVV56G+JCBe35SVPilxd50wX2n9RzozaFCu6/u3W:FBgVNPwdR2oOkuku3W

Score

10^/10

gootkit 6546 banker botnet trojan

Malware Config

Extracted

Family

gootkit

Botnet

6546

servicemanager.icu

partnerservice.xyz

Attributes

vendor_id
6546

Signatures

Gootkit
Gootkit is a banking trojan, where large parts are written in node.JS.
trojan banker botnet gootkit

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.execmd.exe

description	pid	process	target process
PID 4848 wrote to memory of 3320	4848	f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe	cmd.exe
PID 4848 wrote to memory of 3320	4848	f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe	cmd.exe
PID 4848 wrote to memory of 3320	4848	f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe	cmd.exe
PID 3320 wrote to memory of 540	3320	cmd.exe	attrib.exe
PID 3320 wrote to memory of 540	3320	cmd.exe	attrib.exe
PID 3320 wrote to memory of 540	3320	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

540 attrib.exe

pid	process
540	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe
"C:\Users\Admin\AppData\Local\Temp\f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240563765.bat" "C:\Users\Admin\AppData\Local\Temp\f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe"
    3⤵
    - Views/modifies file attributes
    PID:540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240563765.bat

Filesize
76B

MD5
20b700c306f996b9811d9318d99801e9

SHA1
6b847779cfd2f1176ec20b6a75b1c85ca867ea4f

SHA256
d18c82b8b6bec1e035837083748193d4eb07a76e4c8f19684087fc812336ac9f

SHA512
b49383cbd3e324e1ab3b5b1aadd5daadc7d9bfc7ea5fc7176b58b5baaf7777687f43072ea510fee5f4dcd427d0e2768a92a229d3e933c91f37bcc00b1a55efb1

Download Submit
memory/540-136-0x0000000000000000-mapping.dmp

Download
memory/3320-134-0x0000000000000000-mapping.dmp

Download
memory/4848-132-0x00000000004D0000-0x00000000004D3000-memory.dmp

Filesize
12KB

Download
memory/4848-133-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download