Overview

overview

10

Static

static

1

union_of_t...424.js

windows7-x64

10

union_of_t...424.js

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07-10-2024 13:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    union_of_taxation_employees_collective_agreement28424.js

  • Size

    3.9MB

  • MD5

    052d55bc0edd41bc0c7a26155be6d359

  • SHA1

    d1173d863f73736e9585facdab76c964d02681c4

  • SHA256

    919e71361afffa7a9edd5fdf11efaeff25f2e742c9a24cbbb030d192d041ddfb

  • SHA512

    4f9da4c35e67b29b69cd8015c5fdb8f0ab4c009118f3438f3e1c1102fc7b0e9d08e28cda65452de9070d4787e6ffed7ec967a20ca10cc4bc1960e3bf45f43edc

  • SSDEEP

    24576:pvZ5xxv6JbHQPV9LfvZ5xxv6JbHQPV9LfvZ5xxv6JbHQPV9LZ:pvqJEPV97vqJEPV97vqJEPV9l

Score
10/10
gootloaderexecutionloader

Malware Config

Signatures

  • GootLoader

    JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.

    loadergootloader
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\union_of_taxation_employees_collective_agreement28424.js
    1⤵
      PID:320
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {E1DBFB9F-79A3-437A-9788-214CAFD214B2} S-1-5-21-457978338-2990298471-2379561640-1000:WOUOSVRD\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\system32\wscript.EXE
        C:\Windows\system32\wscript.EXE ADULTE~1.JS
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2696
        • C:\Windows\System32\cscript.exe
          "C:\Windows\System32\cscript.exe" ADULTE~1.JS
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:752
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1840

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\ADULTE~1.JS
      Filesize

      39.2MB

      MD5

      042f5142b1a4f2a8547ec9ef5cad68c4

      SHA1

      700937127557a3a774124548378ce6e7b1e0e07d

      SHA256

      5579121416b959903415c032070cca375af9cf59b3735100c4a4ea3b562f5aa5

      SHA512

      413393700763a539cb4680bf041d1f3a52835c48651cf878f07beafb3c8a42476b1b100127798f06e633051f4c70475472acff5ac93f777cde6eb54960d7db84

      Download Submit

    • memory/1840-7-0x000000001B3C0000-0x000000001B6A2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1840-8-0x0000000002610000-0x0000000002618000-memory.dmp

      Filesize

      32KB

      Download