Analysis Overview
SHA256: 3c14fbc117fc287a39d8af860552008d7d5ae5c31cb8acc69be448e04e117860
Threat Level: Known bad
The file 8-Sept-7962386133.zip was found to be: Known bad.
Malicious Activity Summary
GootLoader
Blocklisted process makes network request
Script User-Agent
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2022-09-08 12:37
Signatures
Analysis: behavioral2
Detonation Overview
Submitted: 2022-09-08 12:37
Reported: 2022-09-08 12:42
Platform: win10v2004-20220812-en
Max time kernel: 261s
Max time network: 224s
Command Line
Signatures
GootLoader
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\2426d4b21e5f3804a7bdd97d6d2eaa5d80874a32cbc8ccce846eaaf34ca033dc.js
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | f.7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
| US | 8.8.8.8:53 | 200.14.119.100.in-addr.arpa | udp |
| GB | 51.132.193.104:443 | | tcp |
| NL | 87.248.202.1:80 | | tcp |
| NL | 87.248.202.1:80 | | tcp |
| US | 8.8.8.8:53 | www.macromixenlinea.com | udp |
| N/A | 100.93.205.131:443 | www.macromixenlinea.com | tcp |
| US | 8.8.8.8:53 | www.lovlr.com | udp |
| N/A | 100.107.144.233:443 | www.lovlr.com | tcp |
| US | 8.8.8.8:53 | www.lukeamiller.net | udp |
| N/A | 100.75.145.91:443 | www.lukeamiller.net | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted: 2022-09-08 12:37
Reported: 2022-09-08 12:42
Platform: win7-20220812-en
Max time kernel: 203s
Max time network: 207s
Command Line
Signatures
GootLoader
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\92A862854CBECB94F51CD71F036C165CBF654343 | C:\Windows\system32\wscript.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\92A862854CBECB94F51CD71F036C165CBF654343\Blob = 140000000100000014000000384a5d2bed2b886a7d2286dacc403efb1efce90103000000010000001400000092a862854cbecb94f51cd71f036c165cbf6543430f00000001000000200000000a043e59706f30e9f239884aaf50ab06211f0613bb9e0bac5886fd92654fae012000000001000000f9020000308202f5308201dda003020102021003640d8154647d4bbd57bafeb03febd0300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3232303832333135303030305a170d3237303832323135303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100cd712faf2021aa79a38e90a222d140b84a8b84755762d5c04902f18e27cb243fb60fb0eb11188bf7848b950c4d1e9bfe0264d67d7a3f2bbb6d11fc6c2b981feb4d523f965953261ad93e573205b33a6e032e3e73fa85f5104d44c787cf98575d8bde2fc83801727e17f7b0f94d81befa73fb36ceebdc5fc087eeabcf6f95a88a021bbaef83fa759f4b7e789d0f6ac0268025d6079b3e1b50993de3ad42eb85ce2d94f31328c27dfd1b29e9fb141c3cb6c5c8614d79f1c884eea47a6b26e221052142990f8b44ec224bb1f2f56b9815a967dfb798987f54f8a87931ff207520041f05b219fae3dfff9c12ed5eba0d77d082cdf0ceb1a22ea91a5bb9d0923fabd10203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414384a5d2bed2b886a7d2286dacc403efb1efce901300d06092a864886f70d01010b050003820101002942a3355d3813094d4e4f1bb85f1f95cec9dad805ce011b618ae170c0cde717754f05e24cf931bcb008caccb857ad05db7d23f23931fe8e3ea223a18a6ca72ff33285112751fc432b7a07458feb9f1a6dc6422d84c443ab7bef51f8411d49023cdbf96b699b33bed8397c12bb2c5f424818f31b5ae84fbda9435a52f71b6fe73294af50452c005d5db788e8ad7ee144a4675a3a0d8468699fad17ebffffb4be8fa6f6e15ab18da2d644cedffcb7d210645ff6fcfb9c1bd348ae5d3f452c2e73e11e47f13779f5ea68ef8376b35c8d814f965a3f53c9592b36ca9ea4bccf6acbf5ca6f2e6b97403a441db1aa2e26b5b46c033997dc84116faab4c9d8faac9e07 | C:\Windows\system32\wscript.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\75d8102c0b4ebfd0bce76198c2292ac5bf806772426c93039427a5102b8c188c.js
