gootloader | 4f2846f0cd6bdf7a93b1fa0b34844414bd287367edf203ef206c90f4bf6147e4

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27-08-2024 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f2846f0cd6bdf7a93b1fa0b34844414bd287367edf203ef206c90f4bf6147e4.js
Size

4.0MB
MD5

b6bed8b75a4418875fed6d8bcff17f95
SHA1

d2762e10e7abcd191650fe3f2b50c4630855cdb2
SHA256

4f2846f0cd6bdf7a93b1fa0b34844414bd287367edf203ef206c90f4bf6147e4
SHA512

94a694c4224bfed73b5397e7d0aec53b2ebef1abd474dc06e507948738a41b7619e568a5f5cb577a5a8b16ade43c806db8e8fc67db667c26ff694c2ec14bdfd4
SSDEEP

49152:3icUnqsGw1cICwa/s+LfHQkicUnqsGw1cICwa/s+LfHQkicUnqsGw1cICwa/s+Lr:3ppR

Score

10^/10

gootloader execution loader

Malware Config

Signatures

GootLoader
JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.
loader gootloader
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid	Process
1496	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	1496	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

taskeng.exewscript.EXEcscript.exe

description	pid	Process	procid_target
PID 2588 wrote to memory of 2552	2588	taskeng.exe	31
PID 2588 wrote to memory of 2552	2588	taskeng.exe	31
PID 2588 wrote to memory of 2552	2588	taskeng.exe	31
PID 2552 wrote to memory of 2796	2552	wscript.EXE	32
PID 2552 wrote to memory of 2796	2552	wscript.EXE	32
PID 2552 wrote to memory of 2796	2552	wscript.EXE	32
PID 2796 wrote to memory of 1496	2796	cscript.exe	34
PID 2796 wrote to memory of 1496	2796	cscript.exe	34
PID 2796 wrote to memory of 1496	2796	cscript.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\4f2846f0cd6bdf7a93b1fa0b34844414bd287367edf203ef206c90f4bf6147e4.js
1⤵
PID:2060

C:\Windows\system32\taskeng.exe
taskeng.exe {5DFE6FD0-D465-4015-8C34-9091ABADC81B} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\system32\wscript.EXE
  C:\Windows\system32\wscript.EXE CULTUR~1.JS
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\System32\cscript.exe
    "C:\Windows\System32\cscript.exe" "CULTUR~1.JS"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\CULTUR~1.JS

Filesize
43.5MB

MD5
c7fa3835de8bc61dac831d2719a64a33

SHA1
aec562944d852880619fe4a7c67a2f36d685ebc9

SHA256
bc71bfd085e89375dded036e65518df4f772dac440ef80de9aeebc3fd3b9ba14

SHA512
29ede48d0d99d5766d69e0964a6ee61b131b922d6b07b1528d6789507f9b6c8d11bc218563f5c902a98a94139dd80dbb621de98d418ec4e3a0dee8ae416e1d90

Download Submit
memory/1496-7-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/1496-8-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download