gootloader | a79eb8b19a5fde18c6f569df389aea8a2ca930dd5718690e81328a0d087471ef

General

Target

union_of_taxation_employees_collective_agreement(40836).js
Size

7.7MB
MD5

ae9263d83761365bde29227b2a670104
SHA1

0c3bdc722df32ec3cf63ba94f9c1a8814c1384c3
SHA256

a79eb8b19a5fde18c6f569df389aea8a2ca930dd5718690e81328a0d087471ef
SHA512

13c9910312cbfecf565d2c4649f66524a151562def1e4ff44426dc09b34e9f9c6e0bb8bf30d3515c8fe90cb1f30cb5efb16c37a74161578d18bf846d4104643b
SSDEEP

49152:hsFCnPV9rsFCnPV9rsFCnPV9rsFCnPV9rsFCnPV9rsFCnPV9l:JPVNPVNPVNPVNPVNPVD

Score

10^/10

gootloader execution loader

Malware Config

Signatures

GootLoader
JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.
loader gootloader

Blocklisted process makes network request 8 IoCs

Processes:

powershell.exe

flow	pid	process
56	1972	powershell.exe
74	1972	powershell.exe
81	1972	powershell.exe
84	1972	powershell.exe
86	1972	powershell.exe
88	1972	powershell.exe
90	1972	powershell.exe
92	1972	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.EXE

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation wscript.EXE
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wscript.EXE

Modifies registry class 2 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	powershell.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exe

pid	process
1972	powershell.exe
1972	powershell.exe
1972	powershell.exe
1972	powershell.exe
1972	powershell.exe
1972	powershell.exe
1972	powershell.exe
1972	powershell.exe
1972	powershell.exe
1972	powershell.exe
1972	powershell.exe
1972	powershell.exe
1972	powershell.exe
1972	powershell.exe
1972	powershell.exe
1972	powershell.exe
1972	powershell.exe
1972	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeIncreaseQuotaPrivilege	1972	powershell.exe
Token: SeSecurityPrivilege	1972	powershell.exe
Token: SeTakeOwnershipPrivilege	1972	powershell.exe
Token: SeLoadDriverPrivilege	1972	powershell.exe
Token: SeSystemProfilePrivilege	1972	powershell.exe
Token: SeSystemtimePrivilege	1972	powershell.exe
Token: SeProfSingleProcessPrivilege	1972	powershell.exe
Token: SeIncBasePriorityPrivilege	1972	powershell.exe
Token: SeCreatePagefilePrivilege	1972	powershell.exe
Token: SeBackupPrivilege	1972	powershell.exe
Token: SeRestorePrivilege	1972	powershell.exe
Token: SeShutdownPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeSystemEnvironmentPrivilege	1972	powershell.exe
Token: SeRemoteShutdownPrivilege	1972	powershell.exe
Token: SeUndockPrivilege	1972	powershell.exe
Token: SeManageVolumePrivilege	1972	powershell.exe
Token: 33	1972	powershell.exe
Token: 34	1972	powershell.exe
Token: 35	1972	powershell.exe
Token: 36	1972	powershell.exe
Token: SeIncreaseQuotaPrivilege	1972	powershell.exe
Token: SeSecurityPrivilege	1972	powershell.exe
Token: SeTakeOwnershipPrivilege	1972	powershell.exe
Token: SeLoadDriverPrivilege	1972	powershell.exe
Token: SeSystemProfilePrivilege	1972	powershell.exe
Token: SeSystemtimePrivilege	1972	powershell.exe
Token: SeProfSingleProcessPrivilege	1972	powershell.exe
Token: SeIncBasePriorityPrivilege	1972	powershell.exe
Token: SeCreatePagefilePrivilege	1972	powershell.exe
Token: SeBackupPrivilege	1972	powershell.exe
Token: SeRestorePrivilege	1972	powershell.exe
Token: SeShutdownPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeSystemEnvironmentPrivilege	1972	powershell.exe
Token: SeRemoteShutdownPrivilege	1972	powershell.exe
Token: SeUndockPrivilege	1972	powershell.exe
Token: SeManageVolumePrivilege	1972	powershell.exe
Token: 33	1972	powershell.exe
Token: 34	1972	powershell.exe
Token: 35	1972	powershell.exe
Token: 36	1972	powershell.exe
Token: SeIncreaseQuotaPrivilege	1972	powershell.exe
Token: SeSecurityPrivilege	1972	powershell.exe
Token: SeTakeOwnershipPrivilege	1972	powershell.exe
Token: SeLoadDriverPrivilege	1972	powershell.exe
Token: SeSystemProfilePrivilege	1972	powershell.exe
Token: SeSystemtimePrivilege	1972	powershell.exe
Token: SeProfSingleProcessPrivilege	1972	powershell.exe
Token: SeIncBasePriorityPrivilege	1972	powershell.exe
Token: SeCreatePagefilePrivilege	1972	powershell.exe
Token: SeBackupPrivilege	1972	powershell.exe
Token: SeRestorePrivilege	1972	powershell.exe
Token: SeShutdownPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeSystemEnvironmentPrivilege	1972	powershell.exe
Token: SeRemoteShutdownPrivilege	1972	powershell.exe
Token: SeUndockPrivilege	1972	powershell.exe
Token: SeManageVolumePrivilege	1972	powershell.exe
Token: 33	1972	powershell.exe
Token: 34	1972	powershell.exe
Token: 35	1972	powershell.exe
Token: 36	1972	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.EXEcscript.exe

description	pid	process	target process
PID 4328 wrote to memory of 2360	4328	wscript.EXE	cscript.exe
PID 4328 wrote to memory of 2360	4328	wscript.EXE	cscript.exe
PID 2360 wrote to memory of 1972	2360	cscript.exe	powershell.exe
PID 2360 wrote to memory of 1972	2360	cscript.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\union_of_taxation_employees_collective_agreement(40836).js
1⤵
PID:5112

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE CORPOR~1.JS
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\System32\cscript.exe
"C:\Windows\System32\cscript.exe" CORPOR~1.JS
2⤵
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
3⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ytpcp0x0.www.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\CORPOR~1.JS

Filesize
45.7MB

MD5
e17b8d564273e66a55783e4fd246c343

SHA1
211f23f8f12f239a532dcc1f2d9815771f5acf16

SHA256
2908ec8d8d2d453e27c3cc52ce5097c858c2023b951e745a7bfcd91a0004d9c3

SHA512
da313fb79d846019c1fc91b6b6980d1f0dac2fcc492a0e226de34a527f0a03b4976eae3b159ace6f7bdc8be851bbe39757d235824d508d802eeb640286dde27d

Download Submit
memory/1972-3-0x000001E973840000-0x000001E973862000-memory.dmp

Filesize
136KB

Download
memory/1972-13-0x000001E9742F0000-0x000001E974334000-memory.dmp

Filesize
272KB

Download
memory/1972-14-0x000001E974750000-0x000001E9747C6000-memory.dmp

Filesize
472KB

Download
memory/1972-15-0x000001E974960000-0x000001E97498A000-memory.dmp

Filesize
168KB

Download
memory/1972-16-0x000001E974960000-0x000001E974984000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads