Analysis
- max time kernel: 281s
- max time network: 286s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-07-2024 10:26
Static task: static1
Behavioral task: behavioral1
Sample: canada revenue agency psac collective agreement 21615.js
Resource: win10v2004-20240709-en
General
- Target: canada revenue agency psac collective agreement 21615.js
- Size: 20.5MB
- MD5: 1add5539fec37fcc25c5223fa890a944
- SHA1: d9681e3eab7b0f6974f3cc0b13657376f9e6a72b
- SHA256: 173cf21fb6eb97344bf1e5941efab13afcadaed98dfa8ade37d672e2233d63c2
- SHA512: 4675f0442cf73061ca42be78b4f62904fb29825c74308c487543a9d7f6225a28585de4a154e91f9c85c991f6dfc3c6f6fdbcfb54cd38dd9db119b2551dc5d290
- SSDEEP: 49152:YYRxr8uC0NjaCXWigYRxr8uC0NjaCXWigYRxr8uC0NjaCXWif:Y772
Malware Config
Signatures
- GootLoader
  JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.
- Blocklisted process makes network request (9 IoCs)
  Processes: powershell.exe
  flow  pid   process
  50    2624  powershell.exe
  69    2624  powershell.exe
  72    2624  powershell.exe
  79    2624  powershell.exe
  82    2624  powershell.exe
  85    2624  powershell.exe
  88    2624  powershell.exe
  90    2624  powershell.exe
  91    2624  powershell.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: wscript.EXE
  description        ioc                                                                                                  process
  Key value queried  \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation  wscript.EXE
- Command and Scripting Interpreter: JavaScript (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  Processes: powershell.exe
  description  ioc                                                                                                                          process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\                                   powershell.exe
  Key created  \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\  powershell.exe
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  Processes: powershell.exe
  pid   process
  2624  powershell.exe (20 identical entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: powershell.exe
  description                          pid   process
  Token: SeDebugPrivilege              2624  powershell.exe
  Token: SeIncreaseQuotaPrivilege      2624  powershell.exe
  Token: SeSecurityPrivilege           2624  powershell.exe
  Token: SeTakeOwnershipPrivilege      2624  powershell.exe
  Token: SeLoadDriverPrivilege         2624  powershell.exe
  Token: SeSystemProfilePrivilege      2624  powershell.exe
  Token: SeSystemtimePrivilege         2624  powershell.exe
  Token: SeProfSingleProcessPrivilege  2624  powershell.exe
  Token: SeIncBasePriorityPrivilege    2624  powershell.exe
  Token: SeCreatePagefilePrivilege     2624  powershell.exe
  Token: SeBackupPrivilege             2624  powershell.exe
  Token: SeRestorePrivilege            2624  powershell.exe
  Token: SeShutdownPrivilege           2624  powershell.exe
  Token: SeDebugPrivilege              2624  powershell.exe
  Token: SeSystemEnvironmentPrivilege  2624  powershell.exe
  Token: SeRemoteShutdownPrivilege     2624  powershell.exe
  Token: SeUndockPrivilege             2624  powershell.exe
  Token: SeManageVolumePrivilege       2624  powershell.exe
  Token: 33                            2624  powershell.exe
  Token: 34                            2624  powershell.exe
  Token: 35                            2624  powershell.exe
  Token: 36                            2624  powershell.exe
  The 21-entry block from "Token: SeIncreaseQuotaPrivilege" through "Token: 36" is recorded three times in total, all for PID 2624 powershell.exe (1 + 3 x 21 = 64 entries).
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: wscript.EXE, cscript.exe
  description                       pid   process      target process
  PID 4532 wrote to memory of 4132  4532  wscript.EXE  cscript.exe
  PID 4532 wrote to memory of 4132  4532  wscript.EXE  cscript.exe
  PID 4132 wrote to memory of 2624  4132  cscript.exe  powershell.exe
  PID 4132 wrote to memory of 2624  4132  cscript.exe  powershell.exe
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\wscript.exe (tree depth 1)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\canada revenue agency psac collective agreement 21615.js"
  PID: 2268
- C:\Windows\system32\wscript.EXE (tree depth 1)
  Command line: C:\Windows\system32\wscript.EXE HEALTH~1.JS
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 4532
  - C:\Windows\System32\cscript.exe (tree depth 2, child of PID 4532)
    Command line: "C:\Windows\System32\cscript.exe" "HEALTH~1.JS"
    - Suspicious use of WriteProcessMemory
    PID: 4132
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 3, child of PID 4132)
      Command line: powershell
      - Blocklisted process makes network request
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2624
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 40.5MB
  MD5: 3de14370e2879aeadbe46a0e02f0976f
  SHA1: fb095a4f51b0ddcf2a556ad1580e8c6e884af8d3
  SHA256: 39ce6f31bd15d1e7978ebf11964a35376a36ebf230b06a4d2a9260fec1104047
  SHA512: 58e2c31447671f381297169e98c0f8f23157379c5e2ea8676ddbe05bb52ea89cddd129c93d1ed2be26457e40689c08af78ed916b51cf81538bc2d71dba8d06a7