08fee35f2462f93c96751755ff42f2f63525ad04e21543efe52a159c800ab80a

Analysis

max time kernel
548s
max time network
476s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
14-01-2023 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LDPlayer9_ens_28623617_ld.exe
Size

3.6MB
MD5

90276982cc921f646f74f8310ef8cd6a
SHA1

37d5ff4e70485bbcc6e4ef6fa08d3b7839012d0f
SHA256

08fee35f2462f93c96751755ff42f2f63525ad04e21543efe52a159c800ab80a
SHA512

bdbdb26aaae5b84e7c8298e5e6033142f872e8f25578274c3a8c8fdc7d1e07033be62760b5230a67696bf9f4d885a7187d17680b271e713f1f1a111fa37edf2c
SSDEEP

49152:KpiUPlcfO74zHK+1ULjFvnxe2T9g4tGOPf28xuYT:KpPNcG74r1ULxvxew9g1op

Score

8^/10

discovery exploit persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3136	LDPlayer.exe
4840	dnrepairer.exe

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
5100	takeown.exe
1064	icacls.exe
4700	takeown.exe
2140	icacls.exe

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe

Loads dropped DLL 6 IoCs

pid	Process
2748	LDPlayer9_ens_28623617_ld.exe
2748	LDPlayer9_ens_28623617_ld.exe
2748	LDPlayer9_ens_28623617_ld.exe
4840	dnrepairer.exe
4840	dnrepairer.exe
4840	dnrepairer.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5100	takeown.exe
1064	icacls.exe
4700	takeown.exe
2140	icacls.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\ldplayer9box\Ld9BoxSup-PreW10.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxSup.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.inf	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxDDR0.r0	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxNetLwf-PreW10.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9VMMR0.r0	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxEFI32.fd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\comregister.cmd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxDDR0.r0	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxSup.inf	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\loadall.cmd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxEFI64.fd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\bldRTIsoMaker.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxNetLwf.inf	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\load.cmd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxNetLwf.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxNetLwf.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxNetLwf.inf	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9VMMR0.r0	dnrepairer.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	dism.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 15 IoCs

