Analysis Overview
SHA256
256cce989250c50da3240c75089e993aad68185b331304be567f09f6a8865677
Threat Level: Known bad
The file MDE_File_Sample_f3a3b95b55010b5645802110a6a447e6253f1281.zip was found to be: Known bad.
Malicious Activity Summary
GootLoader
Gootloader family
Blocklisted process makes network request
Checks computer location settings
Enumerates physical storage devices
Command and Scripting Interpreter: JavaScript
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-19 05:21
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-19 05:21
Reported
2025-05-19 05:23
Platform
win10v2004-20250502-en
Max time kernel
136s
Max time network
137s
Command Line
Signatures
GootLoader
Gootloader family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.EXE | N/A |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1516 wrote to memory of 2824 | N/A | C:\Windows\system32\wscript.EXE | C:\Windows\System32\cscript.exe |
| PID 1516 wrote to memory of 2824 | N/A | C:\Windows\system32\wscript.EXE | C:\Windows\System32\cscript.exe |
| PID 2824 wrote to memory of 2864 | N/A | C:\Windows\System32\cscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2824 wrote to memory of 2864 | N/A | C:\Windows\System32\cscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\accounting for licensing agreements 22786.js"
C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE PROPEL~1.JS
C:\Windows\System32\cscript.exe
"C:\Windows\System32\cscript.exe" "PROPEL~1.JS"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
Network
| Country | Destination | Domain | Proto |
| IE | 2.19.176.89:443 | www.bing.com | tcp |
| US | 150.171.28.10:443 | tcp | |
| US | 150.171.28.10:443 | tcp | |
| US | 150.171.28.10:443 | tcp | |
| US | 150.171.28.10:443 | tcp | |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | theeventsmagazine.com | udp |
| US | 104.21.90.63:443 | theeventsmagazine.com | tcp |
| US | 8.8.8.8:53 | talentrecap.com | udp |
| DE | 141.193.213.11:443 | talentrecap.com | tcp |
| US | 8.8.8.8:53 | heartifb.com | udp |
| US | 145.223.105.83:443 | heartifb.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\Mozilla\PROPEL~1.JS
| MD5 | 79ccc97d9712d464d234eb26e5ca0d2b |
| SHA1 | 8e9ab18ac85e94d4abd6f8148306c5c808818516 |
| SHA256 | 0694447345db71f736d16a75926e06c4d81f8dada3e24dfead440d5d212f2d56 |
| SHA512 | 6951f1650df7a8ae77c7b89819604856b115b8cfda94dae0ecfc71f7fa9131c5bef6a1c0836e5e35d1e635bc4617e68ef6f1fa1fb9fe4bb342f7cf7c5c005904 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_th15fwbt.nnn.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2864-12-0x000001A9F08A0000-0x000001A9F08C2000-memory.dmp
memory/2864-13-0x000001A9F0C60000-0x000001A9F0CA4000-memory.dmp
memory/2864-14-0x000001A9F0D30000-0x000001A9F0DA6000-memory.dmp
memory/2864-15-0x000001A9F0F70000-0x000001A9F0F9A000-memory.dmp
memory/2864-16-0x000001A9F0F70000-0x000001A9F0F94000-memory.dmp