Analysis

  • max time kernel
    90s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2023 17:42

General

  • Target

    f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe

  • Size

    286KB

  • MD5

    2ea0561bb3cdae9cf682703de2933a43

  • SHA1

    827696cf98926dea8bfde038de228b7778d0ff56

  • SHA256

    f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e

  • SHA512

    e6fac7e489e967cb2174016e3236b0acfe60625b8286bc35dd35c0c5cd5716b284891f68033b05b211380dd135aabd93ff25e18ed8ddeb0c536e29bbc7f92cdb

  • SSDEEP

    6144:FBeVV56G+JCBe35SVPilxd50wX2n9RzozaFCu6/u3W:FBgVNPwdR2oOkuku3W

Malware Config

Extracted

Family

gootkit

Botnet

6546

C2

servicemanager.icu

partnerservice.xyz

Attributes
  • vendor_id

    6546

Signatures

  • Gootkit

    Gootkit is a banking trojan, where large parts are written in node.JS.

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 6 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe
    "C:\Users\Admin\AppData\Local\Temp\f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4848
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240563765.bat" "C:\Users\Admin\AppData\Local\Temp\f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3320
      • C:\Windows\SysWOW64\attrib.exe
        attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe"
        3⤵
        • Views/modifies file attributes
        PID:540

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\240563765.bat

    Filesize

    76B

    MD5

    20b700c306f996b9811d9318d99801e9

    SHA1

    6b847779cfd2f1176ec20b6a75b1c85ca867ea4f

    SHA256

    d18c82b8b6bec1e035837083748193d4eb07a76e4c8f19684087fc812336ac9f

    SHA512

    b49383cbd3e324e1ab3b5b1aadd5daadc7d9bfc7ea5fc7176b58b5baaf7777687f43072ea510fee5f4dcd427d0e2768a92a229d3e933c91f37bcc00b1a55efb1

  • memory/4848-132-0x00000000004D0000-0x00000000004D3000-memory.dmp

    Filesize

    12KB

  • memory/4848-133-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB