gootloader | fb8dfbd0bc32eb573ca3d103f6e655e566ac674e446bcd9836037ad32b5eeae1

Analysis

max time kernel
61s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-02-2025 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORIGINAL - External - STAGE1-cancellation of contract letter format 59607 - ORIGINAL.js
Size

844KB
MD5

864fde6b86995179f9c1c3216cac78eb
SHA1

8e4adaea7b49cf4dbc8817ed7723c67e4458a56f
SHA256

fb8dfbd0bc32eb573ca3d103f6e655e566ac674e446bcd9836037ad32b5eeae1
SHA512

69a8daabbf331cb9845ab895f18c45fc47d7dd03e862171321dae15cc0b1a9b5cf2efba8fa343fcef71f89cf60ea687fa1aeafd5523efeb57a63dd4cd247481d
SSDEEP

24576:TUCgo+ogQc5WfNnZmD/nQt2qBvieJ9LEfWpyQTaEFNE3NEr:TUCgo+ogQc5WfNnZmD/nw2qBDeWpyQTZ

Score

10^/10

gootloader execution loader

Malware Config

Signatures

GootLoader
JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.
loader gootloader
Gootloader family
gootloader
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2704	2016	taskeng.exe	32
PID 2016 wrote to memory of 2704	2016	taskeng.exe	32
PID 2016 wrote to memory of 2704	2016	taskeng.exe	32
PID 2704 wrote to memory of 1268	2704	wscript.EXE	33
PID 2704 wrote to memory of 1268	2704	wscript.EXE	33
PID 2704 wrote to memory of 1268	2704	wscript.EXE	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\ORIGINAL - External - STAGE1-cancellation of contract letter format 59607 - ORIGINAL.js"
1⤵
PID:2736

C:\Windows\system32\taskeng.exe
taskeng.exe {D90BC3E2-6737-45EB-9F72-2FF1ECB156E9} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\system32\wscript.EXE
  C:\Windows\system32\wscript.EXE AUDITP~1.JS
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\System32\cscript.exe
    "C:\Windows\System32\cscript.exe" "AUDITP~1.JS"
    3⤵
    PID:1268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\AUDITP~1.JS

Filesize
45.0MB

MD5
d979ea4b15f2a4199cd037060f7c4151

SHA1
c5396547c9b0d1f71cb1926db8e77076fe2314e0

SHA256
845755e0392c03567f0cd0957813892ee79afd1f706c4b58b8836bfaf981bd42

SHA512
7c4776a407be48bb20d6c57b552befce2d9863664a2b88b9c36d0cd5c7ed98d278643d355987fc5c779921464615df666724c3c8c5216825f1b47d1e6fe95b1c

Download Submit