Analysis

  • max time kernel
    290s
  • max time network
    296s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-07-2024 12:46

General

  • Target

    canada revenue agency psac collective agreement 60755.js

  • Size

    13.7MB

  • MD5

    63cf4b18ae1acb7db0a839c351608697

  • SHA1

    890f9d086cf309e97f71501dec3dfe417ac7f5a2

  • SHA256

    b53ec71b7a07ad3fb8c36a3c8cfc28eefd146cd3e17228b4c340474f25c48e37

  • SHA512

    e90108845735cddb202c08db00e391d028d2a48e8743b2ef33a810bc2bbdee475894dce08f5b1194f20daa9df040da011205f842942d9f7f64e55445cbac67f7

  • SSDEEP

    49152:YYRxr8uC0NjaCXB7gYRxr8uC0NjaCXB7f:nLz

Malware Config

Signatures

  • GootLoader

    JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.

  • Blocklisted process makes network request 14 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\canada revenue agency psac collective agreement 60755.js"
    1⤵
      PID:3940
    • C:\Windows\system32\wscript.EXE
      C:\Windows\system32\wscript.EXE EVENTM~1.JS
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1952
      • C:\Windows\System32\cscript.exe
        "C:\Windows\System32\cscript.exe" "EVENTM~1.JS"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:5072
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell
          3⤵
          • Blocklisted process makes network request
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3236

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_quoffwuk.0ur.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Roaming\Adobe\EVENTM~1.JS

      Filesize

      38.4MB

      MD5

      d6cbdefd0621c8f45853f9d0852e2c64

      SHA1

      b2bf9fb053bacd217d94d3492981b3826f2f1e42

      SHA256

      aa228ec9abb6c81bd5c390c0b386c0d682f3061c4548e0370631ec2402d4d4f1

      SHA512

      e3c3029e1362dc65d86464af570646add3ab5fc6371b04801f0636a3d5bd35aeebee7807d73bba4e287cd9da44411e954818a7420e9606984f330f6e8187c976

    • memory/3236-8-0x000001EC4BF50000-0x000001EC4BF72000-memory.dmp

      Filesize

      136KB

    • memory/3236-13-0x000001EC4CA60000-0x000001EC4CAA4000-memory.dmp

      Filesize

      272KB

    • memory/3236-14-0x000001EC4CEB0000-0x000001EC4CF26000-memory.dmp

      Filesize

      472KB

    • memory/3236-15-0x000001EC4D0D0000-0x000001EC4D0FA000-memory.dmp

      Filesize

      168KB

    • memory/3236-16-0x000001EC4D0D0000-0x000001EC4D0F4000-memory.dmp

      Filesize

      144KB