Malware Analysis Report

2024-11-30 20:56

Sample ID 220811-q48myafhhm
Target 11-Aug-7879906125.zip
SHA256 1b9848aaef114b13d9248f0f476466342967cc87e52c4f96fdaeb5566d1b6f30
Tags: gootloader, loader
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 1b9848aaef114b13d9248f0f476466342967cc87e52c4f96fdaeb5566d1b6f30

Threat Level: Known bad

The file 11-Aug-7879906125.zip was found to be: Known bad.

Malicious Activity Summary

gootloader loader

GootLoader

Blocklisted process makes network request

Program crash

Script User-Agent

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2022-08-11 13:50

Signatures

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2022-08-11 13:50
Reported: 2022-08-11 13:55
Platform: win10v2004-20220721-en
Max time kernel: 199s
Max time network: 204s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\cdbf36ebbb9b7246831efa07263eed70b83e8d2c3374b4966474a9a70a3f43a3.js

Signatures

GootLoader

loader gootloader

Blocklisted process makes network request

Description | Indicator | Process                         | Target
N/A         | N/A       | C:\Windows\system32\wscript.exe | N/A
N/A         | N/A       | C:\Windows\system32\wscript.exe | N/A
N/A         | N/A       | C:\Windows\system32\wscript.exe | N/A

Script User-Agent

Description            | Indicator                                                 | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A     | N/A
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A     | N/A
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A     | N/A

Processes

C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\cdbf36ebbb9b7246831efa07263eed70b83e8d2c3374b4966474a9a70a3f43a3.js

Network

Country | Destination        | Domain                          | Proto
NL      | 88.221.144.192:80  |                                 | tcp
NL      | 88.221.144.192:80  |                                 | tcp
US      | 8.8.8.8:53         | 189.133.65.100.in-addr.arpa     | udp
IE      | 20.50.80.209:443   |                                 | tcp
FR      | 2.18.109.224:443   |                                 | tcp
US      | 93.184.221.240:80  |                                 | tcp
US      | 8.8.8.8:53         | www.ludovicmarque.fr            | udp
N/A     | 100.81.31.7:443    | www.ludovicmarque.fr            | tcp
US      | 8.8.8.8:53         | www.lucianofranz.it             | udp
N/A     | 100.95.254.171:443 | www.lucianofranz.it             | tcp
US      | 8.8.8.8:53         | www.leichtathletik-igersheim.de | udp
N/A     | 100.69.102.222:443 | www.leichtathletik-igersheim.de | tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-08-11 13:50
Reported: 2022-08-11 13:55
Platform: win10v2004-20220721-en
Max time kernel: 250s
Max time network: 259s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Freddie_mac_private_road_maintenance_agreement (gqj).js"

Signatures

GootLoader

loader gootloader

Blocklisted process makes network request

Description | Indicator | Process                         | Target
N/A         | N/A       | C:\Windows\system32\wscript.exe | N/A
N/A         | N/A       | C:\Windows\system32\wscript.exe | N/A
N/A         | N/A       | C:\Windows\system32\wscript.exe | N/A

Program crash

Description | Indicator | Process                          | Target
N/A         | N/A       | C:\Windows\system32\WerFault.exe |

Script User-Agent

Description            | Indicator                                                 | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A     | N/A
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A     | N/A
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A     | N/A

Processes

C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Freddie_mac_private_road_maintenance_agreement (gqj).js"

C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 484 -p 4424 -ip 4424

C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 4424 -s 2476

Network

Country | Destination        | Domain                      | Proto
US      | 8.8.8.8:53         | 167.85.102.100.in-addr.arpa | udp
AU      | 104.46.162.226:443 |                             | tcp
FR      | 2.18.109.224:443   |                             | tcp
US      | 8.8.8.8:53         | www.luftbild-chemnitz.de    | udp
N/A     | 100.120.89.24:443  | www.luftbild-chemnitz.de    | tcp
US      | 8.8.8.8:53         | www.ludovicmarque.fr        | udp
N/A     | 100.86.46.94:443   | www.ludovicmarque.fr        | tcp
US      | 8.8.8.8:53         | www.lucianofranz.it         | udp
N/A     | 100.117.136.87:443 | www.lucianofranz.it         | tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2022-08-11 13:50
Reported: 2022-08-11 13:55
Platform: win10v2004-20220721-en
Max time kernel: 210s
Max time network: 214s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\c56f28cfa52beba254f1063b7354ab24a2122912721734a5f4ac16ce16e236c7.js

Signatures

GootLoader

loader gootloader

Blocklisted process makes network request

Description | Indicator | Process                         | Target
N/A         | N/A       | C:\Windows\system32\wscript.exe | N/A
N/A         | N/A       | C:\Windows\system32\wscript.exe | N/A
N/A         | N/A       | C:\Windows\system32\wscript.exe | N/A

Script User-Agent

Description            | Indicator                                                 | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A     | N/A
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A     | N/A
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A     | N/A

Processes

C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\c56f28cfa52beba254f1063b7354ab24a2122912721734a5f4ac16ce16e236c7.js

Network

Country | Destination       | Domain                          | Proto
US      | 93.184.221.240:80 |                                 | tcp
US      | 8.8.8.8:53        | 27.178.123.100.in-addr.arpa     | udp
NL      | 13.69.116.104:443 |                                 | tcp
US      | 93.184.221.240:80 |                                 | tcp
US      | 93.184.221.240:80 |                                 | tcp
US      | 93.184.221.240:80 |                                 | tcp
US      | 8.8.8.8:53        | www.ludovicmarque.fr            | udp
N/A     | 100.95.83.177:443 | www.ludovicmarque.fr            | tcp
US      | 8.8.8.8:53        | www.lucianofranz.it             | udp
N/A     | 100.84.222.92:443 | www.lucianofranz.it             | tcp
US      | 8.8.8.8:53        | www.leichtathletik-igersheim.de | udp
N/A     | 100.88.197.67:443 | www.leichtathletik-igersheim.de | tcp

Files

N/A