Analysis
- max time kernel: 284s
- max time network: 286s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-07-2024 10:39
- Static task: static1
- Behavioral task: behavioral1
- Sample: pa collective agreement pay 54493.js
- Resource: win10v2004-20240611-en
General
- Target: pa collective agreement pay 54493.js
- Size: 23.2MB
- MD5: 8c9c376750ea3dd04169d1cccd8e7fca
- SHA1: 0bf85b77f8b81624b15c3420ea47118f5c767305
- SHA256: c3625b94c788ccf7c7de1efb639ac338227b5b6ebb99ca480c25e6e877de2c32
- SHA512: 909ce8e34d73c0d36e1413293e7bf59dbddaa84a575120110a969d8b8e90f14451a46ce2ae561fa84431c7d493ef3b4bca43b83ff565c6ae4a432c5b18ef8953
- SSDEEP: 49152:TXU708dPXWR4ba/JOtdF5pHE2lsfiaahM3o43ORV59VDKtDEXU708dPXWR4ba/JX:vc43m1c43m1c43m1c43m1c43ml
Malware Config
Signatures
- GootLoader
  JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.
- Blocklisted process makes network request (13 IoCs)
  Processes (flow, pid, process):
  - flow 52, pid 4992, powershell.exe
  - flow 54, pid 4992, powershell.exe
  - flow 71, pid 4992, powershell.exe
  - flow 73, pid 4992, powershell.exe
  - flow 74, pid 4992, powershell.exe
  - flow 79, pid 4992, powershell.exe
  - flow 82, pid 4992, powershell.exe
  - flow 85, pid 4992, powershell.exe
  - flow 88, pid 4992, powershell.exe
  - flow 91, pid 4992, powershell.exe
  - flow 92, pid 4992, powershell.exe
  - flow 93, pid 4992, powershell.exe
  - flow 94, pid 4992, powershell.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation (wscript.EXE)
- Command and Scripting Interpreter: JavaScript (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ (powershell.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ (powershell.exe)
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  Processes (pid, process): 20 entries, each pid 4992, powershell.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description, pid, process), every entry pid 4992, powershell.exe:
  - Token: SeDebugPrivilege
  - Token: SeIncreaseQuotaPrivilege
  - Token: SeSecurityPrivilege
  - Token: SeTakeOwnershipPrivilege
  - Token: SeLoadDriverPrivilege
  - Token: SeSystemProfilePrivilege
  - Token: SeSystemtimePrivilege
  - Token: SeProfSingleProcessPrivilege
  - Token: SeIncBasePriorityPrivilege
  - Token: SeCreatePagefilePrivilege
  - Token: SeBackupPrivilege
  - Token: SeRestorePrivilege
  - Token: SeShutdownPrivilege
  - Token: SeDebugPrivilege
  - Token: SeSystemEnvironmentPrivilege
  - Token: SeRemoteShutdownPrivilege
  - Token: SeUndockPrivilege
  - Token: SeManageVolumePrivilege
  - Token: 33
  - Token: 34
  - Token: 35
  - Token: 36
  The 21 entries from Token: SeIncreaseQuotaPrivilege through Token: 36 are recorded a further two times in the same order, giving 64 entries in total.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target process):
  - PID 1236 wrote to memory of 4044: 1236, wscript.EXE -> cscript.exe
  - PID 1236 wrote to memory of 4044: 1236, wscript.EXE -> cscript.exe
  - PID 4044 wrote to memory of 4992: 4044, cscript.exe -> powershell.exe
  - PID 4044 wrote to memory of 4992: 4044, cscript.exe -> powershell.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\wscript.exe (depth 1)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\pa collective agreement pay 54493.js"
- C:\Windows\system32\wscript.EXE (depth 1)
  Command line: C:\Windows\system32\wscript.EXE CONVER~1.JS
  Signatures:
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\System32\cscript.exe (depth 2)
    Command line: "C:\Windows\System32\cscript.exe" "CONVER~1.JS"
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: powershell
      Signatures:
      - Blocklisted process makes network request
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3tfxjbof.qtb.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Users\Admin\AppData\Roaming\Adobe\CONVER~1.JS
  Filesize: 41.7MB
  MD5: da3b93aaee95831cc07ee1af5f46e118
  SHA1: 50b06eca480af7029d839559f02e0c3291f7f8e3
  SHA256: f60a0dc22615dd2c498524c3c1b3d45a9c149cfe1423a288579cd88bb6b51e4c
  SHA512: d31b9cda9c27b313fa0b91e7aa1b02165325855cf50c68a0e4b7c80081be84ca9e0e694461e61040c643c174fb6d1ea7f404e0d4d2dfff933b81b74449030a56
- memory/4992-8-0x000002CA41E60000-0x000002CA41E82000-memory.dmp
  Filesize: 136KB
- memory/4992-13-0x000002CA42C40000-0x000002CA42C84000-memory.dmp
  Filesize: 272KB
- memory/4992-14-0x000002CA42D10000-0x000002CA42D86000-memory.dmp
  Filesize: 472KB
- memory/4992-15-0x000002CA42F70000-0x000002CA42F9A000-memory.dmp
  Filesize: 168KB
- memory/4992-16-0x000002CA42F70000-0x000002CA42F94000-memory.dmp
  Filesize: 144KB