Analysis Overview
SHA256
25fc98954bc91d726f762a0aae248ea1ebd1a801fb5f55769cd4762637242557
Threat Level: Known bad
The file 26e8076065079eb76b202b6ae04208a0869f3f21bcdcdc4aec7c42487d845179.zip was found to be: Known bad.
Malicious Activity Summary
GootLoader
Blocklisted process makes network request
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Checks processor information in registry
Suspicious behavior: GetForegroundWindowSpam
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-09-14 14:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-09-14 14:40
Reported
2022-09-14 14:52
Platform
win10-20220901-en
Max time kernel
637s
Max time network
618s
Command Line
Signatures
GootLoader
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\rescache\_merged\4183903823\810424605.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\3877292338.pri | C:\Windows\system32\taskmgr.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\SystemCertificates\CA\Certificates\90854CE574D03218DF2E7B4A054AA53F6951C1D2 | C:\Windows\system32\wscript.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\SystemCertificates\CA\Certificates\90854CE574D03218DF2E7B4A054AA53F6951C1D2\Blob = [certificate blob data omitted] | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C | C:\Windows\system32\wscript.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = [certificate blob data omitted] | C:\Windows\system32\wscript.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
|---|---|---|---|
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Money_received_agreement_format (ydst).js"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Money_received_agreement_format (ydst).js"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Money_received_agreement_format (ydst).js"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | www.ls1969.fr | udp |
| FR | 87.98.150.35:443 | www.ls1969.fr | tcp |
| US | 8.8.8.8:53 | www.macromixenlinea.com | udp |
| GT | 216.230.140.188:443 | www.macromixenlinea.com | tcp |
| US | 8.8.8.8:53 | crt.netsolssl.com | udp |
| GB | 91.199.212.52:80 | crt.netsolssl.com | tcp |
| US | 8.8.8.8:53 | www.lovlr.com | udp |
| DK | 77.111.240.6:443 | www.lovlr.com | tcp |