gootloader | 1c2ba1ce390b721a5b27b18e39f3ea6c14f3b6656a4a9e9fc29c8716b9f3467b

Analysis

max time kernel
281s
max time network
286s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pa collective agreement pay 65328.js
Size

27.8MB
MD5

2a6f1d027b45097b6a909d40151327c9
SHA1

9eec6fd29b10da65c87643b7e1d1ce7c4cb50a96
SHA256

1c2ba1ce390b721a5b27b18e39f3ea6c14f3b6656a4a9e9fc29c8716b9f3467b
SHA512

5abf113d764629ff2285ae3651fe804040e7a00bdd034f8b87ec3bd578a6a93591d041bbe8bdb9f6b55e6854281cae640ef11ad49abaa50d36eb756a9df8bfcb
SSDEEP

98304:31c43mp1c43mp1c43mp1c43mp1c43mp1c43ml:L

Score

10^/10

gootloader execution loader

Malware Config

Signatures

GootLoader
JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.
loader gootloader
Blocklisted process makes network request 5 IoCs

Processes:

powershell.exe

flow pid process

40 3664 powershell.exe
53 3664 powershell.exe
56 3664 powershell.exe
58 3664 powershell.exe
60 3664 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.EXE

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation wscript.EXE
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
40	3664	powershell.exe
53	3664	powershell.exe
56	3664	powershell.exe
58	3664	powershell.exe
60	3664	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	wscript.EXE

Modifies registry class 2 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	powershell.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exe

pid	process
3664	powershell.exe
3664	powershell.exe
3664	powershell.exe
3664	powershell.exe
3664	powershell.exe
3664	powershell.exe
3664	powershell.exe
3664	powershell.exe
3664	powershell.exe
3664	powershell.exe
3664	powershell.exe
3664	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeIncreaseQuotaPrivilege	3664	powershell.exe
Token: SeSecurityPrivilege	3664	powershell.exe
Token: SeTakeOwnershipPrivilege	3664	powershell.exe
Token: SeLoadDriverPrivilege	3664	powershell.exe
Token: SeSystemProfilePrivilege	3664	powershell.exe
Token: SeSystemtimePrivilege	3664	powershell.exe
Token: SeProfSingleProcessPrivilege	3664	powershell.exe
Token: SeIncBasePriorityPrivilege	3664	powershell.exe
Token: SeCreatePagefilePrivilege	3664	powershell.exe
Token: SeBackupPrivilege	3664	powershell.exe
Token: SeRestorePrivilege	3664	powershell.exe
Token: SeShutdownPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeSystemEnvironmentPrivilege	3664	powershell.exe
Token: SeRemoteShutdownPrivilege	3664	powershell.exe
Token: SeUndockPrivilege	3664	powershell.exe
Token: SeManageVolumePrivilege	3664	powershell.exe
Token: 33	3664	powershell.exe
Token: 34	3664	powershell.exe
Token: 35	3664	powershell.exe
Token: 36	3664	powershell.exe
Token: SeIncreaseQuotaPrivilege	3664	powershell.exe
Token: SeSecurityPrivilege	3664	powershell.exe
Token: SeTakeOwnershipPrivilege	3664	powershell.exe
Token: SeLoadDriverPrivilege	3664	powershell.exe
Token: SeSystemProfilePrivilege	3664	powershell.exe
Token: SeSystemtimePrivilege	3664	powershell.exe
Token: SeProfSingleProcessPrivilege	3664	powershell.exe
Token: SeIncBasePriorityPrivilege	3664	powershell.exe
Token: SeCreatePagefilePrivilege	3664	powershell.exe
Token: SeBackupPrivilege	3664	powershell.exe
Token: SeRestorePrivilege	3664	powershell.exe
Token: SeShutdownPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeSystemEnvironmentPrivilege	3664	powershell.exe
Token: SeRemoteShutdownPrivilege	3664	powershell.exe
Token: SeUndockPrivilege	3664	powershell.exe
Token: SeManageVolumePrivilege	3664	powershell.exe
Token: 33	3664	powershell.exe
Token: 34	3664	powershell.exe
Token: 35	3664	powershell.exe
Token: 36	3664	powershell.exe
Token: SeIncreaseQuotaPrivilege	3664	powershell.exe
Token: SeSecurityPrivilege	3664	powershell.exe
Token: SeTakeOwnershipPrivilege	3664	powershell.exe
Token: SeLoadDriverPrivilege	3664	powershell.exe
Token: SeSystemProfilePrivilege	3664	powershell.exe
Token: SeSystemtimePrivilege	3664	powershell.exe
Token: SeProfSingleProcessPrivilege	3664	powershell.exe
Token: SeIncBasePriorityPrivilege	3664	powershell.exe
Token: SeCreatePagefilePrivilege	3664	powershell.exe
Token: SeBackupPrivilege	3664	powershell.exe
Token: SeRestorePrivilege	3664	powershell.exe
Token: SeShutdownPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeSystemEnvironmentPrivilege	3664	powershell.exe
Token: SeRemoteShutdownPrivilege	3664	powershell.exe
Token: SeUndockPrivilege	3664	powershell.exe
Token: SeManageVolumePrivilege	3664	powershell.exe
Token: 33	3664	powershell.exe
Token: 34	3664	powershell.exe
Token: 35	3664	powershell.exe
Token: 36	3664	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

wscript.EXEcscript.exe

description	pid	process	target process
PID 3700 wrote to memory of 3200	3700	wscript.EXE	cscript.exe
PID 3700 wrote to memory of 3200	3700	wscript.EXE	cscript.exe
PID 3200 wrote to memory of 3664	3200	cscript.exe	powershell.exe
PID 3200 wrote to memory of 3664	3200	cscript.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\pa collective agreement pay 65328.js"
1⤵
PID:916

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE LISTEN~1.JS
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\System32\cscript.exe
"C:\Windows\System32\cscript.exe" "LISTEN~1.JS"
2⤵
- Suspicious use of WriteProcessMemory
PID:3200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
3⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3664

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xoplqofk.i50.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\LISTEN~1.JS
Filesize
44.9MB

MD5
192585210c9abead3329103e2d938d7d

SHA1
3afabd47d958a6ec47d422f6a74d483d4f8a7209

SHA256
d7aae5594e04391bc2fa1e77e122df64e06d39b4cc664f501710f23aac61c439

SHA512
604a91e090d5f07cc7701dd54eff7ea13bbd3c3537f69381980a8ee12da8b5f0a8cab7913b19d136696ad00caeeb7c726a72d3cace1c2e8e27fbda412369f4ba

Download Submit
memory/3664-8-0x000001D2ABFA0000-0x000001D2ABFC2000-memory.dmp

Filesize
136KB

Download
memory/3664-13-0x000001D2C68D0000-0x000001D2C6914000-memory.dmp

Filesize
272KB

Download
memory/3664-14-0x000001D2C6BA0000-0x000001D2C6C16000-memory.dmp

Filesize
472KB

Download
memory/3664-15-0x000001D2C6DD0000-0x000001D2C6DFA000-memory.dmp

Filesize
168KB

Download
memory/3664-16-0x000001D2C6DD0000-0x000001D2C6DF4000-memory.dmp

Filesize
144KB

Download