evasion

pid	Process
3316	taskkill.exe
3788	taskkill.exe
384	taskkill.exe
3960	taskkill.exe
3324	taskkill.exe
4664	taskkill.exe
2004	taskkill.exe
4056	taskkill.exe
1876	taskkill.exe
4228	taskkill.exe
2232	taskkill.exe
1916	taskkill.exe
4072	taskkill.exe
612	taskkill.exe
4932	taskkill.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}	dnrepairer.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2748	LDPlayer9_ens_28623617_ld.exe
2748	LDPlayer9_ens_28623617_ld.exe
2748	LDPlayer9_ens_28623617_ld.exe
2748	LDPlayer9_ens_28623617_ld.exe
2748	LDPlayer9_ens_28623617_ld.exe
3136	LDPlayer.exe
3136	LDPlayer.exe
3136	LDPlayer.exe
3136	LDPlayer.exe
3136	LDPlayer.exe
3136	LDPlayer.exe
3136	LDPlayer.exe
3136	LDPlayer.exe
3136	LDPlayer.exe
3136	LDPlayer.exe
3136	LDPlayer.exe
3136	LDPlayer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	LDPlayer9_ens_28623617_ld.exe
Token: SeShutdownPrivilege	2748	LDPlayer9_ens_28623617_ld.exe
Token: SeCreatePagefilePrivilege	2748	LDPlayer9_ens_28623617_ld.exe
Token: SeDebugPrivilege	3324	taskkill.exe
Token: SeDebugPrivilege	4664	taskkill.exe
Token: SeDebugPrivilege	3316	taskkill.exe
Token: SeDebugPrivilege	2004	taskkill.exe
Token: SeTakeOwnershipPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe
Token: SeDebugPrivilege	3136	LDPlayer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 3324	2748	LDPlayer9_ens_28623617_ld.exe	67
PID 2748 wrote to memory of 3324	2748	LDPlayer9_ens_28623617_ld.exe	67
PID 2748 wrote to memory of 3324	2748	LDPlayer9_ens_28623617_ld.exe	67
PID 2748 wrote to memory of 4664	2748	LDPlayer9_ens_28623617_ld.exe	70
PID 2748 wrote to memory of 4664	2748	LDPlayer9_ens_28623617_ld.exe	70
PID 2748 wrote to memory of 4664	2748	LDPlayer9_ens_28623617_ld.exe	70
PID 2748 wrote to memory of 3316	2748	LDPlayer9_ens_28623617_ld.exe	72
PID 2748 wrote to memory of 3316	2748	LDPlayer9_ens_28623617_ld.exe	72
PID 2748 wrote to memory of 3316	2748	LDPlayer9_ens_28623617_ld.exe	72
PID 2748 wrote to memory of 2004	2748	LDPlayer9_ens_28623617_ld.exe	74
PID 2748 wrote to memory of 2004	2748	LDPlayer9_ens_28623617_ld.exe	74
PID 2748 wrote to memory of 2004	2748	LDPlayer9_ens_28623617_ld.exe	74
PID 2748 wrote to memory of 3136	2748	LDPlayer9_ens_28623617_ld.exe	76
PID 2748 wrote to memory of 3136	2748	LDPlayer9_ens_28623617_ld.exe	76
PID 2748 wrote to memory of 3136	2748	LDPlayer9_ens_28623617_ld.exe	76
PID 3136 wrote to memory of 1876	3136	LDPlayer.exe	77
PID 3136 wrote to memory of 1876	3136	LDPlayer.exe	77
PID 3136 wrote to memory of 1876	3136	LDPlayer.exe	77
PID 3136 wrote to memory of 4072	3136	LDPlayer.exe	79
PID 3136 wrote to memory of 4072	3136	LDPlayer.exe	79
PID 3136 wrote to memory of 4072	3136	LDPlayer.exe	79
PID 3136 wrote to memory of 4056	3136	LDPlayer.exe	81
PID 3136 wrote to memory of 4056	3136	LDPlayer.exe	81
PID 3136 wrote to memory of 4056	3136	LDPlayer.exe	81
PID 3136 wrote to memory of 4228	3136	LDPlayer.exe	83
PID 3136 wrote to memory of 4228	3136	LDPlayer.exe	83
PID 3136 wrote to memory of 4228	3136	LDPlayer.exe	83
PID 3136 wrote to memory of 612	3136	LDPlayer.exe	85
PID 3136 wrote to memory of 612	3136	LDPlayer.exe	85
PID 3136 wrote to memory of 612	3136	LDPlayer.exe	85
PID 3136 wrote to memory of 2232	3136	LDPlayer.exe	87
PID 3136 wrote to memory of 2232	3136	LDPlayer.exe	87
PID 3136 wrote to memory of 2232	3136	LDPlayer.exe	87
PID 3136 wrote to memory of 3788	3136	LDPlayer.exe	89
PID 3136 wrote to memory of 3788	3136	LDPlayer.exe	89
PID 3136 wrote to memory of 3788	3136	LDPlayer.exe	89
PID 3136 wrote to memory of 4840	3136	LDPlayer.exe	91
PID 3136 wrote to memory of 4840	3136	LDPlayer.exe	91
PID 3136 wrote to memory of 4840	3136	LDPlayer.exe	91
PID 4840 wrote to memory of 4756	4840	dnrepairer.exe	92
PID 4840 wrote to memory of 4756	4840	dnrepairer.exe	92
PID 4840 wrote to memory of 4756	4840	dnrepairer.exe	92
PID 4756 wrote to memory of 2052	4756	net.exe	94
PID 4756 wrote to memory of 2052	4756	net.exe	94
PID 4756 wrote to memory of 2052	4756	net.exe	94
PID 4840 wrote to memory of 1016	4840	dnrepairer.exe	95
PID 4840 wrote to memory of 1016	4840	dnrepairer.exe	95
PID 4840 wrote to memory of 1016	4840	dnrepairer.exe	95
PID 4840 wrote to memory of 3628	4840	dnrepairer.exe	96
PID 4840 wrote to memory of 3628	4840	dnrepairer.exe	96
PID 4840 wrote to memory of 3628	4840	dnrepairer.exe	96
PID 4840 wrote to memory of 2472	4840	dnrepairer.exe	97
PID 4840 wrote to memory of 2472	4840	dnrepairer.exe	97
PID 4840 wrote to memory of 2472	4840	dnrepairer.exe	97
PID 4840 wrote to memory of 3240	4840	dnrepairer.exe	98
PID 4840 wrote to memory of 3240	4840	dnrepairer.exe	98
PID 4840 wrote to memory of 3240	4840	dnrepairer.exe	98
PID 4840 wrote to memory of 968	4840	dnrepairer.exe	99
PID 4840 wrote to memory of 968	4840	dnrepairer.exe	99
PID 4840 wrote to memory of 968	4840	dnrepairer.exe	99
PID 4840 wrote to memory of 812	4840	dnrepairer.exe	100
PID 4840 wrote to memory of 812	4840	dnrepairer.exe	100
PID 4840 wrote to memory of 812	4840	dnrepairer.exe	100
PID 4840 wrote to memory of 2060	4840	dnrepairer.exe	101

