Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 25-05-2024 09:57
Static task: static1
Behavioral task: behavioral1
- Sample: are flares legal uk 1210.js
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: are flares legal uk 1210.js
- Resource: win10v2004-20240426-en
General
- Target: are flares legal uk 1210.js
- Size: 4.4MB
- MD5: 92845fcec6241a5f166f082b074f17ff
- SHA1: c36a8f4a92e8f2982af6bab52c2f0dd0e92e1f72
- SHA256: b730fce1dc9df3354e38373a37d5b3f1d1f587db85f19d7106aa7a2a392430c2
- SHA512: 70e7ad68de0da324a13e5f20068ae555ca8b589862aa8472efd6224b119d3d9fa53dae36f1e5a27c93a7b21150a44c29fae272469c652ef17fabe2584671f666
- SSDEEP: 49152:yytwpCQK+lIytwpCQK+lIytwpCQK+lIytwpCQK+lp:n
Malware Config
Signatures
- GootLoader
  JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.
- Command and Scripting Interpreter: JavaScript (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: PID 2380 powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: PID 2380 powershell.exe, description: Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (source PID wrote to memory of target PID, source process -> target process):
  PID 2572 wrote to memory of 2512: taskeng.exe -> wscript.EXE (3 entries)
  PID 2512 wrote to memory of 2524: wscript.EXE -> cscript.exe (3 entries)
  PID 2524 wrote to memory of 2380: cscript.exe -> powershell.exe (3 entries)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows the parent/child relationship)
- C:\Windows\system32\wscript.exe (PID 1544)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\are flares legal uk 1210.js"
- C:\Windows\system32\taskeng.exe (PID 2572)
  Command line: taskeng.exe {85304A91-D74C-43E7-B311-3AE0D32D1B22} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wscript.EXE (PID 2512)
    Command line: C:\Windows\system32\wscript.EXE BUSINE~1.JS
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cscript.exe (PID 2524)
      Command line: "C:\Windows\System32\cscript.exe" "BUSINE~1.JS"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2380)
        Command line: powershell
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\BUSINE~1.JS
  Filesize: 43.2MB
  MD5: 63a99e04e435616bdc87fed55d0a3a2c
  SHA1: 87af1244405d3ed86e269f50982886d99b011c62
  SHA256: 467641ed625f257318da1de965a6288f89bfef47cec6dddc511709cd959a5219
  SHA512: 7fea274c200da726223ae6fabb93025c967dc850c4d3070b085f95b91654b7c97b24bdb61558ee855140c4213d9bf95699e6ce2a800bcac6e5451fd9603f8e1f
- memory/2380-7-0x000000001B380000-0x000000001B662000-memory.dmp
  Filesize: 2.9MB
- memory/2380-8-0x0000000001F50000-0x0000000001F58000-memory.dmp
  Filesize: 32KB