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.macromixenlinea.com | udp |
| N/A | 100.110.17.117:443 | www.macromixenlinea.com | tcp |
| US | 8.8.8.8:53 | www.lovlr.com | udp |
| N/A | 100.115.102.69:443 | www.lovlr.com | tcp |
| US | 8.8.8.8:53 | www.lukeamiller.net | udp |
| N/A | 100.89.25.173:443 | www.lukeamiller.net | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted: 2022-09-08 12:37
Reported: 2022-09-08 12:42
Platform: win10v2004-20220812-en
Max time kernel: 221s
Max time network: 183s
Command Line
Signatures
GootLoader
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\75d8102c0b4ebfd0bce76198c2292ac5bf806772426c93039427a5102b8c188c.js
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 86.197.112.100.in-addr.arpa | udp |
| US | 13.89.179.8:443 | | tcp |
| NL | 87.248.202.1:80 | | tcp |
| US | 8.8.8.8:53 | www.macromixenlinea.com | udp |
| N/A | 100.71.66.220:443 | www.macromixenlinea.com | tcp |
| US | 8.8.8.8:53 | www.lovlr.com | udp |
| N/A | 100.95.22.38:443 | www.lovlr.com | tcp |
| US | 8.8.8.8:53 | www.lukeamiller.net | udp |
| N/A | 100.108.197.34:443 | www.lukeamiller.net | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted: 2022-09-08 12:37
Reported: 2022-09-08 12:42
Platform: win7-20220812-en
Max time kernel: 142s
Max time network: 146s
Command Line
Signatures
GootLoader
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\370A8E4D61C1A1844F5700E86A519520E84A7F73 | C:\Windows\system32\wscript.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\How_to_calculate_partnership_capital_account (zoe).js"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.macromixenlinea.com | udp |
| N/A | 100.114.149.66:443 | www.macromixenlinea.com | tcp |
| US | 8.8.8.8:53 | www.lovlr.com | udp |
| N/A | 100.74.222.74:443 | www.lovlr.com | tcp |
| US | 8.8.8.8:53 | www.lukeamiller.net | udp |
| N/A | 100.66.96.112:443 | www.lukeamiller.net | tcp |
Files
Analysis: behavioral6
Detonation Overview
Submitted: 2022-09-08 12:37
Reported: 2022-09-08 12:42
Platform: win10v2004-20220901-en
Max time kernel: 277s
Max time network: 281s
Command Line
Signatures
GootLoader
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\How_to_calculate_partnership_capital_account (zoe).js"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 52.182.141.63:443 | | tcp |
| FR | 2.18.109.224:443 | | tcp |
| US | 8.8.8.8:53 | 159.119.125.100.in-addr.arpa | udp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | www.macromixenlinea.com | udp |
| N/A | 100.115.198.141:443 | www.macromixenlinea.com | tcp |
| US | 8.8.8.8:53 | www.lovlr.com | udp |
| N/A | 100.83.222.96:443 | www.lovlr.com | tcp |
| US | 8.8.8.8:53 | www.lukeamiller.net | udp |
| N/A | 100.85.94.95:443 | www.lukeamiller.net | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted: 2022-09-08 12:37
Reported: 2022-09-08 12:42
Platform: win7-20220812-en
Max time kernel: 148s
Max time network: 151s
Command Line
Signatures
GootLoader
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\2626A499E65E77E8C58D13A98D2A37C8CA136150 | C:\Windows\system32\wscript.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\2426d4b21e5f3804a7bdd97d6d2eaa5d80874a32cbc8ccce846eaaf34ca033dc.js
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.macromixenlinea.com | udp |
| N/A | 100.98.28.238:443 | www.macromixenlinea.com | tcp |
| US | 8.8.8.8:53 | www.lovlr.com | udp |
| N/A | 100.90.223.234:443 | www.lovlr.com | tcp |
| US | 8.8.8.8:53 | www.lukeamiller.net | udp |
| N/A | 100.96.30.153:443 | www.lukeamiller.net | tcp |