gootloader | 409f0ffb96db2598ee8aee7800b3d6d2b1f751c241f5a2f8062d34515f5b3137

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
01/08/2024, 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pa collective agreement pay 2365.js
Size

23.2MB
MD5

b138e06a4863f6356ce014a0f63d1406
SHA1

506b43b59c71118165f161705ed995803a4ba0a6
SHA256

409f0ffb96db2598ee8aee7800b3d6d2b1f751c241f5a2f8062d34515f5b3137
SHA512

cf9e660ed86c53bb7f7e492957eca25a87080eccb9b6b8940b61df91cf1c7b32677c7bffc5cbf65b8c53048b2184cbd53d98b4de2ba11ba96dd65266a11a1306
SSDEEP

49152:SBC08dPXWR4ba/JOtdF5pHE2lsfiaahM3o43ORV59VDKtDNBC08dPXWR4ba/JOtN:ic43m0c43m0c43m0c43m0c43ml

Score

10^/10

gootloader execution loader

Malware Config

Signatures

GootLoader
JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.
loader gootloader
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1664	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1664	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2956	2976	taskeng.exe	31
PID 2976 wrote to memory of 2956	2976	taskeng.exe	31
PID 2976 wrote to memory of 2956	2976	taskeng.exe	31
PID 2956 wrote to memory of 2872	2956	wscript.EXE	32
PID 2956 wrote to memory of 2872	2956	wscript.EXE	32
PID 2956 wrote to memory of 2872	2956	wscript.EXE	32
PID 2872 wrote to memory of 1664	2872	cscript.exe	34
PID 2872 wrote to memory of 1664	2872	cscript.exe	34
PID 2872 wrote to memory of 1664	2872	cscript.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\pa collective agreement pay 2365.js"
1⤵
PID:2272

C:\Windows\system32\taskeng.exe
taskeng.exe {BA6C5467-4476-4560-B646-6AE42A46AD42} S-1-5-21-3502430532-24693940-2469786940-1000:PSBQWFYT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\system32\wscript.EXE
  C:\Windows\system32\wscript.EXE CREATI~1.JS
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\System32\cscript.exe
    "C:\Windows\System32\cscript.exe" "CREATI~1.JS"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Macromedia\CREATI~1.JS

Filesize
42.8MB

MD5
e88346ec9933c20d9fb46208d8f6615b

SHA1
8384080b4b0d4b6edbecdc62585f090aa205e2d7

SHA256
0f725f3877a9ac7a5fc9887ccdef10d5cbeb20098a159be7dbbc4a8d4a5dafe6

SHA512
fc0ec0188440ff0dd850407d60456f7ef3328626a9e7636f24c42c48ce7a2b716ae85345154854179be90efb0a0b4303ce03d1fb059ac8d3510c474b67b9dc9f

Download Submit
memory/1664-7-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/1664-8-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download