Overview

overview

10

Static

static

1

b53ec71b7a...e37.js

windows7-x64

10

b53ec71b7a...e37.js

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    29-07-2024 12:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b53ec71b7a07ad3fb8c36a3c8cfc28eefd146cd3e17228b4c340474f25c48e37.js

  • Size

    13.7MB

  • MD5

    63cf4b18ae1acb7db0a839c351608697

  • SHA1

    890f9d086cf309e97f71501dec3dfe417ac7f5a2

  • SHA256

    b53ec71b7a07ad3fb8c36a3c8cfc28eefd146cd3e17228b4c340474f25c48e37

  • SHA512

    e90108845735cddb202c08db00e391d028d2a48e8743b2ef33a810bc2bbdee475894dce08f5b1194f20daa9df040da011205f842942d9f7f64e55445cbac67f7

  • SSDEEP

    49152:YYRxr8uC0NjaCXB7gYRxr8uC0NjaCXB7f:nLz

Score
10/10
gootloaderexecutionloader

Malware Config

Signatures

  • GootLoader

    JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.

    loadergootloader
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\b53ec71b7a07ad3fb8c36a3c8cfc28eefd146cd3e17228b4c340474f25c48e37.js
    1⤵
      PID:2272
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {59105A31-148B-4CFA-A89C-A7318D7E84AC} S-1-5-21-3450744190-3404161390-554719085-1000:PDIZKVQX\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3012
      • C:\Windows\system32\wscript.EXE
        C:\Windows\system32\wscript.EXE EVENTM~1.JS
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2308
        • C:\Windows\System32\cscript.exe
          "C:\Windows\System32\cscript.exe" "EVENTM~1.JS"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1596
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:856

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Adobe\EVENTM~1.JS
      Filesize

      38.4MB

      MD5

      d6cbdefd0621c8f45853f9d0852e2c64

      SHA1

      b2bf9fb053bacd217d94d3492981b3826f2f1e42

      SHA256

      aa228ec9abb6c81bd5c390c0b386c0d682f3061c4548e0370631ec2402d4d4f1

      SHA512

      e3c3029e1362dc65d86464af570646add3ab5fc6371b04801f0636a3d5bd35aeebee7807d73bba4e287cd9da44411e954818a7420e9606984f330f6e8187c976

      Download Submit

    • memory/856-7-0x000000001B570000-0x000000001B852000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/856-8-0x0000000002790000-0x0000000002798000-memory.dmp

      Filesize

      32KB

      Download