Analysis
- max time kernel: 289s
- max time network: 292s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-05-2024 11:53
Static task: static1
Behavioral task: behavioral1
- Sample: pa collective agreement pay 38324.js
- Resource: win10v2004-20240508-en
General
- Target: pa collective agreement pay 38324.js
- Size: 7.7MB
- MD5: b563e45f0d74ff3178b47b4e897976e7
- SHA1: cdfc855a3c5595e40c753c537554819c402f9b3d
- SHA256: b5a957a066a2d434bcafadbc85f5d027bd0ddfa6236755b48cfb1d7b52157201
- SHA512: fcf7264c21ef97e1b969eb3bb0e5e482e313ecbe3ef49f83d4f5c926415818cff3b509070b1500abe36cb37ab3b830e768360e2f3d397bc79f49832dc95d3a3c
- SSDEEP: 49152:JytwpCQK+RPytwpCQK+RPytwpCQK+RPytwpCQK+RPytwpCQK+RPytwpCQK+RPytg:l
Malware Config
Signatures
- GootLoader
  JavaScript loader known for delivering other families such as Gootkit and Cobalt Strike.
- Blocklisted process makes network request (8 IoCs)
  Processes: powershell.exe (PID 4820), network flows 25, 34, 40, 43, 46, 50, 52, 53
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: wscript.EXE queried the key value \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation
  (That value is the user's configured GeoID under HKCU\Control Panel\International\Geo. A loader that reads it before doing anything else is deciding whether this machine is in a region it wants to run in; in a sandbox whose locale does not match the target region the rest of the chain may never execute, so the behaviour below should be read with that in mind.)
- Command and Scripting Interpreter: JavaScript (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  Processes: powershell.exe (PID 4820)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
  Key created: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  Processes: powershell.exe (PID 4820), 24 events
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: powershell.exe (PID 4820)
  SeDebugPrivilege enabled once, followed by the same set of 21 privileges enabled three times in succession (63 events):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  (The bare numbers are privilege LUIDs the sandbox did not resolve to names; in winnt.h, 33 through 36 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege. Enabling every privilege the token holds in one sweep is what this pattern looks like, and it is the same sweep repeated three times.)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1244 wscript.EXE wrote to memory of PID 5056 cscript.exe (2 events)
  PID 5056 cscript.exe wrote to memory of PID 4820 powershell.exe (2 events)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
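Persistence through the Task Scheduler is the detail to chase on a live host, since the task is what brings the loader back after the sandbox run ends. As an added example (not part of the sandbox report and not vendor code), the following audits exported task definitions in the XML format that `schtasks /query /tn <name> /xml` produces (the same format stored as files under C:\Windows\System32\Tasks\) and flags tasks whose action launches a script host or references a user-writable path. The report does not show the task this sample registered, so the task name `\Mozilla\Update`, its logon trigger and its arguments are constructed for the demonstration; the path mirrors the CULTUR~1.JS drop location listed under Downloads.

```python
"""Audit exported scheduled-task definitions for script-host persistence.

Added example for the 'Uses Task Scheduler COM API' signature above; it is
not part of the sandbox report and not vendor tooling. The two task
definitions are constructed in the Task Scheduler XML format that
`schtasks /query /tn <name> /xml` exports. The report does not show the
task the sample registered, so the task name, trigger and arguments below
are assumptions used only to exercise the checks.
"""
import ntpath
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
USER_WRITABLE_RE = re.compile(
    r"\\(?:appdata|temp|programdata)\\|%(?:appdata|localappdata|temp)%", re.I)

CONSTRUCTED_TASKS: Dict[str, str] = {
    # Hypothetical task modelled on the CULTUR~1.JS path in the Downloads section.
    r"\Mozilla\Update": """
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\CULTUR~1.JS"</Arguments>
    </Exec>
  </Actions>
</Task>""",
    # Benign control case.
    r"\Vendor\Updater": """
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files\\Vendor\\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>""",
}


def exec_actions(task_xml: str) -> List[Tuple[str, str]]:
    """(command, arguments) for every Exec action in one task definition."""
    root = ET.fromstring(task_xml.strip())
    return [(e.findtext("t:Command", default="", namespaces=NS).strip(),
             e.findtext("t:Arguments", default="", namespaces=NS).strip())
            for e in root.findall("t:Actions/t:Exec", NS)]


def trigger_types(task_xml: str) -> List[str]:
    """Trigger element names (LogonTrigger, BootTrigger, ...) without the namespace."""
    triggers = ET.fromstring(task_xml.strip()).find("t:Triggers", NS)
    return [] if triggers is None else [t.tag.rsplit("}", 1)[-1] for t in triggers]


def audit_tasks(tasks: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(task name, rule, action) for each task that deserves a look."""
    findings: List[Tuple[str, str, str]] = []
    for name, task_xml in tasks.items():
        for command, args in exec_actions(task_xml):
            action = f"{command} {args}".strip()
            # Rule 1: the task's program is a script host or shell.
            if ntpath.basename(command.strip('"')).lower() in SCRIPT_HOSTS:
                findings.append((name, "task_launches_script_host", action))
            # Rule 2: the program or its arguments live in a user-writable location.
            if USER_WRITABLE_RE.search(action):
                findings.append((name, "task_references_user_writable_path", action))
    return findings


if __name__ == "__main__":
    for name, rule, action in audit_tasks(CONSTRUCTED_TASKS):
        print(f"{name}: {rule}: {action} (triggers: {trigger_types(CONSTRUCTED_TASKS[name])})")
```

On a real host, feed the function the XML of every task exported with `schtasks /query /xml` (or the files under C:\Windows\System32\Tasks\), and treat a logon or boot trigger combined with either rule as a task to pull for review rather than one to explain away.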
Processes
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\pa collective agreement pay 38324.js"
- C:\Windows\system32\wscript.EXE (PID 1244)
  C:\Windows\system32\wscript.EXE CULTUR~1.JS
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cscript.exe (PID 5056)
    "C:\Windows\System32\cscript.exe" "CULTUR~1.JS"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4820)
      powershell
      Signatures: Blocklisted process makes network request; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
The second wscript.EXE is a separate root in the tree, not a child of the first wscript.exe that ran the sample, and it is handed the 8.3 short name CULTUR~1.JS rather than a full path; that name matches the 42.2MB file listed under Downloads in C:\Users\Admin\AppData\Roaming\Mozilla\. PIDs are taken from the WriteProcessMemory signature above.
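The chain above (wscript.exe reading the sample from Temp, a second wscript.EXE running CULTUR~1.JS, cscript.exe, then powershell.exe making network requests) is what an endpoint detection should key on; the file hashes change per victim, the process relationships do not. The following is an added example, not part of the sandbox report and not any vendor's tooling: it runs three checks over constructed process-creation events modelled on this tree. PIDs 1244, 5056 and 4820 are taken from the report; the other PIDs, the explorer.exe parent and the event field names are assumptions of the example.

```python
"""Detection logic for the execution chain in the process tree above.

Added example, not part of the sandbox report and not vendor tooling.
The events are a constructed stand-in for process-creation telemetry
(Sysmon Event ID 1 or an EDR equivalent) modelled on the report's tree:
PIDs 1244, 5056 and 4820 come from the report; the other PIDs, the
explorer.exe parent and the event field layout are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the created process
    cmdline: str  # command line as logged


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# A quoted or bare argument ending in a Windows Script Host extension.
SCRIPT_RE = re.compile(
    r'"([^"]+?\.(?:js|jse|vbs|vbe|wsf))"|(\S+\.(?:js|jse|vbs|vbe|wsf))\b', re.I)
USER_WRITABLE_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
SHORT_NAME_RE = re.compile(r"~\d+\.")  # 8.3 short name such as CULTUR~1.JS

SAMPLE_EVENTS = [  # constructed; see the module docstring
    ProcEvent(3000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3120, 3000, r"C:\Windows\system32\wscript.exe",
              r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\pa collective agreement pay 38324.js"'),
    # The second wscript.EXE is its own root in the report; parent PID 900 is not in this batch.
    ProcEvent(1244, 900, r"C:\Windows\system32\wscript.EXE",
              r"C:\Windows\system32\wscript.EXE CULTUR~1.JS"),
    ProcEvent(5056, 1244, r"C:\Windows\System32\cscript.exe",
              r'"C:\Windows\System32\cscript.exe" "CULTUR~1.JS"'),
    ProcEvent(4820, 5056, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell"),
]


def basename(image: str) -> str:
    return ntpath.basename(image).lower()


def script_args(cmdline: str) -> List[str]:
    """Every script path passed on the command line, quoted or bare."""
    return [quoted or bare for quoted, bare in SCRIPT_RE.findall(cmdline)]


def ancestry(pid: int, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Image basenames from the oldest recorded ancestor down to pid."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """(rule, pid) findings over one batch of process-creation events."""
    by_pid = {ev.pid: ev for ev in events}
    findings: List[Tuple[str, int]] = []
    for ev in events:
        name = basename(ev.image)
        parent = by_pid.get(ev.ppid)
        if name in SCRIPT_HOSTS:
            for arg in script_args(ev.cmdline):
                if USER_WRITABLE_RE.search(arg):
                    findings.append(("script_host_runs_script_from_appdata", ev.pid))
                # Heuristic: a bare 8.3 short name is how a script, not a person, names a file.
                if SHORT_NAME_RE.search(ntpath.basename(arg)):
                    findings.append(("script_host_given_8dot3_name", ev.pid))
        if name in SHELLS and parent is not None and basename(parent.image) in SCRIPT_HOSTS:
            findings.append(("script_host_spawns_shell", ev.pid))
        chain = ancestry(ev.pid, by_pid)
        # The report's chain: wscript.EXE -> cscript.exe -> powershell.exe.
        if (len(chain) >= 3 and chain[-1] in SHELLS
                and all(h in SCRIPT_HOSTS for h in chain[-3:-1])):
            findings.append(("nested_script_hosts_then_shell", ev.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{pid:>5}  {rule}")
```

The 8.3 short-name check is the weakest of the three and is there as a corroborating signal, not as a rule to alert on by itself; the nested script-host chain ending in a shell is the one that survives the loader renaming its dropped file.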
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hgimgxjs.rvq.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  (A __PSScriptPolicyTest_*.ps1 file is written by powershell.exe itself at startup to test whether AppLocker/WDAC script enforcement applies to it. It is a side effect of PowerShell running, not content dropped by the sample, and should not be treated as an indicator.)
- C:\Users\Admin\AppData\Roaming\Mozilla\CULTUR~1.JS
  Filesize: 42.2MB
  MD5: c5aa7bac46d79bbe1c05619bdf04c78d
  SHA1: 425c8aac95db9a3891946850476d812751ca9045
  SHA256: 263dc51f3d90564aae0501cd5e5a13dccc2f8a107c7d3c728fb6e1b17f0b63e2
  SHA512: e2d5c551dbea75409ba7303b2337d822208ced0db5217fedd373c9b81cebbb8d540333006988640541ddf8186ed152383d2c370e8d9c2eaf0618a8787d770ddf
  (This is the script the second wscript.EXE and cscript.exe in the process tree execute. The 7.7MB sample grew to a 42.2MB second stage on disk, so hash-based matching of the dropped file is unlikely to carry across victims; the drop location under AppData\Roaming and the script-host chain are the durable indicators.)
- memory/4820-8: 0x0000020B748A0000-0x0000020B748C2000 (136KB)
- memory/4820-13: 0x0000020B74BD0000-0x0000020B74C14000 (272KB)
- memory/4820-14: 0x0000020B74EA0000-0x0000020B74F16000 (472KB)
- memory/4820-15: 0x0000020B750F0000-0x0000020B7511A000 (168KB)
- memory/4820-16: 0x0000020B750F0000-0x0000020B75114000 (144KB)