Analysis

Max time kernel: 637s
Max time network: 618s
Platform: windows10-1703_x64
Resource: win10-20220901-en
Resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
Submitted: 14-09-2022 14:40
Static task: static1
Behavioral task: behavioral1
Sample: Money_received_agreement_format (ydst).js
Resource: win10-20220901-en
General

Target: Money_received_agreement_format (ydst).js
Size: 483KB
MD5: db72085469720929dc9bc69f664e3b14
SHA1: fb21b979da34cd4a17be9c5ff052e6cbc632f97e
SHA256: e8803d845f5fa403de1a15b73d9e7be28ccdf800f87598e28613c65a5c17940e
SHA512: 520ac4763e1bdcca7b46466b9adfe8aac30036e7639d91b938bd1f77ffa51a17af8c3b0093e00f27f269f1b39eb4874ce955a7a7c8c2d9a150b8bbfba778d4f5
SSDEEP: 6144:oQKkT3ula9l4khEfD3IA7Aiagmd4iLAmWy6sSF:BJhEfD3IRiagmd4iLAmWy6Z
Malware Config

Signatures

GootLoader
JavaScript loader known for delivering other families such as Gootkit and Cobalt Strike.

Blocklisted process makes network request (6 IoCs)
All six flows originate from the same Windows Script Host instance, wscript.exe PID 2672.
Processes:
  flow 13  PID 2672  wscript.exe
  flow 21  PID 2672  wscript.exe
  flow 23  PID 2672  wscript.exe
  flow 25  PID 2672  wscript.exe
  flow 26  PID 2672  wscript.exe
  flow 28  PID 2672  wscript.exe

Drops file in Windows directory (2 IoCs)
Both files are written by taskmgr.exe, not by the script host.
Processes:
  File created  C:\Windows\rescache\_merged\4183903823\810424605.pri   taskmgr.exe
  File created  C:\Windows\rescache\_merged\1601268389\3877292338.pri  taskmgr.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments. Here all three reads are attributed to taskmgr.exe, not to wscript.exe.
Processes:
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments. Both reads are attributed to taskmgr.exe.
Processes:
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  taskmgr.exe

Modifies system certificate store (4 IoCs)
wscript.exe adds two certificates, identified by SHA1 thumbprint, to the current user's intermediate CA store (HKU\<SID>\Software\Microsoft\SystemCertificates\CA\Certificates). Windows CryptoAPI populates this store itself when it caches intermediate certificates encountered while validating a certificate chain, so these entries may be a side effect of the script's network connections rather than a deliberately planted certificate; check both thumbprints against known public CA intermediates before treating them as an implant of trust.
Processes:
  Key created       \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\SystemCertificates\CA\Certificates\90854CE574D03218DF2E7B4A054AA53F6951C1D2  wscript.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\SystemCertificates\CA\Certificates\90854CE574D03218DF2E7B4A054AA53F6951C1D2\Blob = <blob data elided>  wscript.exe
  Key created       \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C  wscript.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = <blob data elided>  wscript.exe

Script User-Agent (3 IoCs)
Uses a user-agent string associated with the script host/environment. "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" is the default User-Agent of the WinHttp.WinHttpRequest COM object, which JScript reaches through ActiveXObject; it appears on three of the six flows from PID 2672 and is a useful proxy-log pivot because no browser sends it.
Processes:
  HTTP User-Agent header  flow 13  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  flow 21  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  flow 28  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

The five signatures below are all raised by the single taskmgr.exe instance (PID 3836), and every one of them is ordinary Task Manager behaviour (enumerating processes, polling the foreground window, enabling debug and profiling privileges, locating the shell tray). None is attributed to the script host.

Suspicious behavior: EnumeratesProcesses (32 IoCs)
Processes:
  PID 3836  taskmgr.exe  (32 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  PID 3836  taskmgr.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
  Token: SeDebugPrivilege            PID 3836  taskmgr.exe
  Token: SeSystemProfilePrivilege    PID 3836  taskmgr.exe
  Token: SeCreateGlobalPrivilege     PID 3836  taskmgr.exe
  Token: 33                          PID 3836  taskmgr.exe
  Token: SeIncBasePriorityPrivilege  PID 3836  taskmgr.exe

Suspicious use of FindShellTrayWindow (48 IoCs)
Processes:
  PID 3836  taskmgr.exe  (48 occurrences)

Suspicious use of SendNotifyMessage (47 IoCs)
Processes:
  PID 3836  taskmgr.exe  (47 occurrences)
Processes

Every entry is recorded at the top level of the tree: the report shows no parent-child link between the script host and taskmgr.exe or rundll32.exe, so the behaviours listed under taskmgr.exe cannot be attributed to the script from this tree alone. The sample was launched three times (PIDs 2672, 4208 and 5000); only the first instance carries signature hits.

C:\Windows\system32\wscript.exe
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\Money_received_agreement_format (ydst).js"
  PID: 2672
  - Blocklisted process makes network request
  - Modifies system certificate store

C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  PID: 3836
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4652

C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Money_received_agreement_format (ydst).js"
  PID: 4208

C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Money_received_agreement_format (ydst).js"
  PID: 5000
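The three observations the report makes about PID 2672 (a script host started on a .js in the user's Temp folder, six outbound flows from that process, and the WinHttp.WinHttpRequest User-Agent on three of them) are individually weak but together are a solid GootLoader-style detection. The Python below joins them, as an added example that is not part of the sandbox report and not code from the sample or the sandbox vendor. The event records are constructed to mirror the report; their field names (type, pid, image, cmdline, flow, user_agent) and the list of user-writable path markers are assumptions, not a real Sysmon or EDR schema.

```python
"""Correlate script-host telemetry into a GootLoader-style finding.

Added example, not part of the sandbox report and not code from the sample.
The events below are constructed to mirror what the report records for
wscript.exe PID 2672; the field names and the user-writable path markers
are assumptions, not a real Sysmon/EDR schema.
"""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
# Substring of the default User-Agent sent by the WinHttp.WinHttpRequest COM
# object (what JScript gets via ActiveXObject); no browser sends it.
SCRIPT_UA = "WinHttp.WinHttpRequest"
# Assumed folders a double-clicked attachment runs from (not from the report).
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\")

# Constructed events shaped after the report's process list and flows.
EVENTS = [
    {"type": "process", "pid": 2672, "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\Money_received_agreement_format (ydst).js"'},
    {"type": "process", "pid": 3836, "image": r"C:\Windows\system32\taskmgr.exe",
     "cmdline": r'"C:\Windows\system32\taskmgr.exe" /4'},
    {"type": "network", "pid": 2672, "flow": 13},
    {"type": "network", "pid": 2672, "flow": 21},
    {"type": "network", "pid": 2672, "flow": 23},
    {"type": "network", "pid": 2672, "flow": 25},
    {"type": "network", "pid": 2672, "flow": 26},
    {"type": "network", "pid": 2672, "flow": 28},
    {"type": "http", "flow": 13,
     "user_agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"},
    {"type": "http", "flow": 21,
     "user_agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"},
    {"type": "http", "flow": 28,
     "user_agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"},
]

# One command-line argument: either a double-quoted run or a bare token.
_ARG = re.compile(r'"([^"]*)"|(\S+)')


def extract_script_path(cmdline):
    """Return the first command-line argument that names a script file, else None."""
    for m in _ARG.finditer(cmdline):
        arg = m.group(1) if m.group(1) is not None else m.group(2)
        if arg.lower().endswith(SCRIPT_EXTS):
            return arg
    return None


def in_user_writable(path):
    """True if the path sits in one of the assumed user-writable folders."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def detect(events):
    """Return one finding per script-host process showing two or more indicators:
    script run from a user-writable folder, outbound flows, script-host User-Agent."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    flows_by_pid = defaultdict(list)
    for e in events:
        if e["type"] == "network":
            flows_by_pid[e["pid"]].append(e["flow"])
    ua_by_flow = {e["flow"]: e["user_agent"] for e in events if e["type"] == "http"}

    findings = []
    for pid, proc in procs.items():
        image = proc["image"].rsplit("\\", 1)[-1].lower()
        if image not in SCRIPT_HOSTS:
            continue  # taskmgr.exe and other non-script hosts are ignored here
        reasons = []
        script = extract_script_path(proc["cmdline"])
        if script and in_user_writable(script):
            reasons.append(f"script host launched on {script}")
        flows = flows_by_pid.get(pid, [])
        if flows:
            reasons.append(f"{len(flows)} outbound flow(s) from script host")
        ua_flows = [f for f in flows if SCRIPT_UA in ua_by_flow.get(f, "")]
        if ua_flows:
            reasons.append(f"script-host User-Agent on flow(s) {ua_flows}")
        if len(reasons) >= 2:
            findings.append({"pid": pid, "image": image, "script": script,
                             "flows": flows, "script_ua_flows": ua_flows,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"PID {f['pid']} {f['image']}")
        for r in f["reasons"]:
            print("  -", r)
```

Run against the constructed events, detect() returns a single finding for PID 2672 with all three reasons, and nothing for taskmgr.exe, which mirrors the report's attribution: the network and User-Agent signatures belong to the script host alone. In production the flow join would be done on a connection identifier shared between the endpoint sensor and the proxy, and the two-indicator threshold keeps a lone Temp-folder script launch (common in benign admin tooling) from alerting by itself.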