gootloader | ce02817c1a10ba1f49a139db19394fe67b5a1b2485c866d92cc26ef361e0a9d6

General

Target

sumsj.js
Size

12.9MB
MD5

413da71d07370c4579943cc5dfb074e3
SHA1

cdb7f3c1d61c9c61b61a835a17f4b79402199e05
SHA256

ce02817c1a10ba1f49a139db19394fe67b5a1b2485c866d92cc26ef361e0a9d6
SHA512

afbf8142ced6f01a05b4eb34a5845e73a8be356555ab686e4fc3291a6b93838f989ac25e2009ffe08bb46ae36a05ab0231d95f64bb741c7d6438483f2778fe58
SSDEEP

49152:C7BfzjCxbqqHlp4rHfN0MNhzoNszsYzYBgE5+85R33uK/zp+GiR93quKLagucEP6:H

Score

10^/10

gootloader loader

Malware Config

Signatures

GootLoader
JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.
loader gootloader

Blocklisted process makes network request 10 IoCs

Processes:

powershell.exe

flow	pid	process
74	2092	powershell.exe
90	2092	powershell.exe
92	2092	powershell.exe
94	2092	powershell.exe
97	2092	powershell.exe
100	2092	powershell.exe
103	2092	powershell.exe
105	2092	powershell.exe
106	2092	powershell.exe
107	2092	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.EXE

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation wscript.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	wscript.EXE

Modifies registry class 2 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	powershell.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

powershell.exe

pid	process
2092	powershell.exe
2092	powershell.exe
2092	powershell.exe
2092	powershell.exe
2092	powershell.exe
2092	powershell.exe
2092	powershell.exe
2092	powershell.exe
2092	powershell.exe
2092	powershell.exe
2092	powershell.exe
2092	powershell.exe
2092	powershell.exe
2092	powershell.exe
2092	powershell.exe
2092	powershell.exe
2092	powershell.exe
2092	powershell.exe
2092	powershell.exe
2092	powershell.exe
2092	powershell.exe
2092	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeIncreaseQuotaPrivilege	2092	powershell.exe
Token: SeSecurityPrivilege	2092	powershell.exe
Token: SeTakeOwnershipPrivilege	2092	powershell.exe
Token: SeLoadDriverPrivilege	2092	powershell.exe
Token: SeSystemProfilePrivilege	2092	powershell.exe
Token: SeSystemtimePrivilege	2092	powershell.exe
Token: SeProfSingleProcessPrivilege	2092	powershell.exe
Token: SeIncBasePriorityPrivilege	2092	powershell.exe
Token: SeCreatePagefilePrivilege	2092	powershell.exe
Token: SeBackupPrivilege	2092	powershell.exe
Token: SeRestorePrivilege	2092	powershell.exe
Token: SeShutdownPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeSystemEnvironmentPrivilege	2092	powershell.exe
Token: SeRemoteShutdownPrivilege	2092	powershell.exe
Token: SeUndockPrivilege	2092	powershell.exe
Token: SeManageVolumePrivilege	2092	powershell.exe
Token: 33	2092	powershell.exe
Token: 34	2092	powershell.exe
Token: 35	2092	powershell.exe
Token: 36	2092	powershell.exe
Token: SeIncreaseQuotaPrivilege	2092	powershell.exe
Token: SeSecurityPrivilege	2092	powershell.exe
Token: SeTakeOwnershipPrivilege	2092	powershell.exe
Token: SeLoadDriverPrivilege	2092	powershell.exe
Token: SeSystemProfilePrivilege	2092	powershell.exe
Token: SeSystemtimePrivilege	2092	powershell.exe
Token: SeProfSingleProcessPrivilege	2092	powershell.exe
Token: SeIncBasePriorityPrivilege	2092	powershell.exe
Token: SeCreatePagefilePrivilege	2092	powershell.exe
Token: SeBackupPrivilege	2092	powershell.exe
Token: SeRestorePrivilege	2092	powershell.exe
Token: SeShutdownPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeSystemEnvironmentPrivilege	2092	powershell.exe
Token: SeRemoteShutdownPrivilege	2092	powershell.exe
Token: SeUndockPrivilege	2092	powershell.exe
Token: SeManageVolumePrivilege	2092	powershell.exe
Token: 33	2092	powershell.exe
Token: 34	2092	powershell.exe
Token: 35	2092	powershell.exe
Token: 36	2092	powershell.exe
Token: SeIncreaseQuotaPrivilege	2092	powershell.exe
Token: SeSecurityPrivilege	2092	powershell.exe
Token: SeTakeOwnershipPrivilege	2092	powershell.exe
Token: SeLoadDriverPrivilege	2092	powershell.exe
Token: SeSystemProfilePrivilege	2092	powershell.exe
Token: SeSystemtimePrivilege	2092	powershell.exe
Token: SeProfSingleProcessPrivilege	2092	powershell.exe
Token: SeIncBasePriorityPrivilege	2092	powershell.exe
Token: SeCreatePagefilePrivilege	2092	powershell.exe
Token: SeBackupPrivilege	2092	powershell.exe
Token: SeRestorePrivilege	2092	powershell.exe
Token: SeShutdownPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeSystemEnvironmentPrivilege	2092	powershell.exe
Token: SeRemoteShutdownPrivilege	2092	powershell.exe
Token: SeUndockPrivilege	2092	powershell.exe
Token: SeManageVolumePrivilege	2092	powershell.exe
Token: 33	2092	powershell.exe
Token: 34	2092	powershell.exe
Token: 35	2092	powershell.exe
Token: 36	2092	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.EXEcscript.exe

