a384cca4b1f23b5db3bf4af56687e8a25b187bf8196f0fc3a15d9c2f68e93d0d

General

Target

a384cca4b1f23b5db3bf4af56687e8a25b187bf8196f0fc3a15d9c2f68e93d0d.exe
Size

688KB
MD5

e47e2512aea2a641cf602eef14c49241
SHA1

2144adca01caa914b0f1baa881756afd2fb90681
SHA256

a384cca4b1f23b5db3bf4af56687e8a25b187bf8196f0fc3a15d9c2f68e93d0d
SHA512

0e3f9c99f8b4b7e3ed5db8ed69d4018bea0fcb76da851288739950cd43b8befc4df097953dddbf27e37702a66be9ef013bc33973d480081d51ed58a625ed6c37
SSDEEP

12288:oztjEp4VmvHUEGSIST8BrPoQeJYIsL+mxaCb:WkdaST6rLnLXB

Score

8^/10

evasion

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1908 cmd.exe
Drops file in Windows directory 1 IoCs

Processes:

a384cca4b1f23b5db3bf4af56687e8a25b187bf8196f0fc3a15d9c2f68e93d0d.exe

description ioc process

File created C:\WINDOWS\AlinpaySecSvc1.exe a384cca4b1f23b5db3bf4af56687e8a25b187bf8196f0fc3a15d9c2f68e93d0d.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1908	cmd.exe

description	ioc	process
File created	C:\WINDOWS\AlinpaySecSvc1.exe	a384cca4b1f23b5db3bf4af56687e8a25b187bf8196f0fc3a15d9c2f68e93d0d.exe

Modifies registry class 8 IoCs

Processes:

a384cca4b1f23b5db3bf4af56687e8a25b187bf8196f0fc3a15d9c2f68e93d0d.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft	a384cca4b1f23b5db3bf4af56687e8a25b187bf8196f0fc3a15d9c2f68e93d0d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows	a384cca4b1f23b5db3bf4af56687e8a25b187bf8196f0fc3a15d9c2f68e93d0d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	a384cca4b1f23b5db3bf4af56687e8a25b187bf8196f0fc3a15d9c2f68e93d0d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	a384cca4b1f23b5db3bf4af56687e8a25b187bf8196f0fc3a15d9c2f68e93d0d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	a384cca4b1f23b5db3bf4af56687e8a25b187bf8196f0fc3a15d9c2f68e93d0d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	a384cca4b1f23b5db3bf4af56687e8a25b187bf8196f0fc3a15d9c2f68e93d0d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\Policies\System	a384cca4b1f23b5db3bf4af56687e8a25b187bf8196f0fc3a15d9c2f68e93d0d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Software	a384cca4b1f23b5db3bf4af56687e8a25b187bf8196f0fc3a15d9c2f68e93d0d.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

a384cca4b1f23b5db3bf4af56687e8a25b187bf8196f0fc3a15d9c2f68e93d0d.exe

pid	process
1944	a384cca4b1f23b5db3bf4af56687e8a25b187bf8196f0fc3a15d9c2f68e93d0d.exe
1944	a384cca4b1f23b5db3bf4af56687e8a25b187bf8196f0fc3a15d9c2f68e93d0d.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a384cca4b1f23b5db3bf4af56687e8a25b187bf8196f0fc3a15d9c2f68e93d0d.execmd.exe

description	pid	process	target process
PID 1944 wrote to memory of 1908	1944	a384cca4b1f23b5db3bf4af56687e8a25b187bf8196f0fc3a15d9c2f68e93d0d.exe	cmd.exe
PID 1944 wrote to memory of 1908	1944	a384cca4b1f23b5db3bf4af56687e8a25b187bf8196f0fc3a15d9c2f68e93d0d.exe	cmd.exe
PID 1944 wrote to memory of 1908	1944	a384cca4b1f23b5db3bf4af56687e8a25b187bf8196f0fc3a15d9c2f68e93d0d.exe	cmd.exe
PID 1944 wrote to memory of 1908	1944	a384cca4b1f23b5db3bf4af56687e8a25b187bf8196f0fc3a15d9c2f68e93d0d.exe	cmd.exe
PID 1908 wrote to memory of 1372	1908	cmd.exe	WScript.exe
PID 1908 wrote to memory of 1372	1908	cmd.exe	WScript.exe
PID 1908 wrote to memory of 1372	1908	cmd.exe	WScript.exe
PID 1908 wrote to memory of 1372	1908	cmd.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\a384cca4b1f23b5db3bf4af56687e8a25b187bf8196f0fc3a15d9c2f68e93d0d.exe
"C:\Users\Admin\AppData\Local\Temp\a384cca4b1f23b5db3bf4af56687e8a25b187bf8196f0fc3a15d9c2f68e93d0d.exe"
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\Del.bat
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\delay.vbs"
3⤵
PID:1372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\delay.vbs

Filesize
18B

MD5
5ccc803b59fdbcdea8fd7510e8d0fc04

SHA1
934485e70bf33c0860d346c92f85231be6dbc606

SHA256
56dbbffa3c9452f514e5f85f589cd8ee557ddd79283c3456bb37296c482d4631

SHA512
a0229aba0a6fda2f9edd6c363b5de5eae1da0f3e04b687ac893cc6f01cde7d969799333b576b0277363339906570ef33f30f5b3f6738cf16a5f49316fde9a642

Download Submit
\??\c:\Del.bat

Filesize
163B

MD5
4397f68e3a7f52972fda3616ffe342d1

SHA1
32128755e64655c37e4140619b103d10f7d5b282

SHA256
95ba8eaad5334073c4f004a0efb0d09e93f95c737f1d05b9a6c9c69458ea8713

SHA512
e4c142205193fcc97cc01cf230246d00effd60d6e98855ea5553d28c77a8a8c6c30d43f6879e7a7d08c4bd133ac7131c3797ffedc4025da19af6a32f6a16accd

Download Submit
memory/1372-60-0x0000000000000000-mapping.dmp

Download
memory/1908-56-0x0000000000000000-mapping.dmp

Download
memory/1944-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1944-55-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1944-57-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads