Analysis
max time kernel: 117s
max time network: 119s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 03-10-2024 02:11
Static task: static1
Behavioral task: behavioral1
  Sample: freeinformalloanagreementtemplate.js
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: freeinformalloanagreementtemplate.js
  Resource: win10v2004-20240802-en
General
Target: freeinformalloanagreementtemplate.js
Size: 841KB
MD5: 7ac78182e549eb40175d21cc87b94b62
SHA1: b9d41cfaa5df3d6855403876871b4bdbea3185be
SHA256: 0a67499a709b1644c4770067be6a7bd932c601d6d09552e4e35e2dacbafa2c77
SHA512: c31b241714a68b2234aaadccf08fd320df77f7f33dba54d7032167086cb230d632a8b6a34614797be48ef70223158a7d9684a8b18f7fffb6b66dc44e37a06ef7
SSDEEP: 24576:ZQCgo+ogQc5WfNnZmD/n95ajjhxeB2rRhWpyQTaEFNE3NEr:ZQCgo+ogQc5WfNnZmD/nDajj+8WpyQTZ
Malware Config
Signatures
GootLoader
  JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.
Command and Scripting Interpreter: JavaScript (1 TTP)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid 1956  pOweRshELl.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    pid 1956  pOweRshELl.exe  Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (source pid/process -> target pid/process; the report lists each pair three times, 9 entries in total):
    2876 taskeng.exe  -> 2992 wscript.EXE
    2992 wscript.EXE  -> 2564 cscript.exe
    2564 cscript.exe  -> 1956 pOweRshELl.exe
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\wscript.exe  (tree depth 1, PID 3032)
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\freeinformalloanagreementtemplate.js
C:\Windows\system32\taskeng.exe  (tree depth 1, PID 2876)
  command line: taskeng.exe {D534F4E9-6ACC-46FA-A75B-F7946E085786} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]
  Suspicious use of WriteProcessMemory
  C:\Windows\system32\wscript.EXE  (tree depth 2, PID 2992)
    command line: C:\Windows\system32\wscript.EXE TECHNI~1.JS
    Suspicious use of WriteProcessMemory
    C:\Windows\System32\cscript.exe  (tree depth 3, PID 2564)
      command line: "C:\Windows\System32\cscript.exe" "TECHNI~1.JS"
      Suspicious use of WriteProcessMemory
      C:\Windows\System32\WindowsPowerShell\v1.0\pOweRshELl.exe  (tree depth 4, PID 1956)
        command line: pOweRshELl.exe
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
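The process tree and the WriteProcessMemory signature together show the chain that a detection for this sample should key on: taskeng.exe (the Windows 7 Task Scheduler engine, consistent with the "Uses Task Scheduler COM API" signature above) starts wscript.EXE on a second-stage script (TECHNI~1.JS), which hands off to cscript.exe and then to powershell.exe, written with mixed case. The following is an added detection sketch, not part of the sandbox report or of any vendor tooling. The event list is constructed by hand from the process tree above (PIDs, images and command lines are the report's; parent PIDs of the two depth-1 processes are not given by the report and are set to 0). The inclusion of svchost.exe as a scheduler image for Windows 10 hosts and the Sysmon/4688 feed it would replace are assumptions; everything else is taken from the page.

```python
"""Detection sketch for the scheduled-task -> script host -> PowerShell chain
shown in this report.  Added example, not the report's own content.

In production the events would come from Sysmon Event ID 1 or Security
4688 records (assumption); here they are constructed from the report.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree.  ppid=0 marks processes whose
# parent the report does not show (depth-1 entries).
EVENTS = [
    ProcEvent(3032, 0, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\freeinformalloanagreementtemplate.js"),
    ProcEvent(2876, 0, r"C:\Windows\system32\taskeng.exe",
              r"taskeng.exe {D534F4E9-6ACC-46FA-A75B-F7946E085786} "
              r"S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]"),
    ProcEvent(2992, 2876, r"C:\Windows\system32\wscript.EXE",
              r"C:\Windows\system32\wscript.EXE TECHNI~1.JS"),
    ProcEvent(2564, 2992, r"C:\Windows\System32\cscript.exe",
              r'"C:\Windows\System32\cscript.exe" "TECHNI~1.JS"'),
    ProcEvent(1956, 2564, r"C:\Windows\System32\WindowsPowerShell\v1.0\pOweRshELl.exe",
              "pOweRshELl.exe"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# taskeng.exe is the Task Scheduler engine on Windows 7 (seen in this report).
# On Windows 10 scheduled tasks are started by svchost.exe hosting the
# Schedule service instead (assumption for the win10 behavioral task).
SCHEDULER_IMAGES = {"taskeng.exe", "svchost.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def basename(image: str) -> str:
    # Case-fold: the report shows "pOweRshELl.exe", which a case-sensitive
    # compare against "powershell.exe" would miss.
    return ntpath.basename(image).lower()


def ancestry(pid: int, by_pid: dict) -> list:
    """Chain of events from the outermost known ancestor down to pid."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return list(reversed(chain))


def js_arguments(cmdline: str) -> list:
    """Tokens of a command line that name a .js file (quotes stripped)."""
    toks = [t.strip('"') for t in cmdline.split()]
    return [t for t in toks if t.lower().endswith(".js")]


def script_hosts_from_scheduler(events: list) -> list:
    """PIDs of wscript/cscript started directly by the Task Scheduler engine."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if (basename(e.image) in SCRIPT_HOSTS and parent is not None
                and basename(parent.image) in SCHEDULER_IMAGES):
            hits.append(e.pid)
    return hits


def script_to_powershell_chains(events: list) -> list:
    """Each PowerShell process with a script host somewhere in its ancestry."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if basename(e.image) not in POWERSHELL:
            continue
        chain = ancestry(e.pid, by_pid)
        hosts = [a for a in chain if basename(a.image) in SCRIPT_HOSTS]
        if not hosts:
            continue
        findings.append({
            "chain": [a.pid for a in chain],
            "images": [basename(a.image) for a in chain],
            "scheduled_task_origin": basename(chain[0].image) in SCHEDULER_IMAGES,
            "scripts": sorted({js for a in hosts for js in js_arguments(a.cmdline)}),
        })
    return findings


if __name__ == "__main__":
    print("script hosts under scheduler:", script_hosts_from_scheduler(EVENTS))
    for f in script_to_powershell_chains(EVENTS):
        print(f)
```

Run against the constructed events, the first check flags PID 2992 only (the wscript.exe that ran the original sample, PID 3032, has no scheduler parent), and the second returns one chain, 2876 -> 2992 -> 2564 -> 1956, with scheduled-task origin and TECHNI~1.JS as the script. Both checks deliberately ignore the original download's wscript.exe: on a real host that first invocation is the user double-clicking the .js, while the scheduled-task relaunch is the persistence the report's Task Scheduler signature points at.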
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 42.6MB
MD5: 86a8c18e20c3e53742597e3738965424
SHA1: 144c35ea3a387c32effeeccfb94e356b1dc6b1e6
SHA256: 3d5c3f2de7234018f3d3f0c621bddda9d37e5e10af685571cee6ef3fbb702f4d
SHA512: ae56a4df90a5e8a581d4286a9a94303bca25182753a32f05977db97c6e5abee08f6f169a1cee27925cd77f60c723d0d059324fde69ec4013c4e7fe1a2422f8d2