81d727fad8ac4fc925ac7ea6678d1a537269da092a6918d1caaa59cebc81c525

General

Target

LDPlayer4_ens_1397_ld.exe
Size

3.2MB
MD5

4d8a60c6e654bd38212cebf3d17e5d38
SHA1

9911ab18310d400ba4698a97c591e3893a7e3400
SHA256

81d727fad8ac4fc925ac7ea6678d1a537269da092a6918d1caaa59cebc81c525
SHA512

cdcf9e75843019a0291af3ee5b1b0aa8fbe655112a7835b8b45331f79ea9a6ec01290e9f523c2b6781cca88006cbfe14bb1076d178f3d49767965924db062d2c
SSDEEP

49152:jXRnyhw3Us74CvY1UjAbDiYppI4ubHDcaR9sXafgkDFMVR9C1UhPJXMK701hOHZJ:jVmZs7y1U8pp/6D4BiCV2Hib

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

LDPlayer.exe

pid process

1784 LDPlayer.exe
Loads dropped DLL 4 IoCs

Processes:

LDPlayer4_ens_1397_ld.exe

pid process

1756 LDPlayer4_ens_1397_ld.exe
1756 LDPlayer4_ens_1397_ld.exe
1756 LDPlayer4_ens_1397_ld.exe
1756 LDPlayer4_ens_1397_ld.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 7 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1660 taskkill.exe
1112 taskkill.exe
1204 taskkill.exe
548 taskkill.exe
1472 taskkill.exe
1952 taskkill.exe
1716 taskkill.exe

pid	process
1784	LDPlayer.exe

pid	process
1660	taskkill.exe
1112	taskkill.exe
1204	taskkill.exe
548	taskkill.exe
1472	taskkill.exe
1952	taskkill.exe
1716	taskkill.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

LDPlayer4_ens_1397_ld.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	LDPlayer4_ens_1397_ld.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	LDPlayer4_ens_1397_ld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	LDPlayer4_ens_1397_ld.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	LDPlayer4_ens_1397_ld.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	LDPlayer4_ens_1397_ld.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	LDPlayer4_ens_1397_ld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	LDPlayer4_ens_1397_ld.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	LDPlayer4_ens_1397_ld.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

LDPlayer4_ens_1397_ld.exeLDPlayer.exe

pid	process
1756	LDPlayer4_ens_1397_ld.exe
1756	LDPlayer4_ens_1397_ld.exe
1756	LDPlayer4_ens_1397_ld.exe
1756	LDPlayer4_ens_1397_ld.exe
1784	LDPlayer.exe
1784	LDPlayer.exe
1784	LDPlayer.exe
1784	LDPlayer.exe
1784	LDPlayer.exe
1784	LDPlayer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

LDPlayer4_ens_1397_ld.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeLDPlayer.exe

description	pid	process
Token: SeDebugPrivilege	1756	LDPlayer4_ens_1397_ld.exe
Token: SeShutdownPrivilege	1756	LDPlayer4_ens_1397_ld.exe
Token: SeDebugPrivilege	1472	taskkill.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeTakeOwnershipPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe
Token: SeDebugPrivilege	1784	LDPlayer.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

