97ead2057976cc989c024fa9ad761549fa57e53b16ca38aeecf3aa70da77c0ea

Resubmissions

23-01-2023 12:43

230123-pycsmsdb84 7

05-07-2022 14:19

220705-rmt9naaaen 10

Analysis

max time kernel
43s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
05-07-2022 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lidan.exe
Size

124KB
MD5

2e1ed9a6411f5457e15eb9962d9badc3
SHA1

bf803cfd24fe8e890e2bf420a9e27567b878f000
SHA256

97ead2057976cc989c024fa9ad761549fa57e53b16ca38aeecf3aa70da77c0ea
SHA512

b9d3be71b33b9eea68dd7274e7cb587fa5d59c073f134db147a7d74c357d8f5037a75cfa086c838129ec88a3961061f1e8d95ba00d63ceca5db79674df8cf917

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	612	rundll32.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 1980	1460	lidan.exe	28
PID 1460 wrote to memory of 1980	1460	lidan.exe	28
PID 1460 wrote to memory of 1980	1460	lidan.exe	28
PID 1460 wrote to memory of 1980	1460	lidan.exe	28

C:\Users\Admin\AppData\Local\Temp\lidan.exe
"C:\Users\Admin\AppData\Local\Temp\lidan.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Users\Admin\AppData\Local\Temp\lidan.exe
  "C:\Users\Admin\AppData\Local\Temp\lidan.exe" -u
  2⤵
  PID:1980

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sqlite.dll

Filesize
4KB

MD5
1c21e2678e77f433e52ff8d31066e76f

SHA1
717de0a99e8731b5db316fce1085a7e353e962d8

SHA256
ee5d63cace31e5a120f6f9cf122bf8a15e761ac335140331906129523145af04

SHA512
53842499b7ea79ff1f2612947e7787a803f5ec1bb0c873464f6f300211e1ac070c7697d077a45c69d19787a4b771c942ea8a030a4da30577de946bbecc2ed3c1

Download Submit
memory/1460-54-0x00000000769D1000-0x00000000769D3000-memory.dmp

Filesize
8KB

Download