Analysis
- max time kernel: 145s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-10-2022 06:51
Static task: static1
Behavioral task: behavioral1
- Sample: ProductDetails21638.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: ProductDetails21638.exe
- Resource: win10v2004-20220812-en
General
- Target: ProductDetails21638.exe
- Size: 1.4MB
- MD5: e8443af1626f6ccdff4e82cfd293f232
- SHA1: 9b6a9922c4f1475bf9bf1dd2f71f88905e4a8d90
- SHA256: ea6f6d9fab4b60bafdd8730e249d50c7a1851e4a4dedebc779d266502a0f6ead
- SHA512: 0e8d74490b486320fc3ad65e1f10af78a8da7d83170f0b79b8f9b56a74707ea920599467212886acdf09d3e61b805c7e3468ef96ad052b4adbd9706a55b53d62
- SSDEEP: 12288:xnjoVnNCBllTDonWZQzjFeM6DJOjB9sTTHyaTE78+agEWflDY8xulEV0VrB2dfb1:UNclQnYQb6VOWQ77agEilDrxulEVQkp
Malware Config
Extracted: lokibot
- http://45.155.165.70/se8se/pin.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Extracted: wshrat
- http://rze6.sytes.net:4000
Signatures
- Blocklisted process makes network request (16 IoCs)
  Processes: wscript.exe
  PID 4184 wscript.exe, one IoC per network flow: 27, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 44, 45, 46, 47
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: ProductDetails21638.exe, WScript.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (ProductDetails21638.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (WScript.exe)
- Drops startup file (2 IoCs)
  Processes: WScript.exe, wscript.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ytdkdurodzdbuild.js (WScript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ytdkdurodzdbuild.js (wscript.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: ProductDetails21638.exe
  Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (ProductDetails21638.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (ProductDetails21638.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (ProductDetails21638.exe)
- Adds Run key to start application (2 TTPs, 9 IoCs)
  Processes: WScript.exe, ProductDetails21638.exe, wscript.exe
  Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run (WScript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ytdkdurodzdbuild = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Ytdkdurodzdbuild.js\"" (WScript.exe)
  Key created: \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run (WScript.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Ytdkdurodzdbuild = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Ytdkdurodzdbuild.js\"" (WScript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Utmlnipujo = "\"C:\\Users\\Admin\\AppData\\Roaming\\Tovisqmi\\Utmlnipujo.exe\"" (ProductDetails21638.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Ytdkdurodzdbuild = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Ytdkdurodzdbuild.js\"" (wscript.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ytdkdurodzdbuild = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Ytdkdurodzdbuild.js\"" (wscript.exe)
  Key created: \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run (wscript.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: ProductDetails21638.exe
  PID 3208 ProductDetails21638.exe set thread context of PID 3596 ProductDetails21638.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Processes: ProductDetails21638.exe
  Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings (ProductDetails21638.exe)
- Script User-Agent (16 IoCs)
  Uses user-agent string associated with script host/environment.
  HTTP User-Agent header, identical in flows 27, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 44, 45, 46, 47:
  WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/10/2022|JavaScript
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: powershell.exe
  PID 736 powershell.exe (2 IoCs)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes: ProductDetails21638.exe
  PID 3596 ProductDetails21638.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: powershell.exe, ProductDetails21638.exe
  Token SeDebugPrivilege: PID 736 powershell.exe
  Token SeDebugPrivilege: PID 3208 ProductDetails21638.exe
  Token SeDebugPrivilege: PID 3596 ProductDetails21638.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: ProductDetails21638.exe, WScript.exe
  PID 3208 ProductDetails21638.exe wrote to memory of PID 736 powershell.exe (3 IoCs)
  PID 3208 ProductDetails21638.exe wrote to memory of PID 3856 WScript.exe (3 IoCs)
  PID 3856 WScript.exe wrote to memory of PID 4184 wscript.exe (3 IoCs)
  PID 3208 ProductDetails21638.exe wrote to memory of PID 3596 ProductDetails21638.exe (9 IoCs)
- outlook_office_path (1 IoC)
  Processes: ProductDetails21638.exe
  Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (ProductDetails21638.exe)
- outlook_win_path (1 IoC)
  Processes: ProductDetails21638.exe
  Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (ProductDetails21638.exe)
Processes
(level 1) C:\Users\Admin\AppData\Local\Temp\ProductDetails21638.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ProductDetails21638.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  (level 2) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
    (the -enc argument is base64-encoded UTF-16LE and decodes to: Start-Sleep -Seconds 50)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  (level 2) C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ytdkdurodzdbuild.js"
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    (level 3) C:\Windows\SysWOW64\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Ytdkdurodzdbuild.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
  (level 2) C:\Users\Admin\AppData\Local\Temp\ProductDetails21638.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ProductDetails21638.exe
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Downloads
- Ytdkdurodzdbuild.js, written to three paths with identical hashes:
  C:\Users\Admin\AppData\Local\Temp\Ytdkdurodzdbuild.js
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ytdkdurodzdbuild.js
  C:\Users\Admin\AppData\Roaming\Ytdkdurodzdbuild.js
  Filesize: 21KB
  MD5: cbae567eae4873a19dc1d77885e3ea0f
  SHA1: 669b5cce2f71651aac783b714140e20552c244fe
  SHA256: 30e25144d8c3639fad6741c664ce2444076a53176acd50c0760c71c800c05d79
  SHA512: 85a25484308c03b70418a86878c67a0b0689b1c5f55a78e4c835d5ccb3b256b4b53344d97f6779320d6d0ee50077afb9938e95a32b5058a3c4df100db481c4c9