C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_28623617_ld.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_28623617_ld.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM dnplayer.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3324
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM dnmultiplayer.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4664
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM dnupdate.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3316
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM bugreport.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\LDPlayer\LDPlayer9\LDPlayer.exe
  "C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -downloader -openid=28623617 -language=en -path="C:\LDPlayer\LDPlayer9\" -silence
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3136
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM dnmultiplayerex.exe /T
    3⤵
    - Kills process with taskkill
    PID:1876
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM fynews.exe
    3⤵
    - Kills process with taskkill
    PID:4072
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM ldnews.exe
    3⤵
    - Kills process with taskkill
    PID:4056
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM Ld9BoxHeadless.exe /T
    3⤵
    - Kills process with taskkill
    PID:4228
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM Ld9BoxSVC.exe /T
    3⤵
    - Kills process with taskkill
    PID:612
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM Ld9VirtualBox.exe /T
    3⤵
    - Kills process with taskkill
    PID:2232
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM VBoxManage.exe /T
    3⤵
    - Kills process with taskkill
    PID:3788
- - C:\LDPlayer\LDPlayer9\dnrepairer.exe
    "C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=327786
    3⤵
    - Executes dropped EXE
    - Registers COM server for autorun
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Windows\SysWOW64\net.exe
      "net" start cryptsvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4756
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start cryptsvc
        5⤵
        
        PID:2052
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Softpub.dll /s
      4⤵
      PID:1016
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Wintrust.dll /s
      4⤵
      PID:3628
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Initpki.dll /s
      4⤵
      PID:2472
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32" Initpki.dll /s
      4⤵
      PID:3240
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" dssenh.dll /s
      4⤵
      PID:968
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" rsaenh.dll /s
      4⤵
      PID:812
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" cryptdlg.dll /s
      4⤵
      PID:2060
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4700
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2140
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5100
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1064
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM Ld9BoxHeadless.exe /T
      4⤵
      Kills process with taskkill
      PID:3960
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM Ld9BoxSVC.exe /T
      4⤵
      Kills process with taskkill
      PID:1916
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM Ld9VirtualBox.exe /T
      4⤵
      Kills process with taskkill
      PID:384
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM VBoxManage.exe /T
      4⤵
      Kills process with taskkill
      PID:4932
  - - C:\Windows\SysWOW64\dism.exe
      C:\Windows\system32\dism.exe /Online /English /Get-Features
      4⤵
      Drops file in Windows directory
      PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LDPlayer\LDPlayer9\LDPlayer.exe

Filesize
601.8MB

MD5
83a052a5a9de3c30cb8aaaa81685bea7

SHA1
07daf5f6f24c624228bf7da6e2e1c93241fe030e

SHA256
d773c7ca94b97abc9660727ceefcdb8d98f122fe6dd08aca911fd85fe153d25f

SHA512
65dc36e77e50b27a9fbfd23623696c8d60ec4b08aef61d19801ff390e676fc40cef4f45c8dd1a744c746e02c4d88052db674d48d8ef8449a263e08f10a1e1545

Download Submit
C:\LDPlayer\LDPlayer9\LDPlayer.exe

Filesize
601.8MB

MD5
83a052a5a9de3c30cb8aaaa81685bea7

SHA1
07daf5f6f24c624228bf7da6e2e1c93241fe030e

SHA256
d773c7ca94b97abc9660727ceefcdb8d98f122fe6dd08aca911fd85fe153d25f

SHA512
65dc36e77e50b27a9fbfd23623696c8d60ec4b08aef61d19801ff390e676fc40cef4f45c8dd1a744c746e02c4d88052db674d48d8ef8449a263e08f10a1e1545

