gootloader | 755618e7ea05f85de857743d10cdf95bb3c09529b40ec5b430faa0db982aca94

Analysis

max time kernel
139s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

755618e7ea05f85de857743d10cdf95bb3c09529b40ec5b430faa0db982aca94.js
Size

19.8MB
MD5

1dabc0ec28edb2de81fb7cfdad33ba70
SHA1

5c09c537cc273b0abb16b0ea8183f40a53ebe57a
SHA256

755618e7ea05f85de857743d10cdf95bb3c09529b40ec5b430faa0db982aca94
SHA512

00d954d1b35e1a2bef5918e3083c509bcbf43f463d0c04aec2fc5c8cc685b58a6ac36327d4c14450266f8e3862852c4d52700ca318dca2c982b2a3d3b4d0a1fd
SSDEEP

49152:e+GH+R4FbEc6GhQj579l+4SSNRLFjzW03NZPn3SbYmGBl+Kn8P4BlwUC3kiQijs7:Z3k3k3k3k3k3k3k3K

Score

10^/10

gootloader execution loader

Malware Config

Signatures

GootLoader
JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.
loader gootloader

Blocklisted process makes network request 4 IoCs

Processes:

powershell.exe

flow	pid	Process
49	3604	powershell.exe
57	3604	powershell.exe
69	3604	powershell.exe
72	3604	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.EXE

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	wscript.EXE

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

powershell.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	powershell.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exe

pid	Process
3604	powershell.exe
3604	powershell.exe
3604	powershell.exe
3604	powershell.exe
3604	powershell.exe
3604	powershell.exe
3604	powershell.exe
3604	powershell.exe
3604	powershell.exe
3604	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	3604	powershell.exe
Token: SeIncreaseQuotaPrivilege	3604	powershell.exe
Token: SeSecurityPrivilege	3604	powershell.exe
Token: SeTakeOwnershipPrivilege	3604	powershell.exe
Token: SeLoadDriverPrivilege	3604	powershell.exe
Token: SeSystemProfilePrivilege	3604	powershell.exe
Token: SeSystemtimePrivilege	3604	powershell.exe
Token: SeProfSingleProcessPrivilege	3604	powershell.exe
Token: SeIncBasePriorityPrivilege	3604	powershell.exe
Token: SeCreatePagefilePrivilege	3604	powershell.exe
Token: SeBackupPrivilege	3604	powershell.exe
Token: SeRestorePrivilege	3604	powershell.exe
Token: SeShutdownPrivilege	3604	powershell.exe
Token: SeDebugPrivilege	3604	powershell.exe
Token: SeSystemEnvironmentPrivilege	3604	powershell.exe
Token: SeRemoteShutdownPrivilege	3604	powershell.exe
Token: SeUndockPrivilege	3604	powershell.exe
Token: SeManageVolumePrivilege	3604	powershell.exe
Token: 33	3604	powershell.exe
Token: 34	3604	powershell.exe
Token: 35	3604	powershell.exe
Token: 36	3604	powershell.exe
Token: SeIncreaseQuotaPrivilege	3604	powershell.exe
Token: SeSecurityPrivilege	3604	powershell.exe
Token: SeTakeOwnershipPrivilege	3604	powershell.exe
Token: SeLoadDriverPrivilege	3604	powershell.exe
Token: SeSystemProfilePrivilege	3604	powershell.exe
Token: SeSystemtimePrivilege	3604	powershell.exe
Token: SeProfSingleProcessPrivilege	3604	powershell.exe
Token: SeIncBasePriorityPrivilege	3604	powershell.exe
Token: SeCreatePagefilePrivilege	3604	powershell.exe
Token: SeBackupPrivilege	3604	powershell.exe
Token: SeRestorePrivilege	3604	powershell.exe
Token: SeShutdownPrivilege	3604	powershell.exe
Token: SeDebugPrivilege	3604	powershell.exe
Token: SeSystemEnvironmentPrivilege	3604	powershell.exe
Token: SeRemoteShutdownPrivilege	3604	powershell.exe
Token: SeUndockPrivilege	3604	powershell.exe
Token: SeManageVolumePrivilege	3604	powershell.exe
Token: 33	3604	powershell.exe
Token: 34	3604	powershell.exe
Token: 35	3604	powershell.exe
Token: 36	3604	powershell.exe
Token: SeIncreaseQuotaPrivilege	3604	powershell.exe
Token: SeSecurityPrivilege	3604	powershell.exe
Token: SeTakeOwnershipPrivilege	3604	powershell.exe
Token: SeLoadDriverPrivilege	3604	powershell.exe
Token: SeSystemProfilePrivilege	3604	powershell.exe
Token: SeSystemtimePrivilege	3604	powershell.exe
Token: SeProfSingleProcessPrivilege	3604	powershell.exe
Token: SeIncBasePriorityPrivilege	3604	powershell.exe
Token: SeCreatePagefilePrivilege	3604	powershell.exe
Token: SeBackupPrivilege	3604	powershell.exe
Token: SeRestorePrivilege	3604	powershell.exe
Token: SeShutdownPrivilege	3604	powershell.exe
Token: SeDebugPrivilege	3604	powershell.exe
Token: SeSystemEnvironmentPrivilege	3604	powershell.exe
Token: SeRemoteShutdownPrivilege	3604	powershell.exe
Token: SeUndockPrivilege	3604	powershell.exe
Token: SeManageVolumePrivilege	3604	powershell.exe
Token: 33	3604	powershell.exe
Token: 34	3604	powershell.exe
Token: 35	3604	powershell.exe
Token: 36	3604	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.EXEcscript.exe

description	pid	Process	procid_target
PID 4276 wrote to memory of 4888	4276	wscript.EXE	98
PID 4276 wrote to memory of 4888	4276	wscript.EXE	98
PID 4888 wrote to memory of 3604	4888	cscript.exe	101
PID 4888 wrote to memory of 3604	4888	cscript.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\755618e7ea05f85de857743d10cdf95bb3c09529b40ec5b430faa0db982aca94.js
1⤵
PID:2204

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE SPONSO~1.JS
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Windows\System32\cscript.exe
  "C:\Windows\System32\cscript.exe" "SPONSO~1.JS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell
    3⤵
    - Blocklisted process makes network request
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i0ynicun.bjm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\SPONSO~1.JS

Filesize
46.0MB

MD5
cfb6843a5aa189d4b9716a595a6af70f

SHA1
98d00922e0b1f79ea24fe6d5128528cc3873a1ef

SHA256
98b7c95fec3e0ec8f85706c5e71351a0c04979c54da52e40ec4f8620bb216d0f

SHA512
d4dbd83e42faf9374373aad51d94f3f51ab90da3d24d93f34e793b33dff20df27cace285846743267f854b9a09d8b29ee8f0bfd9f46581ffb26200ce5b623216

Download Submit
memory/3604-3-0x000002AFD2240000-0x000002AFD2262000-memory.dmp

Filesize
136KB

Download
memory/3604-13-0x000002AFEAC00000-0x000002AFEAC44000-memory.dmp

Filesize
272KB

Download
memory/3604-14-0x000002AFEACD0000-0x000002AFEAD46000-memory.dmp

Filesize
472KB

Download
memory/3604-15-0x000002AFEB790000-0x000002AFEB7BA000-memory.dmp

Filesize
168KB

Download
memory/3604-16-0x000002AFEB790000-0x000002AFEB7B4000-memory.dmp

Filesize
144KB

Download