gootloader | 622b20a8bbee405b775d7727587306afa3d4e69ae2841b19059953824fc38311

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19-08-2024 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

622b20a8bbee405b775d7727587306afa3d4e69ae2841b19059953824fc38311.js
Size

7.4MB
MD5

a7f1167e911fbc5cf4ac56f83ed3212f
SHA1

9df8141203da50a4fba1f52fcef7a9ee7931bb9d
SHA256

622b20a8bbee405b775d7727587306afa3d4e69ae2841b19059953824fc38311
SHA512

1e7bf40aae8e1e7dba44a3942f6e24d49b6e2a221a490cd2097cbec29a71a1906880dabd9665133a0cfffc01d8b6cb831c3b2b06331404446d14f08b94765dcd
SSDEEP

49152:Ercw+9hFbEc6GhQk5C5l+4SSNRLFjzW03NZPn3SbYmGBl+Kn8P4BlwUC3kiQijsE:q3r3r3K

Score

10^/10

gootloader execution loader

Malware Config

Signatures

GootLoader
JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.
loader gootloader
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid	Process
560	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	560	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

taskeng.exewscript.EXEcscript.exe

description	pid	Process	procid_target
PID 2684 wrote to memory of 2084	2684	taskeng.exe	32
PID 2684 wrote to memory of 2084	2684	taskeng.exe	32
PID 2684 wrote to memory of 2084	2684	taskeng.exe	32
PID 2084 wrote to memory of 2564	2084	wscript.EXE	33
PID 2084 wrote to memory of 2564	2084	wscript.EXE	33
PID 2084 wrote to memory of 2564	2084	wscript.EXE	33
PID 2564 wrote to memory of 560	2564	cscript.exe	35
PID 2564 wrote to memory of 560	2564	cscript.exe	35
PID 2564 wrote to memory of 560	2564	cscript.exe	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\622b20a8bbee405b775d7727587306afa3d4e69ae2841b19059953824fc38311.js
1⤵
PID:3044

C:\Windows\system32\taskeng.exe
taskeng.exe {94633681-D847-40A4-8987-91945F1EEF21} S-1-5-21-1385883288-3042840365-2734249351-1000:RPXOCQRF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\system32\wscript.EXE
  C:\Windows\system32\wscript.EXE ALTERN~1.JS
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\System32\cscript.exe
    "C:\Windows\System32\cscript.exe" "ALTERN~1.JS"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Macromedia\ALTERN~1.JS

Filesize
46.4MB

MD5
590dcb6877e4be12ca3ccc9fa7da2d7c

SHA1
4867c74faed87bed613b9a6350908bec3579680c

SHA256
8dfbb6af7ef506df40a32e5353dae61fcac07dde8d1acdb4986512f4a80e3be9

SHA512
5b3bc302dda2fafef8a477c6c8af791583a8cbd88deac2067fa9289b35b635f2a14c624401e688db347d2a0e06b4e9875928c29cf2ac7faec5d8f63a1b3c7871

Download Submit
memory/560-7-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/560-8-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download