gootloader | 893e44e4ad2e74f043af938b237ed08526a11a7c5eff8a4f84667543947f7292

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

flat possession agreement 10384.js
Size

8.8MB
MD5

4ee5d33f99e169cc4166c122764a1693
SHA1

38a08a96fe62c42340be1ff5f9a5ca0548e9bf47
SHA256

893e44e4ad2e74f043af938b237ed08526a11a7c5eff8a4f84667543947f7292
SHA512

ab1c0015c320bfdf885d792e0efb30508f03e0ff547859112b5a3ce2a051bf580cf3d51f62f4c5730d17e7a27b130dfc2384dd5874b7cab56566c3a29471ddc0
SSDEEP

49152:/ytwpCQK+O5ytwpCQK+O5ytwpCQK+O5ytwpCQK+O5ytwpCQK+O5ytwpCQK+O5ytG:f

Score

10^/10

gootloader execution loader

Malware Config

Signatures

GootLoader
JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.
loader gootloader

Blocklisted process makes network request 4 IoCs

flow	pid	Process
51	5096	powershell.exe
69	5096	powershell.exe
72	5096	powershell.exe
77	5096	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	wscript.EXE

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5096	powershell.exe
5096	powershell.exe
5096	powershell.exe
5096	powershell.exe
5096	powershell.exe
5096	powershell.exe
5096	powershell.exe
5096	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeIncreaseQuotaPrivilege	5096	powershell.exe
Token: SeSecurityPrivilege	5096	powershell.exe
Token: SeTakeOwnershipPrivilege	5096	powershell.exe
Token: SeLoadDriverPrivilege	5096	powershell.exe
Token: SeSystemProfilePrivilege	5096	powershell.exe
Token: SeSystemtimePrivilege	5096	powershell.exe
Token: SeProfSingleProcessPrivilege	5096	powershell.exe
Token: SeIncBasePriorityPrivilege	5096	powershell.exe
Token: SeCreatePagefilePrivilege	5096	powershell.exe
Token: SeBackupPrivilege	5096	powershell.exe
Token: SeRestorePrivilege	5096	powershell.exe
Token: SeShutdownPrivilege	5096	powershell.exe
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeSystemEnvironmentPrivilege	5096	powershell.exe
Token: SeRemoteShutdownPrivilege	5096	powershell.exe
Token: SeUndockPrivilege	5096	powershell.exe
Token: SeManageVolumePrivilege	5096	powershell.exe
Token: 33	5096	powershell.exe
Token: 34	5096	powershell.exe
Token: 35	5096	powershell.exe
Token: 36	5096	powershell.exe
Token: SeIncreaseQuotaPrivilege	5096	powershell.exe
Token: SeSecurityPrivilege	5096	powershell.exe
Token: SeTakeOwnershipPrivilege	5096	powershell.exe
Token: SeLoadDriverPrivilege	5096	powershell.exe
Token: SeSystemProfilePrivilege	5096	powershell.exe
Token: SeSystemtimePrivilege	5096	powershell.exe
Token: SeProfSingleProcessPrivilege	5096	powershell.exe
Token: SeIncBasePriorityPrivilege	5096	powershell.exe
Token: SeCreatePagefilePrivilege	5096	powershell.exe
Token: SeBackupPrivilege	5096	powershell.exe
Token: SeRestorePrivilege	5096	powershell.exe
Token: SeShutdownPrivilege	5096	powershell.exe
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeSystemEnvironmentPrivilege	5096	powershell.exe
Token: SeRemoteShutdownPrivilege	5096	powershell.exe
Token: SeUndockPrivilege	5096	powershell.exe
Token: SeManageVolumePrivilege	5096	powershell.exe
Token: 33	5096	powershell.exe
Token: 34	5096	powershell.exe
Token: 35	5096	powershell.exe
Token: 36	5096	powershell.exe
Token: SeIncreaseQuotaPrivilege	5096	powershell.exe
Token: SeSecurityPrivilege	5096	powershell.exe
Token: SeTakeOwnershipPrivilege	5096	powershell.exe
Token: SeLoadDriverPrivilege	5096	powershell.exe
Token: SeSystemProfilePrivilege	5096	powershell.exe
Token: SeSystemtimePrivilege	5096	powershell.exe
Token: SeProfSingleProcessPrivilege	5096	powershell.exe
Token: SeIncBasePriorityPrivilege	5096	powershell.exe
Token: SeCreatePagefilePrivilege	5096	powershell.exe
Token: SeBackupPrivilege	5096	powershell.exe
Token: SeRestorePrivilege	5096	powershell.exe
Token: SeShutdownPrivilege	5096	powershell.exe
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeSystemEnvironmentPrivilege	5096	powershell.exe
Token: SeRemoteShutdownPrivilege	5096	powershell.exe
Token: SeUndockPrivilege	5096	powershell.exe
Token: SeManageVolumePrivilege	5096	powershell.exe
Token: 33	5096	powershell.exe
Token: 34	5096	powershell.exe
Token: 35	5096	powershell.exe
Token: 36	5096	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 4348	3916	wscript.EXE	99
PID 3916 wrote to memory of 4348	3916	wscript.EXE	99
PID 4348 wrote to memory of 5096	4348	cscript.exe	101
PID 4348 wrote to memory of 5096	4348	cscript.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\flat possession agreement 10384.js"
1⤵
PID:64

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE MARINE~1.JS
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Windows\System32\cscript.exe
  "C:\Windows\System32\cscript.exe" "MARINE~1.JS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell
    3⤵
    - Blocklisted process makes network request
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1dqxho2y.xm0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\MARINE~1.JS

Filesize
42.2MB

MD5
f01052554604d7b5f3db9fa0ee9f040a

SHA1
5e0dc8ab9a91ef799fcc51af31c0767e8ef25d3e

SHA256
faf45dfb63974b246f75cfb01575f495f770027963d13a3ebfdc3f180745088d

SHA512
dffd7b9472dec535c64f2f4c2d3ece7bb0a8104e82a688dca97dcc1d675a7acbfdf147555924fd58add8235ec11293d1795815363c853e54924fbef948a15cf7

Download Submit
memory/5096-6-0x000001EAF8100000-0x000001EAF8122000-memory.dmp

Filesize
136KB

Download
memory/5096-13-0x000001EAF8630000-0x000001EAF8674000-memory.dmp

Filesize
272KB

Download
memory/5096-14-0x000001EAF8680000-0x000001EAF86F6000-memory.dmp

Filesize
472KB

Download
memory/5096-15-0x000001EAF89B0000-0x000001EAF89DA000-memory.dmp

Filesize
168KB

Download
memory/5096-16-0x000001EAF89B0000-0x000001EAF89D4000-memory.dmp

Filesize
144KB

Download