Overview

overview

10

Static

static

lidan.exe

windows7_x64

10

lidan.exe

windows10-2004_x64

10

Resubmissions

23-01-2023 12:43

230123-pycsmsdb84 7

05-07-2022 14:19

220705-rmt9naaaen 10

Analysis

  • max time kernel
    43s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    05-07-2022 14:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    lidan.exe

  • Size

    124KB

  • MD5

    2e1ed9a6411f5457e15eb9962d9badc3

  • SHA1

    bf803cfd24fe8e890e2bf420a9e27567b878f000

  • SHA256

    97ead2057976cc989c024fa9ad761549fa57e53b16ca38aeecf3aa70da77c0ea

  • SHA512

    b9d3be71b33b9eea68dd7274e7cb587fa5d59c073f134db147a7d74c357d8f5037a75cfa086c838129ec88a3961061f1e8d95ba00d63ceca5db79674df8cf917

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\lidan.exe
    "C:\Users\Admin\AppData\Local\Temp\lidan.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1460
    • C:\Users\Admin\AppData\Local\Temp\lidan.exe
      "C:\Users\Admin\AppData\Local\Temp\lidan.exe" -u
      2⤵
        PID:1980
    • C:\Windows\system32\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
      1⤵
      • Process spawned unexpected child process
      PID:1500

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\sqlite.dll
      Filesize

      4KB

      MD5

      1c21e2678e77f433e52ff8d31066e76f

      SHA1

      717de0a99e8731b5db316fce1085a7e353e962d8

      SHA256

      ee5d63cace31e5a120f6f9cf122bf8a15e761ac335140331906129523145af04

      SHA512

      53842499b7ea79ff1f2612947e7787a803f5ec1bb0c873464f6f300211e1ac070c7697d077a45c69d19787a4b771c942ea8a030a4da30577de946bbecc2ed3c1

      Download Submit
    • memory/1460-54-0x00000000769D1000-0x00000000769D3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1980-55-0x0000000000000000-mapping.dmp
      Download