Download Submit
C:\LDPlayer\LDPlayer9\MSVCP120.dll

Filesize
444KB

MD5
50260b0f19aaa7e37c4082fecef8ff41

SHA1
ce672489b29baa7119881497ed5044b21ad8fe30

SHA256
891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9

SHA512
6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d

Download Submit
C:\LDPlayer\LDPlayer9\MSVCR120.dll

Filesize
947KB

MD5
50097ec217ce0ebb9b4caa09cd2cd73a

SHA1
8cd3018c4170072464fbcd7cba563df1fc2b884c

SHA256
2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112

SHA512
ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058

Download Submit
C:\LDPlayer\LDPlayer9\crashreport.dll

Filesize
51KB

MD5
87c905e0b5f4998df3f2329512882697

SHA1
c65dc6d4af0e4f59f29056b0f83151d114942a69

SHA256
9b5a107ca6f10cd3b76f74fe01fe6939ead4c12acf7e71fb516a51c730da463c

SHA512
65f18667ae3241dae505160faba999b20aa8d0ea49e023ab89f6b5c2a0f5bafb70abc33388fa7e349a1d17c34d042504b29244a09e9ea5d84aa59572c20b47c4

Download Submit
C:\LDPlayer\LDPlayer9\dnrepairer.exe

Filesize
41.9MB

MD5
4b9b35aac99712c7395ae52966346e28

SHA1
ee891041f960acaf79b599f0c335f06f65a19eb4

SHA256
200f78f3f5b5d9ac94e08e37c93f86625a7764a2d561d0601fd2d242a8f1ef2b

SHA512
ad1f7f6d447e91222df1730f131831d106b467e4eb1e73022b3bb07cf93002467142de0df98a9038edced1e204d229db8e9a0182fc5bf1ced4e179df6b810b34

Download Submit
C:\LDPlayer\LDPlayer9\dnrepairer.exe

Filesize
41.9MB

MD5
4b9b35aac99712c7395ae52966346e28

SHA1
ee891041f960acaf79b599f0c335f06f65a19eb4

SHA256
200f78f3f5b5d9ac94e08e37c93f86625a7764a2d561d0601fd2d242a8f1ef2b

SHA512
ad1f7f6d447e91222df1730f131831d106b467e4eb1e73022b3bb07cf93002467142de0df98a9038edced1e204d229db8e9a0182fc5bf1ced4e179df6b810b34

Download Submit
C:\LDPlayer\LDPlayer9\dnresource.rcc

Filesize
4.4MB

MD5
dac38380ef92c90110f477824f6d9bbb

SHA1
1c606f0bc1cff53b3c5c41add61cfb81c1dbd452

SHA256
f824d3e9c0826dbfd6d0023e5e1e01fc2356637bf5521a4597ba1b6c928075a4

SHA512
aeed7d1bea6f39dc48208d65fc0d35d93c80fca20f69326a699d2c13079e1b02bf436a251c7aa183071e1e6d7053399793a5b35c4cb3094030ddb04695c5fe8c

Download Submit
C:\LDPlayer\LDPlayer9\system.vmdk

Filesize
180.0MB

MD5
8a952492f27f8e3cc1d55f197923f4f6

SHA1
45aea6e2c78bd250e50644c38e396ca4e36f5b4f

SHA256
a7a98c5713ec3adc81c2deeb7b6d9617c669feb0d2de6edc338049e0554d1787

SHA512
5d544c358785d54d37aac32964eeaa1666843a74230d19eecda32745c2c7a7ba99e6f7a1ba20d68292f4afceedc7433b8b8f8f0f0f82be41a17e022c90d854ea

Download Submit
C:\LDPlayer\LDPlayer9\vms\config\leidian0.config

Filesize
641B

MD5
11b7cd5edba15584980297f06a42a604

SHA1
43930738a78f2c99d8adfb5b54bff513bc626b19

SHA256
ab8405f7ed4a928a446c97c1b885b0eab3ce8b49225def03abd449b7709e7c0e

SHA512
eb6008821ad3f16475090ed1a8bfe532088c39b56281ebb8e08b63c776dbcf7cdb1749e419f7dac097e66c85914fc61a2e0f7e285016b26d2b896337f2030328

