gootloader | fb8dfbd0bc32eb573ca3d103f6e655e566ac674e446bcd9836037ad32b5eeae1

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
20/02/2025, 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORIGINAL-External-STAGE1-cancellationofcontractletterformat59607-ORIGINAL.js
Size

844KB
MD5

864fde6b86995179f9c1c3216cac78eb
SHA1

8e4adaea7b49cf4dbc8817ed7723c67e4458a56f
SHA256

fb8dfbd0bc32eb573ca3d103f6e655e566ac674e446bcd9836037ad32b5eeae1
SHA512

69a8daabbf331cb9845ab895f18c45fc47d7dd03e862171321dae15cc0b1a9b5cf2efba8fa343fcef71f89cf60ea687fa1aeafd5523efeb57a63dd4cd247481d
SSDEEP

24576:TUCgo+ogQc5WfNnZmD/nQt2qBvieJ9LEfWpyQTaEFNE3NEr:TUCgo+ogQc5WfNnZmD/nw2qBDeWpyQTZ

Score

10^/10

gootloader execution loader

Malware Config

Signatures

GootLoader
JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.
loader gootloader
Gootloader family
gootloader
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2752	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2836	2944	taskeng.exe	33
PID 2944 wrote to memory of 2836	2944	taskeng.exe	33
PID 2944 wrote to memory of 2836	2944	taskeng.exe	33
PID 2836 wrote to memory of 2856	2836	wscript.EXE	34
PID 2836 wrote to memory of 2856	2836	wscript.EXE	34
PID 2836 wrote to memory of 2856	2836	wscript.EXE	34
PID 2856 wrote to memory of 2752	2856	cscript.exe	36
PID 2856 wrote to memory of 2752	2856	cscript.exe	36
PID 2856 wrote to memory of 2752	2856	cscript.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ORIGINAL-External-STAGE1-cancellationofcontractletterformat59607-ORIGINAL.js
1⤵
PID:2164

C:\Windows\system32\taskeng.exe
taskeng.exe {1B59A5C2-7AB5-4126-ABB8-D076F3AAE697} S-1-5-21-677481364-2238709445-1347953534-1000:JXXXDSWS\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\system32\wscript.EXE
  C:\Windows\system32\wscript.EXE AUDITP~1.JS
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\System32\cscript.exe
    "C:\Windows\System32\cscript.exe" "AUDITP~1.JS"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\AUDITP~1.JS

Filesize
45.0MB

MD5
87bd8f88d06decc3f35b97090bf85543

SHA1
6637c833a5125d0d4b6ec46e0096dcc48c684a65

SHA256
a1f429bb4fa45eaef62baff97b9496ded6e328159498978dc4c7b0e70cadc7e0

SHA512
0c005004b89f320f5242132d204544b888b0a873289518ec063d0b7d3f60ae5d7a1e531e43382c46c466a81a5279182185b64698b5a2eefa304edaff631b0829

Download Submit
memory/2752-7-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

Filesize
2.9MB

Download
memory/2752-8-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download