gootloader | 9149f8b2afe9f24692b628c0c014ccbcccb7b54561e4ab544656c83164a3f279

Analysis

max time kernel
239s
max time network
241s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
17/10/2024, 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

water escrow agreement 77912.js
Size

19.3MB
MD5

67da9c54b9fba4ded6d308dde26f8ff8
SHA1

6c67286c6f33e2110e3db8c8240a491506313668
SHA256

9149f8b2afe9f24692b628c0c014ccbcccb7b54561e4ab544656c83164a3f279
SHA512

11a3070294d948c716a0a6321f1c7967c31a09117b61f022537fb98f4849f10c0f6f3357438165efed937b25679d85f9be19f5204610ed0476c6eab525974d9d
SSDEEP

49152:j7BRzjCxbUqHlp4nv5N0+ChM/5bzSYzYBBji+8j3d3O6/+PQGoI13qu2FJEYcE2W:X

Score

10^/10

gootloader execution loader

Malware Config

Signatures

GootLoader
JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.
loader gootloader
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3032	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 3060	2908	taskeng.exe	31
PID 2908 wrote to memory of 3060	2908	taskeng.exe	31
PID 2908 wrote to memory of 3060	2908	taskeng.exe	31
PID 3060 wrote to memory of 2968	3060	wscript.EXE	32
PID 3060 wrote to memory of 2968	3060	wscript.EXE	32
PID 3060 wrote to memory of 2968	3060	wscript.EXE	32
PID 2968 wrote to memory of 3032	2968	cscript.exe	34
PID 2968 wrote to memory of 3032	2968	cscript.exe	34
PID 2968 wrote to memory of 3032	2968	cscript.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\water escrow agreement 77912.js"
1⤵
PID:2300

C:\Windows\system32\taskeng.exe
taskeng.exe {3E37134A-FD9A-44FF-9E5C-11BE0286A26D} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\system32\wscript.EXE
  C:\Windows\system32\wscript.EXE MICROS~1.JS
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\System32\cscript.exe
    "C:\Windows\System32\cscript.exe" "MICROS~1.JS"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Macromedia\MICROS~1.JS

Filesize
40.2MB

MD5
0945d832c41c5151defae309baab3e7d

SHA1
f02448c6c2c2d4656e1649770f6f07703ca29858

SHA256
286ae777033e428f4332630093372a4af67b4c4c9a57e8eba4a95d42cec117c7

SHA512
360c484e35d175a126cbb20ae7df0b31c6980b3c9353b204a47c7a848b215152921a5bbabae5c08b675c34b2d28eef15b597b228e6f9347dd4e25029711846a3

Download Submit
memory/3032-7-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/3032-8-0x0000000002B20000-0x0000000002B28000-memory.dmp

Filesize
32KB

Download