Analysis Overview
SHA256
40de705a10469be373a15ef6ea0a0c8d3ac6aba2e0467ecf19d46fea97c2ce87
Threat Level: Known bad
The file Bws agreement 2020 (52386).zip.7z was found to be: Known bad.
Malicious Activity Summary
GootLoader
Blocklisted process makes network request
Script User-Agent
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-09-07 02:42
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-09-07 02:42
Reported
2022-09-07 03:02
Platform
win10-20220812-en
Max time kernel
374s
Max time network
870s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Bws agreement 2020 (52386).zip"
Network
| Country | Destination | Domain | Proto |
| JP | 13.78.111.198:443 | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-09-07 02:42
Reported
2022-09-07 03:02
Platform
win10-20220812-en
Max time kernel
446s
Max time network
881s
Command Line
Signatures
GootLoader
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Bws_agreement_2020 (cff).js"
Network
| Country | Destination | Domain | Proto |
| US | 13.89.178.26:443 | tcp | |
| US | 8.8.8.8:53 | www.lovlr.com | udp |
| DK | 77.111.240.6:443 | www.lovlr.com | tcp |
| US | 8.8.8.8:53 | www.lukeamiller.net | udp |
| US | 69.163.163.127:443 | www.lukeamiller.net | tcp |