gootloader | b19b5c27a4a4120cd9ad8a3d7560a861e07580db9a83804f1442c7e14c449dda

Analysis

max time kernel
357s
max time network
357s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
21-06-2024 13:16

Target

INTERN~1.js
Size

43.7MB
MD5

835e5d705a9a169f4025e1349b7a187f
SHA1

0e12a2f1fba539453910095ee3667a4661718f50
SHA256

b19b5c27a4a4120cd9ad8a3d7560a861e07580db9a83804f1442c7e14c449dda
SHA512

20315db091592bbef125b124151c70d7b59c2b2c4ab26ff22fca17c26c2ddf086c1702db362152c8567aef9dc9637ea7fad7a6b14abfd7cc37ab5fab32b1ff27
SSDEEP

12288:oLjnLjnLjnLjnLjnLjnLjnLjnLjnLjnLjnLjnLjnLjnLjnLjnLjnLjnLjnLjnLjc:n

Score

10^/10

GootLoader
JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.
loader gootloader
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2728 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2728 powershell.exe

pid	process
2728	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2728	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

wscript.execscript.exe

description	pid	process	target process
PID 2844 wrote to memory of 3012	2844	wscript.exe	cscript.exe
PID 2844 wrote to memory of 3012	2844	wscript.exe	cscript.exe
PID 2844 wrote to memory of 3012	2844	wscript.exe	cscript.exe
PID 3012 wrote to memory of 2728	3012	cscript.exe	powershell.exe
PID 3012 wrote to memory of 2728	3012	cscript.exe	powershell.exe
PID 3012 wrote to memory of 2728	3012	cscript.exe	powershell.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\INTERN~1.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\System32\cscript.exe
  "C:\Windows\System32\cscript.exe" "INTERN~1.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2728

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/2728-4-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2728-5-0x0000000002970000-0x0000000002978000-memory.dmp

Filesize
32KB

Download