Analysis
- max time kernel: 120s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 01-10-2024 01:15
Static task: static1
Behavioral task: behavioral1
  Sample: unionoftaxationemployeescollectiveagreement31442.js
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: unionoftaxationemployeescollectiveagreement31442.js
  Resource: win10v2004-20240802-en
General
- Target: unionoftaxationemployeescollectiveagreement31442.js
- Size: 9.0MB
- MD5: ebc47d7b05d2cb462f3366cd0a62d595
- SHA1: 41b1b09e348e0cea83c9840cef8565fbc15e40e4
- SHA256: aa69518515803dc5f4126950d94443f0bc281a71b08441b704e2459f4f3f8511
- SHA512: ccceaa7db00f1ad820b2171cbfefbad0e554a9c211527e934f364bef84241fe1f021cbd5dd2ac9f652dc84419260789d169d291657d09c6a5e2420e075302d22
- SSDEEP: 49152:BjF0tlPV9PjF0tlPV9PjF0tlPV9PjF0tlPV9PjF0tlPV9PjF0tlPV9PjF0tlPV9l:aPVWPVWPVWPVWPVWPVWPVD
Malware Config
Signatures
- GootLoader
  JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.
- Command and Scripting Interpreter: JavaScript (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: powershell.exe
  pid  | process
  2220 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: powershell.exe
  description            | pid  | process
  Token: SeDebugPrivilege | 2220 | powershell.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: taskeng.exe, wscript.EXE, cscript.exe
  description                      | pid  | process     | target process
  PID 2544 wrote to memory of 2620 | 2544 | taskeng.exe | wscript.EXE
  PID 2544 wrote to memory of 2620 | 2544 | taskeng.exe | wscript.EXE
  PID 2544 wrote to memory of 2620 | 2544 | taskeng.exe | wscript.EXE
  PID 2620 wrote to memory of 1572 | 2620 | wscript.EXE | cscript.exe
  PID 2620 wrote to memory of 1572 | 2620 | wscript.EXE | cscript.exe
  PID 2620 wrote to memory of 1572 | 2620 | wscript.EXE | cscript.exe
  PID 1572 wrote to memory of 2220 | 1572 | cscript.exe | powershell.exe
  PID 1572 wrote to memory of 2220 | 1572 | cscript.exe | powershell.exe
  PID 1572 wrote to memory of 2220 | 1572 | cscript.exe | powershell.exe
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\unionoftaxationemployeescollectiveagreement31442.js
  PID: 1792
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {C9550260-6E12-42FF-A2CC-4CDCE6C49F1E} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  PID: 2544
  - C:\Windows\system32\wscript.EXE
    Command line: C:\Windows\system32\wscript.EXE GUIDEL~1.JS
    Signatures: Suspicious use of WriteProcessMemory
    PID: 2620
    - C:\Windows\System32\cscript.exe
      Command line: "C:\Windows\System32\cscript.exe" GUIDEL~1.JS
      Signatures: Suspicious use of WriteProcessMemory
      PID: 1572
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        PID: 2220
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 45.7MB
  MD5: b66686ad0668f57a7d9fb203ff381d70
  SHA1: 910b44d48d45f7377d231f92666f25608248fa8b
  SHA256: d9a001b47c965d3b797808e3dde7fcac423b132d1727bc1adb5ad6adda6b1865
  SHA512: 3a28e98fd81af006c6373b1066d15094fdb402663bf602eb15b851e057e312ff1f0957d848ca5e6a2e1ca8115aa74ad9b4fba4d62a84d0c30dbc8098d861093e