Analysis
- max time kernel: 281s
- max time network: 286s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-06-2024 13:23
- Static task: static1
- Behavioral task: behavioral1
- Sample: pa collective agreement pay 65328.js
- Resource: win10v2004-20240508-en
General
- Target: pa collective agreement pay 65328.js
- Size: 27.8MB
- MD5: 2a6f1d027b45097b6a909d40151327c9
- SHA1: 9eec6fd29b10da65c87643b7e1d1ce7c4cb50a96
- SHA256: 1c2ba1ce390b721a5b27b18e39f3ea6c14f3b6656a4a9e9fc29c8716b9f3467b
- SHA512: 5abf113d764629ff2285ae3651fe804040e7a00bdd034f8b87ec3bd578a6a93591d041bbe8bdb9f6b55e6854281cae640ef11ad49abaa50d36eb756a9df8bfcb
- SSDEEP: 98304:31c43mp1c43mp1c43mp1c43mp1c43mp1c43ml:L
Malware Config
Signatures
- GootLoader
  JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.
- Blocklisted process makes network request (5 IoCs)
  Processes:
  flow  pid   process
  40    3664  powershell.exe
  53    3664  powershell.exe
  56    3664  powershell.exe
  58    3664  powershell.exe
  60    3664  powershell.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description        ioc                                                                                                 process
  Key value queried  \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation  wscript.EXE
- Command and Scripting Interpreter: JavaScript (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  Processes:
  description  ioc                                                                                                                          process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\                                      powershell.exe
  Key created  \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\  powershell.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
  pid   process
  3664  powershell.exe  (12 identical entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  description                          pid   process
  Token: SeDebugPrivilege              3664  powershell.exe
  Token: SeIncreaseQuotaPrivilege      3664  powershell.exe
  Token: SeSecurityPrivilege           3664  powershell.exe
  Token: SeTakeOwnershipPrivilege      3664  powershell.exe
  Token: SeLoadDriverPrivilege         3664  powershell.exe
  Token: SeSystemProfilePrivilege      3664  powershell.exe
  Token: SeSystemtimePrivilege         3664  powershell.exe
  Token: SeProfSingleProcessPrivilege  3664  powershell.exe
  Token: SeIncBasePriorityPrivilege    3664  powershell.exe
  Token: SeCreatePagefilePrivilege     3664  powershell.exe
  Token: SeBackupPrivilege             3664  powershell.exe
  Token: SeRestorePrivilege            3664  powershell.exe
  Token: SeShutdownPrivilege           3664  powershell.exe
  Token: SeDebugPrivilege              3664  powershell.exe
  Token: SeSystemEnvironmentPrivilege  3664  powershell.exe
  Token: SeRemoteShutdownPrivilege     3664  powershell.exe
  Token: SeUndockPrivilege             3664  powershell.exe
  Token: SeManageVolumePrivilege       3664  powershell.exe
  Token: 33                            3664  powershell.exe
  Token: 34                            3664  powershell.exe
  Token: 35                            3664  powershell.exe
  Token: 36                            3664  powershell.exe
  The 21 entries from "Token: SeIncreaseQuotaPrivilege" through "Token: 36" are recorded twice more for pid 3664 powershell.exe, in the same order, giving 64 entries in total.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                       pid   process      target process
  PID 3700 wrote to memory of 3200  3700  wscript.EXE  cscript.exe
  PID 3700 wrote to memory of 3200  3700  wscript.EXE  cscript.exe
  PID 3200 wrote to memory of 3664  3200  cscript.exe  powershell.exe
  PID 3200 wrote to memory of 3664  3200  cscript.exe  powershell.exe
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\pa collective agreement pay 65328.js"
  Tree level: 1
- C:\Windows\system32\wscript.EXE
  Command line: C:\Windows\system32\wscript.EXE LISTEN~1.JS
  Tree level: 1
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cscript.exe
    Command line: "C:\Windows\System32\cscript.exe" "LISTEN~1.JS"
    Tree level: 2
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell
      Tree level: 3
      - Blocklisted process makes network request
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xoplqofk.i50.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Users\Admin\AppData\Roaming\Adobe\LISTEN~1.JS
  Filesize: 44.9MB
  MD5: 192585210c9abead3329103e2d938d7d
  SHA1: 3afabd47d958a6ec47d422f6a74d483d4f8a7209
  SHA256: d7aae5594e04391bc2fa1e77e122df64e06d39b4cc664f501710f23aac61c439
  SHA512: 604a91e090d5f07cc7701dd54eff7ea13bbd3c3537f69381980a8ee12da8b5f0a8cab7913b19d136696ad00caeeb7c726a72d3cace1c2e8e27fbda412369f4ba
- memory/3664-8-0x000001D2ABFA0000-0x000001D2ABFC2000-memory.dmp
  Filesize: 136KB
- memory/3664-13-0x000001D2C68D0000-0x000001D2C6914000-memory.dmp
  Filesize: 272KB
- memory/3664-14-0x000001D2C6BA0000-0x000001D2C6C16000-memory.dmp
  Filesize: 472KB
- memory/3664-15-0x000001D2C6DD0000-0x000001D2C6DFA000-memory.dmp
  Filesize: 168KB
- memory/3664-16-0x000001D2C6DD0000-0x000001D2C6DF4000-memory.dmp
  Filesize: 144KB