Analysis Overview
SHA256
5d17a080294b9ccfb21bccce5b95aee10adabd0467ce54d911b75897945c666f
Threat Level: Known bad
The file Vancouver_police_union_collective_agreement (gsc).js was found to be: Known bad.
Malicious Activity Summary
GootLoader
Blocklisted process makes network request
Script User-Agent
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-08-15 14:15
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-08-15 14:15
Reported
2022-08-15 14:21
Platform
win7-20220812-en
Max time kernel
184s
Max time network
189s
Command Line
Signatures
GootLoader
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BDE7456F5C07980167D7BD31779FBDF1E4EB25C1\Blob | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BDE7456F5C07980167D7BD31779FBDF1E4EB25C1 | C:\Windows\system32\wscript.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Vancouver_police_union_collective_agreement (gsc).js"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.lukeamiller.net | udp |
| N/A | 100.100.25.226:443 | www.lukeamiller.net | tcp |
| US | 8.8.8.8:53 | www.luckies.cc | udp |
| N/A | 100.124.142.250:443 | www.luckies.cc | tcp |
| US | 8.8.8.8:53 | www.ludovicmarque.fr | udp |
| N/A | 100.82.243.193:443 | www.ludovicmarque.fr | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-08-15 14:15
Reported
2022-08-15 14:21
Platform
win10v2004-20220812-en
Max time kernel
174s
Max time network
178s
Command Line
Signatures
GootLoader
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Vancouver_police_union_collective_agreement (gsc).js"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 93.184.220.29:80 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| NL | 104.80.225.205:443 | N/A | tcp |
| IE | 13.69.239.73:443 | N/A | tcp |
| US | 8.8.8.8:53 | www.lukeamiller.net | udp |
| N/A | 100.97.161.106:443 | www.lukeamiller.net | tcp |
| US | 8.8.8.8:53 | www.luckies.cc | udp |
| N/A | 100.89.181.116:443 | www.luckies.cc | tcp |
| US | 8.8.8.8:53 | www.ludovicmarque.fr | udp |
| N/A | 100.72.6.68:443 | www.ludovicmarque.fr | tcp |