Download Submit
\LDPlayer\LDPlayer9\crashreport.dll

Filesize
51KB

MD5
87c905e0b5f4998df3f2329512882697

SHA1
c65dc6d4af0e4f59f29056b0f83151d114942a69

SHA256
9b5a107ca6f10cd3b76f74fe01fe6939ead4c12acf7e71fb516a51c730da463c

SHA512
65f18667ae3241dae505160faba999b20aa8d0ea49e023ab89f6b5c2a0f5bafb70abc33388fa7e349a1d17c34d042504b29244a09e9ea5d84aa59572c20b47c4

Download Submit
\LDPlayer\LDPlayer9\msvcp120.dll

Filesize
444KB

MD5
50260b0f19aaa7e37c4082fecef8ff41

SHA1
ce672489b29baa7119881497ed5044b21ad8fe30

SHA256
891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9

SHA512
6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d

Download Submit
\LDPlayer\LDPlayer9\msvcr120.dll

Filesize
947KB

MD5
50097ec217ce0ebb9b4caa09cd2cd73a

SHA1
8cd3018c4170072464fbcd7cba563df1fc2b884c

SHA256
2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112

SHA512
ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058

Download Submit
\Users\Admin\AppData\Local\Temp\Setup\ds.dll

Filesize
62KB

MD5
2204cba332566d808353f256bd211595

SHA1
8da4d578601335c86a3c0b432d37011da316b6cc

SHA256
305c66014595e119140102a83fde0928b46902f7b5bd358cbfaf06145964ca3e

SHA512
ab58f9a6b6171a87eddddcfd11b49708269f33ab0f9f8406202eedb21c873aa2a38234f51f0b073ea84f7a182aff82b8e0596fb61400ffbc8d873fed7475fe7a

Download Submit
\Users\Admin\AppData\Local\Temp\Setup\ds.dll

Filesize
62KB

MD5
2204cba332566d808353f256bd211595

SHA1
8da4d578601335c86a3c0b432d37011da316b6cc

SHA256
305c66014595e119140102a83fde0928b46902f7b5bd358cbfaf06145964ca3e

SHA512
ab58f9a6b6171a87eddddcfd11b49708269f33ab0f9f8406202eedb21c873aa2a38234f51f0b073ea84f7a182aff82b8e0596fb61400ffbc8d873fed7475fe7a

Download Submit
\Users\Admin\AppData\Local\Temp\Setup\ds.dll

Filesize
62KB

MD5
2204cba332566d808353f256bd211595

SHA1
8da4d578601335c86a3c0b432d37011da316b6cc

SHA256
305c66014595e119140102a83fde0928b46902f7b5bd358cbfaf06145964ca3e

SHA512
ab58f9a6b6171a87eddddcfd11b49708269f33ab0f9f8406202eedb21c873aa2a38234f51f0b073ea84f7a182aff82b8e0596fb61400ffbc8d873fed7475fe7a

Download Submit
memory/2748-144-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-226-0x0000000009B30000-0x0000000009B3A000-memory.dmp

Filesize
40KB

Download
memory/2748-148-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-149-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-150-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-151-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-152-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-153-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-154-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-155-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-156-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-157-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-158-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-159-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-160-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-161-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-162-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-163-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-164-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-165-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-166-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-167-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-168-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-169-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-170-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-171-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-172-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-173-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-174-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-175-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-176-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-177-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-178-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-146-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-145-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-115-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-194-0x0000000005D50000-0x0000000005D64000-memory.dmp

Filesize
80KB

Download
memory/2748-196-0x0000000008510000-0x0000000008A0E000-memory.dmp

Filesize
5.0MB

Download
memory/2748-198-0x0000000008010000-0x00000000080A2000-memory.dmp

Filesize
584KB

Download
memory/2748-218-0x0000000008E90000-0x0000000008ED4000-memory.dmp

Filesize
272KB

Download
memory/2748-219-0x0000000008F70000-0x000000000900C000-memory.dmp

Filesize
624KB

Download
memory/2748-220-0x0000000009010000-0x0000000009076000-memory.dmp

Filesize
408KB

Download
memory/2748-221-0x00000000095B0000-0x0000000009ADC000-memory.dmp

Filesize
5.2MB

Download
memory/2748-147-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-116-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-117-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-118-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-143-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-119-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-142-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-141-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-140-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-120-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-121-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-122-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-139-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-138-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-123-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-137-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-124-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-136-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-135-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-134-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-133-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-132-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-131-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-130-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-129-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-125-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-128-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-127-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-126-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download