Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 12:40
Static task: static1
Behavioral task: behavioral1
- Sample: 192d88d6f6987695de2c5813bb72a33258e06962b360668f6bbd37573268627a.js
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 192d88d6f6987695de2c5813bb72a33258e06962b360668f6bbd37573268627a.js
- Resource: win10v2004-20240426-en
General
- Target: 192d88d6f6987695de2c5813bb72a33258e06962b360668f6bbd37573268627a.js
- Size: 7.7MB
- MD5: 550d9cb3338618b0d5da107bc7236e43
- SHA1: 60a54ed5ef9c84d9ae6da9de3cbed83e32e3ba64
- SHA256: 192d88d6f6987695de2c5813bb72a33258e06962b360668f6bbd37573268627a
- SHA512: 7893004d6825397c0c55559ab7247b92dcb72f930727d7bb32bafa545c74c97aa7e1ad095c1e83e43cd8fdfb2b37907504e05d91478fec29e175fd28f7924769
- SSDEEP: 49152:UytwpCQK+jyytwpCQK+jyytwpCQK+jyytwpCQK+jyytwpCQK+jyytwpCQK+jyytS:S
Malware Config
Signatures
- GootLoader
  JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.
- Command and Scripting Interpreter: JavaScript (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: powershell.exe (PID 1772)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: powershell.exe (PID 1772), token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: taskeng.exe, wscript.EXE, cscript.exe
  PID 2752 (taskeng.exe) wrote to memory of PID 2512 (wscript.EXE), 3 identical entries
  PID 2512 (wscript.EXE) wrote to memory of PID 108 (cscript.exe), 3 identical entries
  PID 108 (cscript.exe) wrote to memory of PID 1772 (powershell.exe), 3 identical entries
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\wscript.exe (depth 1)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\192d88d6f6987695de2c5813bb72a33258e06962b360668f6bbd37573268627a.js
- C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {E142D640-0A06-4AEB-9DD9-135693B346E3} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wscript.EXE (depth 2)
    Command line: C:\Windows\system32\wscript.EXE BEVERA~1.JS
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cscript.exe (depth 3)
      Command line: "C:\Windows\System32\cscript.exe" "BEVERA~1.JS"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4)
        Command line: powershell
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Macromedia\BEVERA~1.JS
  Filesize: 42.1MB
  MD5: 63a41828eb9b94fb19d3b28a2e214b38
  SHA1: 462ab0767f32b91ef89879147884c40e82ce6e32
  SHA256: a52c7f6b490e96416d6de661aa9fe08127ee5d03f9ba0a67bc6d0149e82bb596
  SHA512: 56d40dce884a04ab7b8f2aa35a19e77e56b9056b50275b2e5e62e75fcee2c7fcb74a334e706b197b822509b620de325ac4c229d458ff67de23d0bab3e083cf49
- memory/1772-7-0x000000001B820000-0x000000001BB02000-memory.dmp
  Filesize: 2.9MB
- memory/1772-8-0x0000000001DD0000-0x0000000001DD8000-memory.dmp
  Filesize: 32KB