Analysis Overview
SHA256
9c236eabb385b9402120bb087f0fbaa1b7ec11a897290ac6196d82197bd24ab0
Threat Level: Known bad
The file 9c236eabb385b9402120bb087f0fbaa1b7ec11a897290ac6196d82197bd24ab0.js was found to be: Known bad.
Malicious Activity Summary
Gootloader family
GootLoader
Blocklisted process makes network request
Checks computer location settings
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 03:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 03:26
Reported
2024-11-08 03:29
Platform
win7-20241010-en
Max time kernel
114s
Max time network
19s
Command Line
Signatures
GootLoader
Gootloader family
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\9c236eabb385b9402120bb087f0fbaa1b7ec11a897290ac6196d82197bd24ab0.js
C:\Windows\system32\taskeng.exe
taskeng.exe {D09EBAF6-F40C-453B-A096-888BB2122C95} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE DIGITA~1.JS
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cScriPT "DIGITA~1.JS"
C:\Windows\system32\cscript.exe
cScriPT "DIGITA~1.JS"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
Network
Files
C:\Users\Admin\AppData\Roaming\Mozilla\DIGITA~1.JS
| MD5 | d4b3e1d0cfcb710863b1202ed8f2fd89 |
| SHA1 | 35f6614437fd2aa34609280b699328720f1c6d86 |
| SHA256 | fbfb4a676c09566fa60e05cc51654d6de133aa8add30ae7dbfb1a20f95aeb16c |
| SHA512 | c3ac56c12888c7849136d26f8ca23c812cae0ebcff3af1d8f7aa23a798c82b1f1e83d2e1a7602e3dd0e3f49e65dc498679ddbbdcdf64c37dac368630849b2625 |
memory/1180-10-0x000000001B3F0000-0x000000001B6D2000-memory.dmp
memory/1180-11-0x0000000002290000-0x0000000002298000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 03:26
Reported
2024-11-08 03:29
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
155s
Command Line
Signatures
GootLoader
Gootloader family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.EXE | N/A |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4068 wrote to memory of 4428 | N/A | C:\Windows\system32\wscript.EXE | C:\Windows\System32\cmd.exe |
| PID 4068 wrote to memory of 4428 | N/A | C:\Windows\system32\wscript.EXE | C:\Windows\System32\cmd.exe |
| PID 4428 wrote to memory of 4840 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cscript.exe |
| PID 4428 wrote to memory of 4840 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cscript.exe |
| PID 4840 wrote to memory of 4356 | N/A | C:\Windows\system32\cscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4840 wrote to memory of 4356 | N/A | C:\Windows\system32\cscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\9c236eabb385b9402120bb087f0fbaa1b7ec11a897290ac6196d82197bd24ab0.js
C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE DIGITA~1.JS
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cScriPT "DIGITA~1.JS"
C:\Windows\system32\cscript.exe
cScriPT "DIGITA~1.JS"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pianowithjonny.com | udp |
| US | 162.159.135.42:443 | pianowithjonny.com | tcp |
| US | 8.8.8.8:53 | 42.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | takrepair.com | udp |
| IR | 95.156.254.124:443 | takrepair.com | tcp |
| US | 8.8.8.8:53 | 124.254.156.95.in-addr.arpa | udp |
| IR | 95.156.254.124:443 | takrepair.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\Sun\Pharmacokinetics.txt
| MD5 | d4b3e1d0cfcb710863b1202ed8f2fd89 |
| SHA1 | 35f6614437fd2aa34609280b699328720f1c6d86 |
| SHA256 | fbfb4a676c09566fa60e05cc51654d6de133aa8add30ae7dbfb1a20f95aeb16c |
| SHA512 | c3ac56c12888c7849136d26f8ca23c812cae0ebcff3af1d8f7aa23a798c82b1f1e83d2e1a7602e3dd0e3f49e65dc498679ddbbdcdf64c37dac368630849b2625 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jv2c500i.urx.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4356-16-0x000001F2C2B50000-0x000001F2C2B72000-memory.dmp
memory/4356-17-0x000001F2C50C0000-0x000001F2C5104000-memory.dmp
memory/4356-18-0x000001F2C5190000-0x000001F2C5206000-memory.dmp
memory/4356-19-0x000001F2C53E0000-0x000001F2C540A000-memory.dmp
memory/4356-20-0x000001F2C53E0000-0x000001F2C5404000-memory.dmp