Malware Analysis Report

2024-11-15 08:48

Sample ID 220907-c685laahe3
Target Bws agreement 2020 (52386).zip.7z
SHA256 40de705a10469be373a15ef6ea0a0c8d3ac6aba2e0467ecf19d46fea97c2ce87
Tags
gootloader loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

40de705a10469be373a15ef6ea0a0c8d3ac6aba2e0467ecf19d46fea97c2ce87

Threat Level: Known bad

The file Bws agreement 2020 (52386).zip.7z was found to be: Known bad.

Malicious Activity Summary

gootloader loader

GootLoader

Blocklisted process makes network request

Script User-Agent

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-09-07 02:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-07 02:42

Reported

2022-09-07 03:02

Platform

win10-20220812-en

Max time kernel

374s

Max time network

870s

Command Line

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Bws agreement 2020 (52386).zip"

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Bws agreement 2020 (52386).zip"

Network

Country Destination Domain Proto
JP 13.78.111.198:443 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-09-07 02:42

Reported

2022-09-07 03:02

Platform

win10-20220812-en

Max time kernel

446s

Max time network

881s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Bws_agreement_2020 (cff).js"

Signatures

GootLoader

loader gootloader

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Bws_agreement_2020 (cff).js"

Network

Country Destination Domain Proto
US 13.89.178.26:443 tcp
US 8.8.8.8:53 www.lovlr.com udp
DK 77.111.240.6:443 www.lovlr.com tcp
US 8.8.8.8:53 www.lukeamiller.net udp
US 69.163.163.127:443 www.lukeamiller.net tcp

Files

N/A