gootloader | 192d88d6f6987695de2c5813bb72a33258e06962b360668f6bbd37573268627a

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

192d88d6f6987695de2c5813bb72a33258e06962b360668f6bbd37573268627a.js
Size

7.7MB
MD5

550d9cb3338618b0d5da107bc7236e43
SHA1

60a54ed5ef9c84d9ae6da9de3cbed83e32e3ba64
SHA256

192d88d6f6987695de2c5813bb72a33258e06962b360668f6bbd37573268627a
SHA512

7893004d6825397c0c55559ab7247b92dcb72f930727d7bb32bafa545c74c97aa7e1ad095c1e83e43cd8fdfb2b37907504e05d91478fec29e175fd28f7924769
SSDEEP

49152:UytwpCQK+jyytwpCQK+jyytwpCQK+jyytwpCQK+jyytwpCQK+jyytwpCQK+jyytS:S

Score

10^/10

gootloader execution loader

Malware Config

Signatures

GootLoader
JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.
loader gootloader
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1772 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1772 powershell.exe

pid	process
1772	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1772	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

taskeng.exewscript.EXEcscript.exe

description	pid	process	target process
PID 2752 wrote to memory of 2512	2752	taskeng.exe	wscript.EXE
PID 2752 wrote to memory of 2512	2752	taskeng.exe	wscript.EXE
PID 2752 wrote to memory of 2512	2752	taskeng.exe	wscript.EXE
PID 2512 wrote to memory of 108	2512	wscript.EXE	cscript.exe
PID 2512 wrote to memory of 108	2512	wscript.EXE	cscript.exe
PID 2512 wrote to memory of 108	2512	wscript.EXE	cscript.exe
PID 108 wrote to memory of 1772	108	cscript.exe	powershell.exe
PID 108 wrote to memory of 1772	108	cscript.exe	powershell.exe
PID 108 wrote to memory of 1772	108	cscript.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\192d88d6f6987695de2c5813bb72a33258e06962b360668f6bbd37573268627a.js
1⤵
PID:3020

C:\Windows\system32\taskeng.exe
taskeng.exe {E142D640-0A06-4AEB-9DD9-135693B346E3} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE BEVERA~1.JS
2⤵
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\System32\cscript.exe
"C:\Windows\System32\cscript.exe" "BEVERA~1.JS"
3⤵
- Suspicious use of WriteProcessMemory
PID:108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Macromedia\BEVERA~1.JS
Filesize
42.1MB

MD5
63a41828eb9b94fb19d3b28a2e214b38

SHA1
462ab0767f32b91ef89879147884c40e82ce6e32

SHA256
a52c7f6b490e96416d6de661aa9fe08127ee5d03f9ba0a67bc6d0149e82bb596

SHA512
56d40dce884a04ab7b8f2aa35a19e77e56b9056b50275b2e5e62e75fcee2c7fcb74a334e706b197b822509b620de325ac4c229d458ff67de23d0bab3e083cf49

Download Submit
memory/1772-7-0x000000001B820000-0x000000001BB02000-memory.dmp

Filesize
2.9MB

Download
memory/1772-8-0x0000000001DD0000-0x0000000001DD8000-memory.dmp

Filesize
32KB

Download