Analysis
-
max time kernel
148s -
max time network
129s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
16-04-2024 00:01
General
-
Target
traffic laws of grenada 71138.js
-
Size
28.9MB
-
MD5
5e9e894ac5a9bb53e7de4236979cf67c
-
SHA1
557ac8df67dbe9e20608500df00430de4c646b79
-
SHA256
5f2b4aaf83394cd267362da83a52eda1a14246c24af74a7321831d2f5e1758d9
-
SHA512
c60082638eacb2cccef7297077daf5837f88c3b5a2900c15a13992a4713cc11590014fcf14f1d770537a265efab98607d8b2dfe6aa2252e088a72db33a57ff8c
-
SSDEEP
49152:R7BYzjCxb3qHlp4wwpN00chD1ZHzqYzYB2Vq+8fKN3ER/9xqG6lP3qtDlpgicEvd:J
Malware Config
Signatures
-
GootLoader
JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\traffic laws of grenada 71138.js"1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {79760462-8CD8-4673-AEE4-640D6C5A38D6} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wscript.EXEC:\Windows\system32\wscript.EXE RUNTIM~1.JS2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cscript.exe"C:\Windows\System32\cscript.exe" "RUNTIM~1.JS"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Adobe\RUNTIM~1.JSFilesize
40.8MB
MD513ec7da9735e1f834a5b9b717dda479b
SHA14b04e5f4a38c24ce1d55067124c7d846089dc358
SHA256c52c198e54b81664a12b53a13cb0531b1612443280bf94c9bb0e1ea0ab2283b6
SHA512e9a91d890f2e9c34c01e57fb72ce8e81ac7e04afe08e2f99b765c1f6bd76d6333ed9d27642a7447cecf855a1b6a13a7fc820a080aa79a39dad74726905874522
-
memory/932-7-0x000000001B2A0000-0x000000001B582000-memory.dmpFilesize
2.9MB
-
memory/932-8-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmpFilesize
9.6MB
-
memory/932-10-0x0000000002670000-0x00000000026F0000-memory.dmpFilesize
512KB
-
memory/932-9-0x0000000002670000-0x00000000026F0000-memory.dmpFilesize
512KB
-
memory/932-11-0x0000000002670000-0x00000000026F0000-memory.dmpFilesize
512KB
-
memory/932-12-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmpFilesize
9.6MB
-
memory/932-13-0x00000000024E0000-0x00000000024E8000-memory.dmpFilesize
32KB
-
memory/932-14-0x0000000002670000-0x00000000026F0000-memory.dmpFilesize
512KB
-
memory/932-15-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmpFilesize
9.6MB
-
memory/932-16-0x0000000002670000-0x00000000026F0000-memory.dmpFilesize
512KB
-
memory/932-17-0x0000000002670000-0x00000000026F0000-memory.dmpFilesize
512KB
-
memory/932-18-0x0000000002670000-0x00000000026F0000-memory.dmpFilesize
512KB
-
memory/932-19-0x0000000002670000-0x00000000026F0000-memory.dmpFilesize
512KB