description	pid	process	target process
PID 3432 wrote to memory of 4788	3432	wscript.EXE	cscript.exe
PID 3432 wrote to memory of 4788	3432	wscript.EXE	cscript.exe
PID 4788 wrote to memory of 2092	4788	cscript.exe	powershell.exe
PID 4788 wrote to memory of 2092	4788	cscript.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\sumsj.js
1⤵
PID:4472

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE TECHNI~1.JS
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\System32\cscript.exe
"C:\Windows\System32\cscript.exe" "TECHNI~1.JS"
2⤵
- Suspicious use of WriteProcessMemory
PID:4788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
3⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2092

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pg0xmayf.hnh.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TECHNI~1.JS
Filesize
40.8MB

MD5
83d7a72932c113d8e1dfae1189b91a1e

SHA1
16aa3470e88284aa470c5385382b212d3d2241ea

SHA256
1cadd1359d386dea78dba195ae4e5c37875fc1fa1f37719ad3b5afe2a9a1a9e1

SHA512
1f3af1b65715d93a23660f6b4b3baf4792bfc842c1091910504775b8291d20f681ed80106325dc410a45e26101cb036f3435e843dcd703b30ae33aa190a5a8ba

Download Submit
memory/2092-18-0x000001CEEDF70000-0x000001CEEDF80000-memory.dmp

Filesize
64KB

Download
memory/2092-19-0x000001CEEDF70000-0x000001CEEDF80000-memory.dmp

Filesize
64KB

Download
memory/2092-4-0x000001CEEDF70000-0x000001CEEDF80000-memory.dmp

Filesize
64KB

Download
memory/2092-15-0x000001CEEDF10000-0x000001CEEDF54000-memory.dmp

Filesize
272KB

Download
memory/2092-16-0x000001CEEE370000-0x000001CEEE3E6000-memory.dmp

Filesize
472KB

Download
memory/2092-17-0x000001CEEDF70000-0x000001CEEDF80000-memory.dmp

Filesize
64KB

Download
memory/2092-3-0x00007FFE1A340000-0x00007FFE1AE01000-memory.dmp

Filesize
10.8MB

Download
memory/2092-5-0x000001CED5870000-0x000001CED5892000-memory.dmp

Filesize
136KB

Download
memory/2092-21-0x000001CEEE580000-0x000001CEEE5A4000-memory.dmp

Filesize
144KB

Download
memory/2092-20-0x000001CEEE580000-0x000001CEEE5AA000-memory.dmp

Filesize
168KB

Download
memory/2092-22-0x00007FFE1A340000-0x00007FFE1AE01000-memory.dmp

Filesize
10.8MB

Download
memory/2092-24-0x000001CEEDF70000-0x000001CEEDF80000-memory.dmp

Filesize
64KB

Download
memory/2092-25-0x000001CEEDF70000-0x000001CEEDF80000-memory.dmp

Filesize
64KB

Download
memory/2092-26-0x000001CEEDF70000-0x000001CEEDF80000-memory.dmp

Filesize
64KB

Download
memory/2092-27-0x000001CEEDF70000-0x000001CEEDF80000-memory.dmp

Filesize
64KB

Download
memory/2092-28-0x000001CEEDF70000-0x000001CEEDF80000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads