gootloader | c8f47dbfc46c2878f96ece788de84672b1d2b230721c3cd577c5b39071cb1070

Resubmissions

12/02/2024, 14:31

240212-rvse2aga7z 10

12/02/2024, 14:15

240212-rkhsvahd58 10

Analysis

max time kernel
399s
max time network
366s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 14:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

pa collective agreement pay 24448.js
Size

3.6MB
MD5

6314e5e6e94aa922e252e8adc30f551b
SHA1

a81fc5389d61fc35daa35c15d9ec3c72a9d11917
SHA256

c8f47dbfc46c2878f96ece788de84672b1d2b230721c3cd577c5b39071cb1070
SHA512

2aeaefa9ea6b2a95f6dbb9d4a05e028c1ad031a07349088e05617f18b14ac7254c89ae41aa6edea4f27b279f451506ae49cc10170c75744442613df3654b0790
SSDEEP

49152:Nx3ii6gobYQS3QpOVtFBgiAEn0i2pdl8rgx0pPqaeqNn0i2pdliWtAXiAwyfMtAX:NQpwtFBgY

Score

10^/10

gootloader loader

Malware Config

Signatures

GootLoader
JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.
loader gootloader
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3052	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3052	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2936	2976	taskeng.exe	31
PID 2976 wrote to memory of 2936	2976	taskeng.exe	31
PID 2976 wrote to memory of 2936	2976	taskeng.exe	31
PID 2936 wrote to memory of 2860	2936	wscript.EXE	32
PID 2936 wrote to memory of 2860	2936	wscript.EXE	32
PID 2936 wrote to memory of 2860	2936	wscript.EXE	32
PID 2860 wrote to memory of 3052	2860	cscript.exe	34
PID 2860 wrote to memory of 3052	2860	cscript.exe	34
PID 2860 wrote to memory of 3052	2860	cscript.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\pa collective agreement pay 24448.js"
1⤵
PID:2208

C:\Windows\system32\taskeng.exe
taskeng.exe {DC29C6E5-8B21-49D3-A948-6025163DA455} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\system32\wscript.EXE
  C:\Windows\system32\wscript.EXE PERSUA~1.JS
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\System32\cscript.exe
    "C:\Windows\System32\cscript.exe" "PERSUA~1.JS"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\PERSUA~1.JS

Filesize
11.1MB

MD5
edbe4af1b956c3d759259a2fbf943d08

SHA1
47b9e2ef8b3a3bd3341912c7c0e695f3bd6d0fe0

SHA256
f30469383ae8b30c2668002a40e9ca7e43eefa75516184f1997f11021f1b63bd

SHA512
f1031e2c44c59aa02a60c5d0233e1fa02ef7b7297fa5f19e3e9411dd6dd87962621c1c5cd821d253c8f2c194d16f70f4ba1882ecd1a6f30d5546fa3c8513d211

Download Submit
memory/3052-7-0x000000001B360000-0x000000001B642000-memory.dmp

Filesize
2.9MB

Download
memory/3052-8-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/3052-9-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

Filesize
9.6MB

Download
memory/3052-10-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/3052-11-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

Filesize
9.6MB

Download
memory/3052-12-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/3052-13-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/3052-14-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/3052-15-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

Filesize
9.6MB

Download
memory/3052-16-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/3052-17-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/3052-18-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download