Overview

overview

10

Static

static

1

contract s...628.js

windows11-21h2-x64

10

Resubmissions

24-06-2024 17:15

240624-vstf4atdke 10

24-06-2024 16:01

240624-tgde3a1amc 10

Analysis

  • max time kernel
    148s
  • max time network
    93s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    24-06-2024 17:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    contract scope definition 24628.js

  • Size

    27.8MB

  • MD5

    b29e22609c49250b81ddaaa15a0ac0e6

  • SHA1

    73d7436f682c703ca6fa67bb496f39e1fa340912

  • SHA256

    22664cda36be447f11391069feaa915d4c79e69a502cc9a845569cc3052a70d9

  • SHA512

    9c1cfae7d364754cec67877e45169185f76dea70804f0083d32fab09e2d34cf99a90bf683e5c3f068740e90e7d717d28471a3ad17368aa3f926879baad0297b1

  • SSDEEP

    49152:pbR08dPXWR4ba/JOtdF5pHE2lsfiaahM3o43ORV59VDKtDWbR08dPXWR4ba/JOtv:ec43m0c43m0c43m0c43m0c43m0c43ml

Score
10/10
gootloaderexecutionloader

Malware Config

Signatures

  • GootLoader

    JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.

    loadergootloader
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\contract scope definition 24628.js"
    1⤵
      PID:436
    • C:\Windows\system32\wscript.EXE
      C:\Windows\system32\wscript.EXE SPORTS~1.JS
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2124
      • C:\Windows\System32\cscript.exe
        "C:\Windows\System32\cscript.exe" "SPORTS~1.JS"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2212
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3240

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t1tgxk4m.fjf.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Sun\SPORTS~1.JS
      Filesize

      40.8MB

      MD5

      6d50f3d2a69fc77b13347cceb6dae935

      SHA1

      5cc38baaab3ed39f63cdcc91e8151eaa99e12c62

      SHA256

      62c6b38f216ba44c5bfaa860ddb4bc67116211efc7879f4fda839cc3c768c129

      SHA512

      72dea15cc2d355822c2737e427528a4fbc4788129cec99e4b7998838c68f77a7c265e6cd7f74a6400d51a2b12b0d87223eb803404472af151a9a2931d638ee65

      Download Submit

    • memory/3240-11-0x0000026CE04A0000-0x0000026CE04C2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3240-12-0x0000026CE08D0000-0x0000026CE0916000-memory.dmp

      Filesize

      280KB

      Download