Analysis
- max time kernel: 359s
- max time network: 363s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 25-05-2024 10:23
Static task: static1
Behavioral task: behavioral1
- Sample: BUSINE~1.js
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: BUSINE~1.js
- Resource: win10v2004-20240426-en
General
- Target: BUSINE~1.js
- Size: 43.2MB
- MD5: 63a99e04e435616bdc87fed55d0a3a2c
- SHA1: 87af1244405d3ed86e269f50982886d99b011c62
- SHA256: 467641ed625f257318da1de965a6288f89bfef47cec6dddc511709cd959a5219
- SHA512: 7fea274c200da726223ae6fabb93025c967dc850c4d3070b085f95b91654b7c97b24bdb61558ee855140c4213d9bf95699e6ce2a800bcac6e5451fd9603f8e1f
- SSDEEP: 49152:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxv:l
Malware Config
Signatures
- GootLoader
  JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.
- Command and Scripting Interpreter: JavaScript (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid, process):
    2540 powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege, 2540 powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 2892 wrote to memory of 2584, 2892 wscript.exe, cscript.exe
    PID 2892 wrote to memory of 2584, 2892 wscript.exe, cscript.exe
    PID 2892 wrote to memory of 2584, 2892 wscript.exe, cscript.exe
    PID 2584 wrote to memory of 2540, 2584 cscript.exe, powershell.exe
    PID 2584 wrote to memory of 2540, 2584 cscript.exe, powershell.exe
    PID 2584 wrote to memory of 2540, 2584 cscript.exe, powershell.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\BUSINE~1.js
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cscript.exe
    Command line: "C:\Windows\System32\cscript.exe" "BUSINE~1.js"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken