Analysis
-
max time kernel
141s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
05-07-2022 14:19
General
-
Target
lidan.exe
-
Size
124KB
-
MD5
2e1ed9a6411f5457e15eb9962d9badc3
-
SHA1
bf803cfd24fe8e890e2bf420a9e27567b878f000
-
SHA256
97ead2057976cc989c024fa9ad761549fa57e53b16ca38aeecf3aa70da77c0ea
-
SHA512
b9d3be71b33b9eea68dd7274e7cb587fa5d59c073f134db147a7d74c357d8f5037a75cfa086c838129ec88a3961061f1e8d95ba00d63ceca5db79674df8cf917
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\lidan.exe"C:\Users\Admin\AppData\Local\Temp\lidan.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\lidan.exe"C:\Users\Admin\AppData\Local\Temp\lidan.exe" -u2⤵
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5c11b80b635ddc0addd834d6981aa5ee5
SHA18ca53e119c4e92b02aec44531875933f0d3b5610
SHA256d16bbd109119e5a0b9da55bb48cdfc500a44b7414ead47b27c4eff64fe7f5fd4
SHA512f3d8509651d32463b4ca3cf39e18f8b6d20365c7cd52da692be1a295039869e03ca1e431dda3e8f21e6d1e50b2f9c008c33e2fcfe24dde70e1290a5eb7d44ce3