97ead2057976cc989c024fa9ad761549fa57e53b16ca38aeecf3aa70da77c0ea

Resubmissions

23-01-2023 12:43

230123-pycsmsdb84 7

05-07-2022 14:19

220705-rmt9naaaen 10

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
05-07-2022 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lidan.exe
Size

124KB
MD5

2e1ed9a6411f5457e15eb9962d9badc3
SHA1

bf803cfd24fe8e890e2bf420a9e27567b878f000
SHA256

97ead2057976cc989c024fa9ad761549fa57e53b16ca38aeecf3aa70da77c0ea
SHA512

b9d3be71b33b9eea68dd7274e7cb587fa5d59c073f134db147a7d74c357d8f5037a75cfa086c838129ec88a3961061f1e8d95ba00d63ceca5db79674df8cf917

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4860 4364 rundll32.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

lidan.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation lidan.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 6 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	4364	rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	lidan.exe

description	flow	ioc
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

lidan.exe

description	pid	process	target process
PID 2384 wrote to memory of 1084	2384	lidan.exe	lidan.exe
PID 2384 wrote to memory of 1084	2384	lidan.exe	lidan.exe
PID 2384 wrote to memory of 1084	2384	lidan.exe	lidan.exe

C:\Users\Admin\AppData\Local\Temp\lidan.exe
"C:\Users\Admin\AppData\Local\Temp\lidan.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2384

C:\Users\Admin\AppData\Local\Temp\lidan.exe
"C:\Users\Admin\AppData\Local\Temp\lidan.exe" -u
2⤵
PID:1084

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:4860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sqlite.dll
Filesize
4KB

MD5
c11b80b635ddc0addd834d6981aa5ee5

SHA1
8ca53e119c4e92b02aec44531875933f0d3b5610

SHA256
d16bbd109119e5a0b9da55bb48cdfc500a44b7414ead47b27c4eff64fe7f5fd4

SHA512
f3d8509651d32463b4ca3cf39e18f8b6d20365c7cd52da692be1a295039869e03ca1e431dda3e8f21e6d1e50b2f9c008c33e2fcfe24dde70e1290a5eb7d44ce3

Download Submit
memory/1084-130-0x0000000000000000-mapping.dmp

Download