Overview

overview

7

Static

static

lidan.exe

windows7-x64

3

lidan.exe

windows10-2004-x64

7

Resubmissions

23-01-2023 12:43

230123-pycsmsdb84 7

05-07-2022 14:19

220705-rmt9naaaen 10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-01-2023 12:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    lidan.exe

  • Size

    124KB

  • MD5

    2e1ed9a6411f5457e15eb9962d9badc3

  • SHA1

    bf803cfd24fe8e890e2bf420a9e27567b878f000

  • SHA256

    97ead2057976cc989c024fa9ad761549fa57e53b16ca38aeecf3aa70da77c0ea

  • SHA512

    b9d3be71b33b9eea68dd7274e7cb587fa5d59c073f134db147a7d74c357d8f5037a75cfa086c838129ec88a3961061f1e8d95ba00d63ceca5db79674df8cf917

  • SSDEEP

    1536:cqTAZ3SbqVbJhTlNFsV7mt7F/E/8ZhtaOlrttD9zpqN:hu3SuVbblHzcwtaOxttDBpqN

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\lidan.exe
    "C:\Users\Admin\AppData\Local\Temp\lidan.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Users\Admin\AppData\Local\Temp\lidan.exe
      "C:\Users\Admin\AppData\Local\Temp\lidan.exe" -u
      2⤵
        PID:4076

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads