Overview

overview

10

Static

static

1

freeinform...ate.js

windows7-x64

10

freeinform...ate.js

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    03-10-2024 02:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    freeinformalloanagreementtemplate.js

  • Size

    841KB

  • MD5

    7ac78182e549eb40175d21cc87b94b62

  • SHA1

    b9d41cfaa5df3d6855403876871b4bdbea3185be

  • SHA256

    0a67499a709b1644c4770067be6a7bd932c601d6d09552e4e35e2dacbafa2c77

  • SHA512

    c31b241714a68b2234aaadccf08fd320df77f7f33dba54d7032167086cb230d632a8b6a34614797be48ef70223158a7d9684a8b18f7fffb6b66dc44e37a06ef7

  • SSDEEP

    24576:ZQCgo+ogQc5WfNnZmD/n95ajjhxeB2rRhWpyQTaEFNE3NEr:ZQCgo+ogQc5WfNnZmD/nDajj+8WpyQTZ

Score
10/10
gootloaderexecutionloader

Malware Config

Signatures

  • GootLoader

    JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.

    loadergootloader
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\freeinformalloanagreementtemplate.js
    1⤵
      PID:3032
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {D534F4E9-6ACC-46FA-A75B-F7946E085786} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Windows\system32\wscript.EXE
        C:\Windows\system32\wscript.EXE TECHNI~1.JS
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2992
        • C:\Windows\System32\cscript.exe
          "C:\Windows\System32\cscript.exe" "TECHNI~1.JS"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2564
          • C:\Windows\System32\WindowsPowerShell\v1.0\pOweRshELl.exe
            pOweRshELl.exe
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1956

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Macromedia\TECHNI~1.JS
      Filesize

      42.6MB

      MD5

      86a8c18e20c3e53742597e3738965424

      SHA1

      144c35ea3a387c32effeeccfb94e356b1dc6b1e6

      SHA256

      3d5c3f2de7234018f3d3f0c621bddda9d37e5e10af685571cee6ef3fbb702f4d

      SHA512

      ae56a4df90a5e8a581d4286a9a94303bca25182753a32f05977db97c6e5abee08f6f169a1cee27925cd77f60c723d0d059324fde69ec4013c4e7fe1a2422f8d2

      Download Submit

    • memory/1956-7-0x000000001B650000-0x000000001B932000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1956-8-0x0000000002220000-0x0000000002228000-memory.dmp

      Filesize

      32KB

      Download