Overview

overview

10

Static

static

1

illinois m...833.js

windows10-1703-x64

10

illinois m...833.js

windows10-2004-x64

10

illinois m...833.js

windows11-21h2-x64

10

Analysis

  • max time kernel
    1795s
  • max time network
    1587s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    18-06-2024 15:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    illinois mold laws 93833.js

  • Size

    6.6MB

  • MD5

    69b91189949561cf743e11c1339cae53

  • SHA1

    70a2b77219d0530e388335a9da62f44616b5bb96

  • SHA256

    309c5e86c1aea1c56c1042e2d8ed8579bf712e8b3ba92486f04c0300a6d13608

  • SHA512

    dd85a1071818c2caf46034597a2a9b07b0e1d352dd3bd0d5a8969e2143a1e527dd0e36bd5f9b514b17ef71649a5f84609f023194826e9c64a07a692b75a3c2eb

  • SSDEEP

    49152:VXytwpCQK+ZjXytwpCQK+ZjXytwpCQK+ZjXytwpCQK+ZjXytwpCQK+ZjXytwpCQV:V55555b

Score
10/10
gootloaderexecutionloader

Malware Config

Signatures

  • GootLoader

    JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.

    loadergootloader
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\illinois mold laws 93833.js"
    1⤵
      PID:2276
    • \??\c:\windows\system32\wscript.EXE
      c:\windows\system32\wscript.EXE GRASTO~1.JS
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\System32\cscript.exe
        "C:\Windows\System32\cscript.exe" "GRASTO~1.JS"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:220
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4352

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    JavaScript

    1
    T1059.007

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5s0rcdql.mlo.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\GRASTO~1.JS
      Filesize

      41.2MB

      MD5

      5a7115598cd621d72717942276134759

      SHA1

      9f9a33c57ed4181df3a3cf3af91518c1252827e8

      SHA256

      db3fddbdcd67b2958063342ba72296cd7005f65f8d04fcb89b9b1011a83c5f02

      SHA512

      a622a3f3ca4e62c98ad76f6cd397397e9d923190743c271c0e3e57208f866ac5acfdd721f2b5b90b59218af7582e89553230e8b9d9cc6dc311285defee4297c5

      Download Submit
    • memory/4352-7-0x000002122C6D0000-0x000002122C6F2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/4352-34-0x000002122C630000-0x000002122C66C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/4352-45-0x000002122CD10000-0x000002122CD86000-memory.dmp
      Filesize

      472KB

      Download