gootloader | 8964cd61002dc41349134f9261a035d97ac7b9915952a7e8a687a0b111fa5f91

Analysis

max time kernel
281s
max time network
297s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
17-06-2024 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

age requirement to pick up prescriptions 35941.js
Size

23.2MB
MD5

c1072ceb23d7402dc2d6c1e7845741ed
SHA1

371f973b89330c78873e99aa164b57f12092be88
SHA256

3f68747daf0d5df410051f6e90b26d30405a13526076fe9d6bbe3cdee2029bbd
SHA512

52a338273d5d1b6fff7594ddecd06a40163a1416462e837543b6fc54c127cfd0389cafaa6f495859c99dccee299e928a7d1f673f34c24be60fba72833f300431
SSDEEP

49152:IPb08dPXWR4ba/JOtdF5pHE2lsfiaahM3o43ORV59VDKtDpPb08dPXWR4ba/JOtW:fc43mFc43mFc43mFc43mFc43ml

Score

10^/10

gootloader execution loader

Malware Config

Signatures

GootLoader
JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.
loader gootloader
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

powershell.exe

pid	process
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4800 powershell.exe

description	pid	process
Token: SeDebugPrivilege	4800	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.EXEcscript.exe

description	pid	process	target process
PID 3304 wrote to memory of 1448	3304	wscript.EXE	cscript.exe
PID 3304 wrote to memory of 1448	3304	wscript.EXE	cscript.exe
PID 1448 wrote to memory of 4800	1448	cscript.exe	powershell.exe
PID 1448 wrote to memory of 4800	1448	cscript.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\age requirement to pick up prescriptions 35941.js"
1⤵
PID:168

\??\c:\windows\system32\wscript.EXE
c:\windows\system32\wscript.EXE BUILDI~1.JS
1⤵
- Suspicious use of WriteProcessMemory
PID:3304

C:\Windows\System32\cscript.exe
"C:\Windows\System32\cscript.exe" "BUILDI~1.JS"
2⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4800

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r0qmdeyc.jbp.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Sun\BUILDI~1.JS
Filesize
39.8MB

MD5
4291004d13dcfb3c6ac54263cb0f1053

SHA1
244ba8cd2b4e85f7d8e64186edf2d73538b66364

SHA256
2cc76471ff381241a659c715cee57cf28867943a2c9eb176afca6545938798e6

SHA512
1e1b2e2f6add7aff4e48ba561593bd3c59ba4379b62b5d6db947aaeacc5303df0ad148e13221295c9907f86be651d2132aa2392998f8e980cae2b348e9e713cb

Download Submit
memory/4800-7-0x0000021373D10000-0x0000021373D32000-memory.dmp

Filesize
136KB

Download
memory/4800-34-0x0000021374000000-0x000002137403C000-memory.dmp

Filesize
240KB

Download
memory/4800-45-0x00000213740C0000-0x0000021374136000-memory.dmp

Filesize
472KB

Download