Malware Analysis Report

2024-11-15 08:48

Sample ID 220908-ptplmsbgck
Target 8-Sept-7962386133.zip
SHA256 3c14fbc117fc287a39d8af860552008d7d5ae5c31cb8acc69be448e04e117860
Tags gootloader loader
Score 10/10

Analysis Overview

Score 10/10

SHA256

3c14fbc117fc287a39d8af860552008d7d5ae5c31cb8acc69be448e04e117860

Threat Level: Known bad

The file 8-Sept-7962386133.zip was found to be: Known bad.

Malicious Activity Summary

gootloader loader

GootLoader

Blocklisted process makes network request

Script User-Agent

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-09-08 12:37

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-09-08 12:37

Reported

2022-09-08 12:42

Platform

win10v2004-20220812-en

Max time kernel

261s

Max time network

224s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\2426d4b21e5f3804a7bdd97d6d2eaa5d80874a32cbc8ccce846eaaf34ca033dc.js

Signatures

GootLoader

loader gootloader

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\2426d4b21e5f3804a7bdd97d6d2eaa5d80874a32cbc8ccce846eaaf34ca033dc.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 f.7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa udp
US 8.8.8.8:53 200.14.119.100.in-addr.arpa udp
GB 51.132.193.104:443 tcp
NL 87.248.202.1:80 tcp
NL 87.248.202.1:80 tcp
US 8.8.8.8:53 www.macromixenlinea.com udp
N/A 100.93.205.131:443 www.macromixenlinea.com tcp
US 8.8.8.8:53 www.lovlr.com udp
N/A 100.107.144.233:443 www.lovlr.com tcp
US 8.8.8.8:53 www.lukeamiller.net udp
N/A 100.75.145.91:443 www.lukeamiller.net tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2022-09-08 12:37

Reported

2022-09-08 12:42

Platform

win7-20220812-en

Max time kernel

203s

Max time network

207s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\75d8102c0b4ebfd0bce76198c2292ac5bf806772426c93039427a5102b8c188c.js

Signatures

GootLoader

loader gootloader

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\92A862854CBECB94F51CD71F036C165CBF654343 C:\Windows\system32\wscript.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\92A862854CBECB94F51CD71F036C165CBF654343\Blob = (certificate blob omitted) C:\Windows\system32\wscript.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\75d8102c0b4ebfd0bce76198c2292ac5bf806772426c93039427a5102b8c188c.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.macromixenlinea.com udp
N/A 100.110.17.117:443 www.macromixenlinea.com tcp
US 8.8.8.8:53 www.lovlr.com udp
N/A 100.115.102.69:443 www.lovlr.com tcp
US 8.8.8.8:53 www.lukeamiller.net udp
N/A 100.89.25.173:443 www.lukeamiller.net tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2022-09-08 12:37

Reported

2022-09-08 12:42

Platform

win10v2004-20220812-en

Max time kernel

221s

Max time network

183s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\75d8102c0b4ebfd0bce76198c2292ac5bf806772426c93039427a5102b8c188c.js

Signatures

GootLoader

loader gootloader

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\75d8102c0b4ebfd0bce76198c2292ac5bf806772426c93039427a5102b8c188c.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 86.197.112.100.in-addr.arpa udp
US 13.89.179.8:443 tcp
NL 87.248.202.1:80 tcp
US 8.8.8.8:53 www.macromixenlinea.com udp
N/A 100.71.66.220:443 www.macromixenlinea.com tcp
US 8.8.8.8:53 www.lovlr.com udp
N/A 100.95.22.38:443 www.lovlr.com tcp
US 8.8.8.8:53 www.lukeamiller.net udp
N/A 100.108.197.34:443 www.lukeamiller.net tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2022-09-08 12:37

Reported

2022-09-08 12:42

Platform

win7-20220812-en

Max time kernel

142s

Max time network

146s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\How_to_calculate_partnership_capital_account (zoe).js"

Signatures

GootLoader

loader gootloader

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\370A8E4D61C1A1844F5700E86A519520E84A7F73 C:\Windows\system32\wscript.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\370A8E4D61C1A1844F5700E86A519520E84A7F73\Blob = (certificate blob omitted) C:\Windows\system32\wscript.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\How_to_calculate_partnership_capital_account (zoe).js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.macromixenlinea.com udp
N/A 100.114.149.66:443 www.macromixenlinea.com tcp
US 8.8.8.8:53 www.lovlr.com udp
N/A 100.74.222.74:443 www.lovlr.com tcp
US 8.8.8.8:53 www.lukeamiller.net udp
N/A 100.66.96.112:443 www.lukeamiller.net tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2022-09-08 12:37

Reported

2022-09-08 12:42

Platform

win10v2004-20220901-en

Max time kernel

277s

Max time network

281s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\How_to_calculate_partnership_capital_account (zoe).js"

Signatures

GootLoader

loader gootloader

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\How_to_calculate_partnership_capital_account (zoe).js"

Network

Country Destination Domain Proto
US 52.182.141.63:443 tcp
FR 2.18.109.224:443 tcp
US 8.8.8.8:53 159.119.125.100.in-addr.arpa udp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 www.macromixenlinea.com udp
N/A 100.115.198.141:443 www.macromixenlinea.com tcp
US 8.8.8.8:53 www.lovlr.com udp
N/A 100.83.222.96:443 www.lovlr.com tcp
US 8.8.8.8:53 www.lukeamiller.net udp
N/A 100.85.94.95:443 www.lukeamiller.net tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-08 12:37

Reported

2022-09-08 12:42

Platform

win7-20220812-en

Max time kernel

148s

Max time network

151s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\2426d4b21e5f3804a7bdd97d6d2eaa5d80874a32cbc8ccce846eaaf34ca033dc.js

Signatures

GootLoader

loader gootloader

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\2626A499E65E77E8C58D13A98D2A37C8CA136150 C:\Windows\system32\wscript.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\2626A499E65E77E8C58D13A98D2A37C8CA136150\Blob = (certificate blob omitted) C:\Windows\system32\wscript.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\2426d4b21e5f3804a7bdd97d6d2eaa5d80874a32cbc8ccce846eaaf34ca033dc.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.macromixenlinea.com udp
N/A 100.98.28.238:443 www.macromixenlinea.com tcp
US 8.8.8.8:53 www.lovlr.com udp
N/A 100.90.223.234:443 www.lovlr.com tcp
US 8.8.8.8:53 www.lukeamiller.net udp
N/A 100.96.30.153:443 www.lukeamiller.net tcp

Files

N/A