Analysis
-
max time kernel
142s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
08-09-2022 12:37
Static task
static1
Behavioral task
behavioral1
Sample
2426d4b21e5f3804a7bdd97d6d2eaa5d80874a32cbc8ccce846eaaf34ca033dc.js
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
2426d4b21e5f3804a7bdd97d6d2eaa5d80874a32cbc8ccce846eaaf34ca033dc.js
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
75d8102c0b4ebfd0bce76198c2292ac5bf806772426c93039427a5102b8c188c.js
Resource
win7-20220812-en
Behavioral task
behavioral4
Sample
75d8102c0b4ebfd0bce76198c2292ac5bf806772426c93039427a5102b8c188c.js
Resource
win10v2004-20220812-en
Behavioral task
behavioral5
Sample
How_to_calculate_partnership_capital_account (zoe).js
Resource
win7-20220812-en
Behavioral task
behavioral6
Sample
How_to_calculate_partnership_capital_account (zoe).js
Resource
win10v2004-20220901-en
General
-
Target
How_to_calculate_partnership_capital_account (zoe).js
-
Size
483KB
-
MD5
5e54370bed87473308b7ec0935a36337
-
SHA1
fdbd250b7b64e23838cf7c14e35ce3fa6e4802af
-
SHA256
2426d4b21e5f3804a7bdd97d6d2eaa5d80874a32cbc8ccce846eaaf34ca033dc
-
SHA512
b06615e26cce40ac7f84c813694cfce62407d37348b7584c0985fdd795b4b6851008341241551a0bb9f6badd84f8bdf14eb064eba487d25dada6b74f7c30bffe
-
SSDEEP
6144:AoQpXS3ulaxl4HhEfD3rgA7Viagmd4iLAmWR6TSd:AiOhEfD38Siagmd4iLAmWR66
Malware Config
Signatures
-
GootLoader
JavaScript loader known for delivering other malware families such as Gootkit and Cobalt Strike.
-
Blocklisted process makes network request 3 IoCs
Processes:
wscript.exe — flow / pid / process: flow 3, pid 928, wscript.exe; flow 5, pid 928, wscript.exe; flow 7, pid 928, wscript.exe -
Processes:
wscript.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\370A8E4D61C1A1844F5700E86A519520E84A7F73 wscript.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\370A8E4D61C1A1844F5700E86A519520E84A7F73\Blob = 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 wscript.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\370A8E4D61C1A1844F5700E86A519520E84A7F73\Blob = 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 wscript.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\370A8E4D61C1A1844F5700E86A519520E84A7F73\Blob = 0400000001000000100000000fae4a0da6a3e2463b7f4d11d8bd49370f00000001000000200000008624090cc05d981e3ccae5af439d5888468b4b072cbf3a75071e0a1bf70cafc4030000000100000014000000370a8e4d61c1a1844f5700e86a519520e84a7f7314000000010000001400000020200b52a941afc9c8f8ed4af91f16f546191a8f2000000001000000f9020000308202f5308201dda0030201020210524f112198560198b377baa7c1116839300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3232303832333133303030305a170d3237303832323133303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100a47e4105d1b4ac112ed8cd21e7937329706277e4cde8fa4426e392dd064c91b773022dd691c7826f3608bd174dcda48e926b8c0e2321b585d896e396f95beeb79ccb2c59a5f1cbef24c0aebdb8a1460a03e134772399c5eca1a5ca6bedd2cad58ea2d9eff4e0fe5ac55a26573ca7c3ac5b8c39f09ab3f9d1518a917a3f08ddc106df862cd1afae14dfd2e7722437832ff88bca57d1209bcfde4c7fd1e336ab595c33d1f5b551e5d3d9bb668d84274d7179cfb68a8732d13c2a712804b75e7128304657f9eeaf70fd61b93c56af1c87b6fa078ead43340da255442070d0d58ce4ba80f3641ae394eac156f76c9b264b12da667d5ca218faa0074870447082ebcb0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e0416041420200b52a941afc9c8f8ed4af91f16f546191a8f300d06092a8
64886f70d01010b0500038201010015691fc233854166b4c7b104a8b1fd45589d88db9cca3afc61c094170616f062739765013ea1efad834bd14331ef553818ce4f213d1cd28a575e23730d73c5d5f8d5e0042d334602279103facb0b60847f2d534402cf0dee1a5a9337dc5029b3f9b059301f5d683f70899acff092c68526fef17d2137a4cf6822c9c1eea87a8ecb6cb83352a03a5f1bb14e11afabd60e3b92f6b1a82590528f4cf5a3a0abec39f16800f376dcc9cfed1f71792af9e5fbcae094f356ef703a1cee9d300a6b6b7ec32a07ed7353af088ffb5021c2cb4ba4773deef0697aeaec0c2b1b5b79d35559cb2bb631bd10001a2a3a26803a05e22e17a9ca5974d4e22db4adf5adb1005708 wscript.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\370A8E4D61C1A1844F5700E86A519520E84A7F73\Blob = 19000000010000001000000069809c105538bdbc392da857a453d72714000000010000001400000020200b52a941afc9c8f8ed4af91f16f546191a8f030000000100000014000000370a8e4d61c1a1844f5700e86a519520e84a7f730f00000001000000200000008624090cc05d981e3ccae5af439d5888468b4b072cbf3a75071e0a1bf70cafc40400000001000000100000000fae4a0da6a3e2463b7f4d11d8bd49372000000001000000f9020000308202f5308201dda0030201020210524f112198560198b377baa7c1116839300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3232303832333133303030305a170d3237303832323133303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100a47e4105d1b4ac112ed8cd21e7937329706277e4cde8fa4426e392dd064c91b773022dd691c7826f3608bd174dcda48e926b8c0e2321b585d896e396f95beeb79ccb2c59a5f1cbef24c0aebdb8a1460a03e134772399c5eca1a5ca6bedd2cad58ea2d9eff4e0fe5ac55a26573ca7c3ac5b8c39f09ab3f9d1518a917a3f08ddc106df862cd1afae14dfd2e7722437832ff88bca57d1209bcfde4c7fd1e336ab595c33d1f5b551e5d3d9bb668d84274d7179cfb68a8732d13c2a712804b75e7128304657f9eeaf70fd61b93c56af1c87b6fa078ead43340da255442070d0d58ce4ba80f3641ae394eac156f76c9b264b12da667d5ca218faa0074870447082ebcb0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e0416041420200b52a941afc9c8f8ed4af
91f16f546191a8f300d06092a864886f70d01010b0500038201010015691fc233854166b4c7b104a8b1fd45589d88db9cca3afc61c094170616f062739765013ea1efad834bd14331ef553818ce4f213d1cd28a575e23730d73c5d5f8d5e0042d334602279103facb0b60847f2d534402cf0dee1a5a9337dc5029b3f9b059301f5d683f70899acff092c68526fef17d2137a4cf6822c9c1eea87a8ecb6cb83352a03a5f1bb14e11afabd60e3b92f6b1a82590528f4cf5a3a0abec39f16800f376dcc9cfed1f71792af9e5fbcae094f356ef703a1cee9d300a6b6b7ec32a07ed7353af088ffb5021c2cb4ba4773deef0697aeaec0c2b1b5b79d35559cb2bb631bd10001a2a3a26803a05e22e17a9ca5974d4e22db4adf5adb1005708 wscript.exe -
Script User-Agent 3 IoCs
Uses a user-agent string associated with a script host/environment.
Processes:
description / flow / ioc: HTTP User-Agent header, flow 3, Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5); HTTP User-Agent header, flow 5, Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5); HTTP User-Agent header, flow 7, Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)