Analysis

max time kernel: 292s
max time network: 296s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-06-2024 14:09

Static task: static1
Behavioral task: behavioral1
  Sample: pa collective agreement pay 64470.js
  Resource: win10v2004-20240611-en
General

Target: pa collective agreement pay 64470.js
Size: 13.9MB
MD5: 1b55002d20f323d7ea0a20e19a3325fa
SHA1: 63fbf3fc612072145c58bde5c969e4a4abc0a013
SHA256: 4c39948c9025afcb542a40dcfc81679658c846c888fd06d02d61967845e8fdda
SHA512: a98543644b6a008fc07e451b8a540d47a7598e92a931ef6cf3bd348773557dc7562ec9776485b2c401f0ac0eb496d14d60604a0c2755d55a41d56367baa26ecf
SSDEEP: 49152:Grp08dPXWR4ba/JOtdF5pHE2lsfiaahM3o43ORV59VDKtDFrp08dPXWR4ba/JOti:bc43mBc43mBc43ml
Malware Config
Signatures

GootLoader
  JavaScript loader known for delivering other families such as Gootkit and Cobalt Strike.

Blocklisted process makes network request (8 IoCs)
  Processes (flow | pid | process):
    59 | 5048 | powershell.exe
    77 | 5048 | powershell.exe
    80 | 5048 | powershell.exe
    83 | 5048 | powershell.exe
    86 | 5048 | powershell.exe
    89 | 5048 | powershell.exe
    92 | 5048 | powershell.exe
    94 | 5048 | powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | wscript.EXE

Command and Scripting Interpreter: JavaScript (1 TTP)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (2 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | powershell.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | powershell.exe

Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes (pid | process):
    5048 | powershell.exe  (this same entry is recorded 18 times)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description | pid | process); all 64 rows belong to pid 5048 powershell.exe:
    Token: SeDebugPrivilege | 5048 | powershell.exe
    Token: SeIncreaseQuotaPrivilege | 5048 | powershell.exe
    Token: SeSecurityPrivilege | 5048 | powershell.exe
    Token: SeTakeOwnershipPrivilege | 5048 | powershell.exe
    Token: SeLoadDriverPrivilege | 5048 | powershell.exe
    Token: SeSystemProfilePrivilege | 5048 | powershell.exe
    Token: SeSystemtimePrivilege | 5048 | powershell.exe
    Token: SeProfSingleProcessPrivilege | 5048 | powershell.exe
    Token: SeIncBasePriorityPrivilege | 5048 | powershell.exe
    Token: SeCreatePagefilePrivilege | 5048 | powershell.exe
    Token: SeBackupPrivilege | 5048 | powershell.exe
    Token: SeRestorePrivilege | 5048 | powershell.exe
    Token: SeShutdownPrivilege | 5048 | powershell.exe
    Token: SeDebugPrivilege | 5048 | powershell.exe
    Token: SeSystemEnvironmentPrivilege | 5048 | powershell.exe
    Token: SeRemoteShutdownPrivilege | 5048 | powershell.exe
    Token: SeUndockPrivilege | 5048 | powershell.exe
    Token: SeManageVolumePrivilege | 5048 | powershell.exe
    Token: 33 | 5048 | powershell.exe
    Token: 34 | 5048 | powershell.exe
    Token: 35 | 5048 | powershell.exe
    Token: 36 | 5048 | powershell.exe
    The run of 21 tokens from SeIncreaseQuotaPrivilege through 36 is then recorded twice more, giving 64 entries in total.

Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description | pid | process | target process):
    PID 1508 wrote to memory of 2568 | 1508 | wscript.EXE | cscript.exe
    PID 1508 wrote to memory of 2568 | 1508 | wscript.EXE | cscript.exe
    PID 2568 wrote to memory of 5048 | 2568 | cscript.exe | powershell.exe
    PID 2568 wrote to memory of 5048 | 2568 | cscript.exe | powershell.exe

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\wscript.exe  (depth 1)
  command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\pa collective agreement pay 64470.js"

C:\Windows\system32\wscript.EXE  (depth 1)
  command line: C:\Windows\system32\wscript.EXE PRIVAT~1.JS
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cscript.exe  (depth 2)
    command line: "C:\Windows\System32\cscript.exe" "PRIVAT~1.JS"
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 3)
      command line: powershell
      - Blocklisted process makes network request
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rvne4eqi.oth.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\Mozilla\PRIVAT~1.JS
  Filesize: 45.2MB
  MD5: e8e1a6158e80626491ee6dc6d7ae1e2b
  SHA1: cb6843e0f1bf93f5a7e68abef17d75e13cc4991e
  SHA256: 6ca56719076da00cb125d4a2cff818f3420f9d34de12267e8cf7b02fd7fd9d4e
  SHA512: 352e57a10c4fd242a1c4073a196c545d23663f5bfc104421b04abeab6651dbb0aa289ea019e4b6f354d0f061fabbf96c577621ecd2566d5bf769679cdb092d84

memory/5048-5-0x000002592DC90000-0x000002592DCB2000-memory.dmp
  Filesize: 136KB

memory/5048-13-0x0000025930090000-0x00000259300D4000-memory.dmp
  Filesize: 272KB

memory/5048-14-0x0000025930360000-0x00000259303D6000-memory.dmp
  Filesize: 472KB

memory/5048-15-0x00000259305A0000-0x00000259305CA000-memory.dmp
  Filesize: 168KB

memory/5048-16-0x00000259305A0000-0x00000259305C4000-memory.dmp
  Filesize: 144KB