Analysis
- max time kernel: 281s
- max time network: 297s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 17-06-2024 13:15
Static task
- static1

Behavioral task
- behavioral1
  - Sample: age requirement to pick up prescriptions 35941.js
  - Resource: win10-20240404-en

Behavioral task
- behavioral2
  - Sample: age requirement to pick up prescriptions 35941.js
  - Resource: win10v2004-20240226-en
General
- Target: age requirement to pick up prescriptions 35941.js
- Size: 23.2MB
- MD5: c1072ceb23d7402dc2d6c1e7845741ed
- SHA1: 371f973b89330c78873e99aa164b57f12092be88
- SHA256: 3f68747daf0d5df410051f6e90b26d30405a13526076fe9d6bbe3cdee2029bbd
- SHA512: 52a338273d5d1b6fff7594ddecd06a40163a1416462e837543b6fc54c127cfd0389cafaa6f495859c99dccee299e928a7d1f673f34c24be60fba72833f300431
- SSDEEP: 49152:IPb08dPXWR4ba/JOtdF5pHE2lsfiaahM3o43ORV59VDKtDpPb08dPXWR4ba/JOtW:fc43mFc43mFc43mFc43mFc43ml
Malware Config
Signatures
- GootLoader
  JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.
- Command and Scripting Interpreter: JavaScript (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  Processes: powershell.exe
  pid  | process
  4800 | powershell.exe (the same row is reported 25 times)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: powershell.exe
  description             | pid  | process
  Token: SeDebugPrivilege | 4800 | powershell.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: wscript.EXE, cscript.exe
  description                        | pid  | process     | target process
  PID 3304 wrote to memory of 1448   | 3304 | wscript.EXE | cscript.exe
  PID 3304 wrote to memory of 1448   | 3304 | wscript.EXE | cscript.exe
  PID 1448 wrote to memory of 4800   | 1448 | cscript.exe | powershell.exe
  PID 1448 wrote to memory of 4800   | 1448 | cscript.exe | powershell.exe
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\wscript.exe (depth 1)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\age requirement to pick up prescriptions 35941.js"
- \??\c:\windows\system32\wscript.EXE (depth 1)
  Command line: c:\windows\system32\wscript.EXE BUILDI~1.JS
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cscript.exe (depth 2)
    Command line: "C:\Windows\System32\cscript.exe" "BUILDI~1.JS"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: powershell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r0qmdeyc.jbp.ps1
  Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
- C:\Users\Admin\AppData\Roaming\Sun\BUILDI~1.JS
  Filesize: 39.8MB
  MD5: 4291004d13dcfb3c6ac54263cb0f1053
  SHA1: 244ba8cd2b4e85f7d8e64186edf2d73538b66364
  SHA256: 2cc76471ff381241a659c715cee57cf28867943a2c9eb176afca6545938798e6
  SHA512: 1e1b2e2f6add7aff4e48ba561593bd3c59ba4379b62b5d6db947aaeacc5303df0ad148e13221295c9907f86be651d2132aa2392998f8e980cae2b348e9e713cb
- memory/4800-7-0x0000021373D10000-0x0000021373D32000-memory.dmp
  Filesize: 136KB
- memory/4800-34-0x0000021374000000-0x000002137403C000-memory.dmp
  Filesize: 240KB
- memory/4800-45-0x00000213740C0000-0x0000021374136000-memory.dmp
  Filesize: 472KB