General

  • Target

    Goonscript.exe

  • Size

    6.9MB

  • Sample

    240509-w945lagh4y

  • MD5

    470268ecd355efae1786bef07fd81cad

  • SHA1

    4e6477d59166f627c9735615ddc5341c16134c1e

  • SHA256

    d6abd828b52cf392d821adefecf01b16c08c1f2ac97fb7075c3f20d099c5a6d2

  • SHA512

    3c3b00eaaa76917aac87063cb767a052fa49fbde54c44b3476b0b5202e6e8eae47121da6632c0f764b44cad28b929f525f233689ff8c2d86e9a4e08e4c8ffff6

  • SSDEEP

    98304:aAl0hhyGiuYdA0QauZEBzh1NXXL0gN3glS7oLxC0n8rpuil3lyesl6jXAGAbFQCc:aUBuYdVsI7pt3uND8rBVFj94FDEX

Malware Config

Targets

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15

Tasks