Overview

overview

10

Static

static

1

1771f94e89...82c.js

windows7-x64

10

1771f94e89...82c.js

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    30-08-2024 15:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1771f94e898e28e8d9e6eac9ff8fa457ca17948d4599890915b833e71106982c.js

  • Size

    5.3MB

  • MD5

    c34769845b3c81530e785a2539d55ad9

  • SHA1

    f429bbe44bc3c633b7675175708c76093003feff

  • SHA256

    1771f94e898e28e8d9e6eac9ff8fa457ca17948d4599890915b833e71106982c

  • SHA512

    c1d9a7db007e82d8ff2a60be97b1096e28beec1fbed847db0d4656b447441d4317d32159261a4eaf53022702c81256a4adb79c6fce50a82b9b88c15ee14a4ace

  • SSDEEP

    49152:tWR+nGElwTrd6gG/s+LfHQ0WR+nGElwTrd6gG/s+LfHQ0WR+nGElwTrd6gG/s+Lr:trrr9

Score
10/10
gootloaderexecutionloader

Malware Config

Signatures

  • GootLoader

    JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.

    loadergootloader
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\1771f94e898e28e8d9e6eac9ff8fa457ca17948d4599890915b833e71106982c.js
    1⤵
      PID:1952
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {B260FF70-166C-48C1-B43D-02CBAAB5A13C} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2856
      • C:\Windows\system32\wscript.EXE
        C:\Windows\system32\wscript.EXE VIRTUA~1.JS
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2904
        • C:\Windows\System32\cscript.exe
          "C:\Windows\System32\cscript.exe" "VIRTUA~1.JS"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2912
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2820

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Macromedia\VIRTUA~1.JS
      Filesize

      45.7MB

      MD5

      fa33856cdd141858ba2ac178f7fa578e

      SHA1

      f1679423b57a78d29e7a46962a89e08f29db0f55

      SHA256

      83c748a7477453552193038657cd29fbc47cea50cb77ec52767ee7091f7af6f8

      SHA512

      97a728ce3576bec8512e069d150a75695450176443243655b62b126abdbeace6bfe93979959d150f82362c375f3e688543cc29f2ad4ed6fb3c1bdf679fcf710f

      Download Submit

    • memory/2820-7-0x000000001B620000-0x000000001B902000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2820-8-0x0000000001F80000-0x0000000001F88000-memory.dmp

      Filesize

      32KB

      Download