gootloader | 4c39948c9025afcb542a40dcfc81679658c846c888fd06d02d61967845e8fdda

Resubmissions

27-06-2024 13:02

240627-p9v4csserf 10

26-06-2024 14:09

240626-rgg25s1blm 10

Analysis

max time kernel
292s
max time network
296s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2024 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pa collective agreement pay 64470.js
Size

13.9MB
MD5

1b55002d20f323d7ea0a20e19a3325fa
SHA1

63fbf3fc612072145c58bde5c969e4a4abc0a013
SHA256

4c39948c9025afcb542a40dcfc81679658c846c888fd06d02d61967845e8fdda
SHA512

a98543644b6a008fc07e451b8a540d47a7598e92a931ef6cf3bd348773557dc7562ec9776485b2c401f0ac0eb496d14d60604a0c2755d55a41d56367baa26ecf
SSDEEP

49152:Grp08dPXWR4ba/JOtdF5pHE2lsfiaahM3o43ORV59VDKtDFrp08dPXWR4ba/JOti:bc43mBc43mBc43ml

Score

10^/10

gootloader execution loader

Malware Config

Signatures

GootLoader
JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.
loader gootloader
Blocklisted process makes network request 8 IoCs

Processes:

powershell.exe

flow pid process

59 5048 powershell.exe
77 5048 powershell.exe
80 5048 powershell.exe
83 5048 powershell.exe
86 5048 powershell.exe
89 5048 powershell.exe
92 5048 powershell.exe
94 5048 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.EXE

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation wscript.EXE
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
59	5048	powershell.exe
77	5048	powershell.exe
80	5048	powershell.exe
83	5048	powershell.exe
86	5048	powershell.exe
89	5048	powershell.exe
92	5048	powershell.exe
94	5048	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	wscript.EXE

Modifies registry class 2 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	powershell.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exe

pid	process
5048	powershell.exe
5048	powershell.exe
5048	powershell.exe
5048	powershell.exe
5048	powershell.exe
5048	powershell.exe
5048	powershell.exe
5048	powershell.exe
5048	powershell.exe
5048	powershell.exe
5048	powershell.exe
5048	powershell.exe
5048	powershell.exe
5048	powershell.exe
5048	powershell.exe
5048	powershell.exe
5048	powershell.exe
5048	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeIncreaseQuotaPrivilege	5048	powershell.exe
Token: SeSecurityPrivilege	5048	powershell.exe
Token: SeTakeOwnershipPrivilege	5048	powershell.exe
Token: SeLoadDriverPrivilege	5048	powershell.exe
Token: SeSystemProfilePrivilege	5048	powershell.exe
Token: SeSystemtimePrivilege	5048	powershell.exe
Token: SeProfSingleProcessPrivilege	5048	powershell.exe
Token: SeIncBasePriorityPrivilege	5048	powershell.exe
Token: SeCreatePagefilePrivilege	5048	powershell.exe
Token: SeBackupPrivilege	5048	powershell.exe
Token: SeRestorePrivilege	5048	powershell.exe
Token: SeShutdownPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeSystemEnvironmentPrivilege	5048	powershell.exe
Token: SeRemoteShutdownPrivilege	5048	powershell.exe
Token: SeUndockPrivilege	5048	powershell.exe
Token: SeManageVolumePrivilege	5048	powershell.exe
Token: 33	5048	powershell.exe
Token: 34	5048	powershell.exe
Token: 35	5048	powershell.exe
Token: 36	5048	powershell.exe
Token: SeIncreaseQuotaPrivilege	5048	powershell.exe
Token: SeSecurityPrivilege	5048	powershell.exe
Token: SeTakeOwnershipPrivilege	5048	powershell.exe
Token: SeLoadDriverPrivilege	5048	powershell.exe
Token: SeSystemProfilePrivilege	5048	powershell.exe
Token: SeSystemtimePrivilege	5048	powershell.exe
Token: SeProfSingleProcessPrivilege	5048	powershell.exe
Token: SeIncBasePriorityPrivilege	5048	powershell.exe
Token: SeCreatePagefilePrivilege	5048	powershell.exe
Token: SeBackupPrivilege	5048	powershell.exe
Token: SeRestorePrivilege	5048	powershell.exe
Token: SeShutdownPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeSystemEnvironmentPrivilege	5048	powershell.exe
Token: SeRemoteShutdownPrivilege	5048	powershell.exe
Token: SeUndockPrivilege	5048	powershell.exe
Token: SeManageVolumePrivilege	5048	powershell.exe
Token: 33	5048	powershell.exe
Token: 34	5048	powershell.exe
Token: 35	5048	powershell.exe
Token: 36	5048	powershell.exe
Token: SeIncreaseQuotaPrivilege	5048	powershell.exe
Token: SeSecurityPrivilege	5048	powershell.exe
Token: SeTakeOwnershipPrivilege	5048	powershell.exe
Token: SeLoadDriverPrivilege	5048	powershell.exe
Token: SeSystemProfilePrivilege	5048	powershell.exe
Token: SeSystemtimePrivilege	5048	powershell.exe
Token: SeProfSingleProcessPrivilege	5048	powershell.exe
Token: SeIncBasePriorityPrivilege	5048	powershell.exe
Token: SeCreatePagefilePrivilege	5048	powershell.exe
Token: SeBackupPrivilege	5048	powershell.exe
Token: SeRestorePrivilege	5048	powershell.exe
Token: SeShutdownPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeSystemEnvironmentPrivilege	5048	powershell.exe
Token: SeRemoteShutdownPrivilege	5048	powershell.exe
Token: SeUndockPrivilege	5048	powershell.exe
Token: SeManageVolumePrivilege	5048	powershell.exe
Token: 33	5048	powershell.exe
Token: 34	5048	powershell.exe
Token: 35	5048	powershell.exe
Token: 36	5048	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.EXEcscript.exe

description	pid	process	target process
PID 1508 wrote to memory of 2568	1508	wscript.EXE	cscript.exe
PID 1508 wrote to memory of 2568	1508	wscript.EXE	cscript.exe
PID 2568 wrote to memory of 5048	2568	cscript.exe	powershell.exe
PID 2568 wrote to memory of 5048	2568	cscript.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\pa collective agreement pay 64470.js"
1⤵
PID:1340

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE PRIVAT~1.JS
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\System32\cscript.exe
"C:\Windows\System32\cscript.exe" "PRIVAT~1.JS"
2⤵
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
3⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5048

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rvne4eqi.oth.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\PRIVAT~1.JS
Filesize
45.2MB

MD5
e8e1a6158e80626491ee6dc6d7ae1e2b

SHA1
cb6843e0f1bf93f5a7e68abef17d75e13cc4991e

SHA256
6ca56719076da00cb125d4a2cff818f3420f9d34de12267e8cf7b02fd7fd9d4e

SHA512
352e57a10c4fd242a1c4073a196c545d23663f5bfc104421b04abeab6651dbb0aa289ea019e4b6f354d0f061fabbf96c577621ecd2566d5bf769679cdb092d84

Download Submit
memory/5048-5-0x000002592DC90000-0x000002592DCB2000-memory.dmp

Filesize
136KB

Download
memory/5048-13-0x0000025930090000-0x00000259300D4000-memory.dmp

Filesize
272KB

Download
memory/5048-14-0x0000025930360000-0x00000259303D6000-memory.dmp

Filesize
472KB

Download
memory/5048-15-0x00000259305A0000-0x00000259305CA000-memory.dmp

Filesize
168KB

Download
memory/5048-16-0x00000259305A0000-0x00000259305C4000-memory.dmp

Filesize
144KB

Download