Overview

overview

10

Static

static

1

9fdfa51e09...548.js

windows7-x64

10

9fdfa51e09...548.js

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    25-07-2024 12:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9fdfa51e09526526342cebfb831fe3fbb0095aa779b9381bd50cf3509799b548.js

  • Size

    20.5MB

  • MD5

    3da403ae5012e4b10c6fc06db02c270d

  • SHA1

    0349a0f045a960e9a5306501962b7c5175058384

  • SHA256

    9fdfa51e09526526342cebfb831fe3fbb0095aa779b9381bd50cf3509799b548

  • SHA512

    f91f16e0b07d2dbee67209216f6fbd741eb9d52b1cf8c3e7a7f09a78bc5914577d4f7b6a4a08dea7753c000841ec24eba74762b8cf2de013b5d1195ff3588921

  • SSDEEP

    49152:YYRxr8uC0NjaCX2RgYRxr8uC0NjaCX2RgYRxr8uC0NjaCX2Rf:sqqF

Score
10/10
gootloaderexecutionloader

Malware Config

Signatures

  • GootLoader

    JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.

    loadergootloader
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\9fdfa51e09526526342cebfb831fe3fbb0095aa779b9381bd50cf3509799b548.js
    1⤵
      PID:1640
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {148C0CCD-C206-4B48-A696-CB999D7FCFB0} S-1-5-21-940600906-3464502421-4240639183-1000:MGWWAYYN\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2824
      • C:\Windows\system32\wscript.EXE
        C:\Windows\system32\wscript.EXE JAVAWE~1.JS
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2632
        • C:\Windows\System32\cscript.exe
          "C:\Windows\System32\cscript.exe" "JAVAWE~1.JS"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2676
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2088

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Adobe\JAVAWE~1.JS
      Filesize

      44.0MB

      MD5

      7c5c385206019cdb1b41364a4b8a7e87

      SHA1

      b7e9038dad45fd605a18d873b74dde6af530606a

      SHA256

      d3a4e6d6a8551ef1a1529e83a5f199a5d7f20351c70784e48d2297eefb5a9a92

      SHA512

      3233c00c43b799ad2f5b64ea440ee254b42da2c16bc04fc2a58f23738564da2c1827baf0e500ac3ba50286bdd28cf768e070607ca2e5b292e2aa2665ac33b6e6

      Download Submit

    • memory/2088-7-0x000000001B770000-0x000000001BA52000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2088-8-0x0000000001E10000-0x0000000001E18000-memory.dmp

      Filesize

      32KB

      Download