Analysis
-
max time kernel
290s -
max time network
296s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
29-07-2024 12:46
Static task
static1
Behavioral task
behavioral1
Sample
canada revenue agency psac collective agreement 60755.js
Resource
win10v2004-20240709-en
General
-
Target
canada revenue agency psac collective agreement 60755.js
-
Size
13.7MB
-
MD5
63cf4b18ae1acb7db0a839c351608697
-
SHA1
890f9d086cf309e97f71501dec3dfe417ac7f5a2
-
SHA256
b53ec71b7a07ad3fb8c36a3c8cfc28eefd146cd3e17228b4c340474f25c48e37
-
SHA512
e90108845735cddb202c08db00e391d028d2a48e8743b2ef33a810bc2bbdee475894dce08f5b1194f20daa9df040da011205f842942d9f7f64e55445cbac67f7
-
SSDEEP
49152:YYRxr8uC0NjaCXB7gYRxr8uC0NjaCXB7f:nLz
Malware Config
Signatures
-
GootLoader
JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.
-
Blocklisted process makes network request 14 IoCs
Processes:
powershell.exeflow pid Process 65 3236 powershell.exe 68 3236 powershell.exe 71 3236 powershell.exe 78 3236 powershell.exe 81 3236 powershell.exe 83 3236 powershell.exe 84 3236 powershell.exe 85 3236 powershell.exe 89 3236 powershell.exe 92 3236 powershell.exe 94 3236 powershell.exe 95 3236 powershell.exe 98 3236 powershell.exe 100 3236 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
wscript.EXEdescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation wscript.EXE -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
Processes:
powershell.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ powershell.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ powershell.exe -
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
powershell.exepid Process 3236 powershell.exe 3236 powershell.exe 3236 powershell.exe 3236 powershell.exe 3236 powershell.exe 3236 powershell.exe 3236 powershell.exe 3236 powershell.exe 3236 powershell.exe 3236 powershell.exe 3236 powershell.exe 3236 powershell.exe 3236 powershell.exe 3236 powershell.exe 3236 powershell.exe 3236 powershell.exe 3236 powershell.exe 3236 powershell.exe 3236 powershell.exe 3236 powershell.exe 3236 powershell.exe 3236 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exedescription pid Process Token: SeDebugPrivilege 3236 powershell.exe Token: SeIncreaseQuotaPrivilege 3236 powershell.exe Token: SeSecurityPrivilege 3236 powershell.exe Token: SeTakeOwnershipPrivilege 3236 powershell.exe Token: SeLoadDriverPrivilege 3236 powershell.exe Token: SeSystemProfilePrivilege 3236 powershell.exe Token: SeSystemtimePrivilege 3236 powershell.exe Token: SeProfSingleProcessPrivilege 3236 powershell.exe Token: SeIncBasePriorityPrivilege 3236 powershell.exe Token: SeCreatePagefilePrivilege 3236 powershell.exe Token: SeBackupPrivilege 3236 powershell.exe Token: SeRestorePrivilege 3236 powershell.exe Token: SeShutdownPrivilege 3236 powershell.exe Token: SeDebugPrivilege 3236 powershell.exe Token: SeSystemEnvironmentPrivilege 3236 powershell.exe Token: SeRemoteShutdownPrivilege 3236 powershell.exe Token: SeUndockPrivilege 3236 powershell.exe Token: SeManageVolumePrivilege 3236 powershell.exe Token: 33 3236 powershell.exe Token: 34 3236 powershell.exe Token: 35 3236 powershell.exe Token: 36 3236 powershell.exe Token: SeIncreaseQuotaPrivilege 3236 powershell.exe Token: SeSecurityPrivilege 3236 powershell.exe Token: SeTakeOwnershipPrivilege 3236 powershell.exe Token: SeLoadDriverPrivilege 3236 powershell.exe Token: SeSystemProfilePrivilege 3236 powershell.exe Token: SeSystemtimePrivilege 3236 powershell.exe Token: SeProfSingleProcessPrivilege 3236 powershell.exe Token: SeIncBasePriorityPrivilege 3236 powershell.exe Token: SeCreatePagefilePrivilege 3236 powershell.exe Token: SeBackupPrivilege 3236 powershell.exe Token: SeRestorePrivilege 3236 powershell.exe Token: SeShutdownPrivilege 3236 powershell.exe Token: SeDebugPrivilege 3236 powershell.exe Token: SeSystemEnvironmentPrivilege 3236 powershell.exe Token: SeRemoteShutdownPrivilege 3236 powershell.exe Token: SeUndockPrivilege 3236 powershell.exe Token: SeManageVolumePrivilege 3236 powershell.exe Token: 33 3236 powershell.exe Token: 34 3236 powershell.exe Token: 35 3236 powershell.exe Token: 36 3236 powershell.exe Token: SeIncreaseQuotaPrivilege 3236 powershell.exe Token: SeSecurityPrivilege 3236 powershell.exe Token: SeTakeOwnershipPrivilege 3236 powershell.exe Token: SeLoadDriverPrivilege 3236 powershell.exe Token: SeSystemProfilePrivilege 3236 powershell.exe Token: SeSystemtimePrivilege 3236 powershell.exe Token: SeProfSingleProcessPrivilege 3236 powershell.exe Token: SeIncBasePriorityPrivilege 3236 powershell.exe Token: SeCreatePagefilePrivilege 3236 powershell.exe Token: SeBackupPrivilege 3236 powershell.exe Token: SeRestorePrivilege 3236 powershell.exe Token: SeShutdownPrivilege 3236 powershell.exe Token: SeDebugPrivilege 3236 powershell.exe Token: SeSystemEnvironmentPrivilege 3236 powershell.exe Token: SeRemoteShutdownPrivilege 3236 powershell.exe Token: SeUndockPrivilege 3236 powershell.exe Token: SeManageVolumePrivilege 3236 powershell.exe Token: 33 3236 powershell.exe Token: 34 3236 powershell.exe Token: 35 3236 powershell.exe Token: 36 3236 powershell.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
wscript.EXEcscript.exedescription pid Process procid_target PID 1952 wrote to memory of 5072 1952 wscript.EXE 105 PID 1952 wrote to memory of 5072 1952 wscript.EXE 105 PID 5072 wrote to memory of 3236 5072 cscript.exe 107 PID 5072 wrote to memory of 3236 5072 cscript.exe 107 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\canada revenue agency psac collective agreement 60755.js"1⤵PID:3940
-
C:\Windows\system32\wscript.EXEC:\Windows\system32\wscript.EXE EVENTM~1.JS1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\System32\cscript.exe"C:\Windows\System32\cscript.exe" "EVENTM~1.JS"2⤵
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell3⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3236
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
38.4MB
MD5d6cbdefd0621c8f45853f9d0852e2c64
SHA1b2bf9fb053bacd217d94d3492981b3826f2f1e42
SHA256aa228ec9abb6c81bd5c390c0b386c0d682f3061c4548e0370631ec2402d4d4f1
SHA512e3c3029e1362dc65d86464af570646add3ab5fc6371b04801f0636a3d5bd35aeebee7807d73bba4e287cd9da44411e954818a7420e9606984f330f6e8187c976