Analysis
- max time kernel: 297s
- max time network: 287s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 13:25
- Static task: static1
- Behavioral task: behavioral1
  - Sample: pa collective agreement pay 31201.js
  - Resource: win10v2004-20240611-en
General
- Target: pa collective agreement pay 31201.js
- Size: 13.9MB
- MD5: 1c4259062faaac20eb7588c43b41b67a
- SHA1: 9c58d602fd7cbf72ed5e956160e4047d58b98194
- SHA256: 9b2e8b3f7a126a2e0d6bfadf984979189a6510cbfabf4f50f4880d7e4cbea119
- SHA512: 6da1fc9295aa096330bae9ca11f34b29bec0cd3eb1b0f407c9b5230a604ea7673862860462c7ada45a1a777ff662525de6fc0bf9efdef2608929b7dd0d1ee268
- SSDEEP: 49152:/tLF08dPXWR4ba/JOtdF5pHE2lsfiaahM3o43ORV59VDKtDmtLF08dPXWR4ba/Jw:Zkc43mbkc43mbkc43ml
Malware Config
Signatures
- GootLoader
  JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.
- Blocklisted process makes network request (8 IoCs)
  Processes: powershell.exe
  flow  pid   process
  59    1932  powershell.exe
  77    1932  powershell.exe
  81    1932  powershell.exe
  84    1932  powershell.exe
  86    1932  powershell.exe
  87    1932  powershell.exe
  89    1932  powershell.exe
  92    1932  powershell.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: wscript.EXE
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation
  process: wscript.EXE
- Command and Scripting Interpreter: JavaScript (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  Processes: powershell.exe
  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
  process: powershell.exe
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
  process: powershell.exe
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes: powershell.exe
  pid   process
  1932  powershell.exe (18 identical entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: powershell.exe
  Every entry has pid 1932 and process powershell.exe. The report lists one leading entry, Token: SeDebugPrivilege, followed by the 21-token sequence below repeated three times, for 64 entries in total:
  Token: SeIncreaseQuotaPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeManageVolumePrivilege
  Token: 33
  Token: 34
  Token: 35
  Token: 36
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: wscript.EXE, cscript.exe
  description                        pid   process      target process
  PID 716 wrote to memory of 5060    716   wscript.EXE  cscript.exe
  PID 716 wrote to memory of 5060    716   wscript.EXE  cscript.exe
  PID 5060 wrote to memory of 1932   5060  cscript.exe  powershell.exe
  PID 5060 wrote to memory of 1932   5060  cscript.exe  powershell.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\wscript.exe (level 1)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\pa collective agreement pay 31201.js"
- C:\Windows\system32\wscript.EXE (level 1)
  Command line: C:\Windows\system32\wscript.EXE EXECUT~1.JS
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cscript.exe (level 2)
    Command line: "C:\Windows\System32\cscript.exe" "EXECUT~1.JS"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 3)
      Command line: powershell
      - Blocklisted process makes network request
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sbqcxsld.drd.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Users\Admin\AppData\Roaming\Adobe\EXECUT~1.JS
  Filesize: 42.2MB
  MD5: 57c50ff152e84d7a71aa545b75905020
  SHA1: 99c4bfe9c10e447b1f48427f6eb58612a458b28a
  SHA256: 6a2dee7f07252f0824e22adf01818b4aaac5efb8214cd1990f0b16b60be8a2bb
  SHA512: 03386c1ef18d0f28f64e36a71b596894d5c217719e7fa23a8bdd1895a310d117cd2ef0ec3a1415dbf246f6cd03b7072f6d487f3297018d36cb5decdd2d70d711
- memory/1932-3-0x0000013CC3430000-0x0000013CC3452000-memory.dmp
  Filesize: 136KB
- memory/1932-13-0x0000013CDC860000-0x0000013CDC8A4000-memory.dmp
  Filesize: 272KB
- memory/1932-14-0x0000013CDC930000-0x0000013CDC9A6000-memory.dmp
  Filesize: 472KB
- memory/1932-15-0x0000013CDCB60000-0x0000013CDCB8A000-memory.dmp
  Filesize: 168KB
- memory/1932-16-0x0000013CDCB60000-0x0000013CDCB84000-memory.dmp
  Filesize: 144KB