LDPlayer4_ens_1397_ld.exeLDPlayer.exe

description	pid	process	target process
PID 1756 wrote to memory of 1472	1756	LDPlayer4_ens_1397_ld.exe	taskkill.exe
PID 1756 wrote to memory of 1472	1756	LDPlayer4_ens_1397_ld.exe	taskkill.exe
PID 1756 wrote to memory of 1472	1756	LDPlayer4_ens_1397_ld.exe	taskkill.exe
PID 1756 wrote to memory of 1472	1756	LDPlayer4_ens_1397_ld.exe	taskkill.exe
PID 1756 wrote to memory of 1952	1756	LDPlayer4_ens_1397_ld.exe	taskkill.exe
PID 1756 wrote to memory of 1952	1756	LDPlayer4_ens_1397_ld.exe	taskkill.exe
PID 1756 wrote to memory of 1952	1756	LDPlayer4_ens_1397_ld.exe	taskkill.exe
PID 1756 wrote to memory of 1952	1756	LDPlayer4_ens_1397_ld.exe	taskkill.exe
PID 1756 wrote to memory of 1716	1756	LDPlayer4_ens_1397_ld.exe	taskkill.exe
PID 1756 wrote to memory of 1716	1756	LDPlayer4_ens_1397_ld.exe	taskkill.exe
PID 1756 wrote to memory of 1716	1756	LDPlayer4_ens_1397_ld.exe	taskkill.exe
PID 1756 wrote to memory of 1716	1756	LDPlayer4_ens_1397_ld.exe	taskkill.exe
PID 1756 wrote to memory of 1660	1756	LDPlayer4_ens_1397_ld.exe	taskkill.exe
PID 1756 wrote to memory of 1660	1756	LDPlayer4_ens_1397_ld.exe	taskkill.exe
PID 1756 wrote to memory of 1660	1756	LDPlayer4_ens_1397_ld.exe	taskkill.exe
PID 1756 wrote to memory of 1660	1756	LDPlayer4_ens_1397_ld.exe	taskkill.exe
PID 1756 wrote to memory of 1784	1756	LDPlayer4_ens_1397_ld.exe	LDPlayer.exe
PID 1756 wrote to memory of 1784	1756	LDPlayer4_ens_1397_ld.exe	LDPlayer.exe
PID 1756 wrote to memory of 1784	1756	LDPlayer4_ens_1397_ld.exe	LDPlayer.exe
PID 1756 wrote to memory of 1784	1756	LDPlayer4_ens_1397_ld.exe	LDPlayer.exe
PID 1784 wrote to memory of 1112	1784	LDPlayer.exe	taskkill.exe
PID 1784 wrote to memory of 1112	1784	LDPlayer.exe	taskkill.exe
PID 1784 wrote to memory of 1112	1784	LDPlayer.exe	taskkill.exe
PID 1784 wrote to memory of 1112	1784	LDPlayer.exe	taskkill.exe
PID 1784 wrote to memory of 1204	1784	LDPlayer.exe	taskkill.exe
PID 1784 wrote to memory of 1204	1784	LDPlayer.exe	taskkill.exe
PID 1784 wrote to memory of 1204	1784	LDPlayer.exe	taskkill.exe
PID 1784 wrote to memory of 1204	1784	LDPlayer.exe	taskkill.exe
PID 1784 wrote to memory of 548	1784	LDPlayer.exe	taskkill.exe
PID 1784 wrote to memory of 548	1784	LDPlayer.exe	taskkill.exe
PID 1784 wrote to memory of 548	1784	LDPlayer.exe	taskkill.exe
PID 1784 wrote to memory of 548	1784	LDPlayer.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\LDPlayer4_ens_1397_ld.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer4_ens_1397_ld.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnplayer.exe /T
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayer.exe /T
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnupdate.exe /T
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM bugreport.exe /T
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\LDPlayer\LDPlayer4.0\LDPlayer.exe
"C:\LDPlayer\LDPlayer4.0\\LDPlayer.exe" -downloader -openid=1397 -language=en -path="C:\LDPlayer\LDPlayer4.0\" -silence
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM dnmultiplayerex.exe /T
3⤵
- Kills process with taskkill
PID:1112

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM fynews.exe
3⤵
- Kills process with taskkill
PID:1204

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM ldnews.exe
3⤵
- Kills process with taskkill
PID:548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LDPlayer\LDPlayer4.0\LDPlayer.exe
Filesize
469.8MB

MD5
dcae786c10e02d832428f3ef16582a7c

SHA1
0a31716df4c8a4942a81358e9200bb7e614c0e54

SHA256
3720270b1d8aa3a6f25d29de5609280ffc4a9766f368c34d9ea006303fea0d7b

SHA512
7a51279e1b92f2e7ef39c5cff67bebf194d4ef3f6eec8186f7fc6c86a58f764f7e4b1c05909057051ff045fdd9e86cff7c315fb75b18b454c51c99e99fcfc4dc

Download Submit
\LDPlayer\LDPlayer4.0\LDPlayer.exe
Filesize
469.8MB

MD5
dcae786c10e02d832428f3ef16582a7c

SHA1
0a31716df4c8a4942a81358e9200bb7e614c0e54

SHA256
3720270b1d8aa3a6f25d29de5609280ffc4a9766f368c34d9ea006303fea0d7b

SHA512
7a51279e1b92f2e7ef39c5cff67bebf194d4ef3f6eec8186f7fc6c86a58f764f7e4b1c05909057051ff045fdd9e86cff7c315fb75b18b454c51c99e99fcfc4dc

Download Submit
\Users\Admin\AppData\Local\Temp\Setup\ds.dll
Filesize
62KB

MD5
2204cba332566d808353f256bd211595

SHA1
8da4d578601335c86a3c0b432d37011da316b6cc

SHA256
305c66014595e119140102a83fde0928b46902f7b5bd358cbfaf06145964ca3e

SHA512
ab58f9a6b6171a87eddddcfd11b49708269f33ab0f9f8406202eedb21c873aa2a38234f51f0b073ea84f7a182aff82b8e0596fb61400ffbc8d873fed7475fe7a

Download Submit
\Users\Admin\AppData\Local\Temp\Setup\ds.dll
Filesize
62KB

MD5
2204cba332566d808353f256bd211595

SHA1
8da4d578601335c86a3c0b432d37011da316b6cc

SHA256
305c66014595e119140102a83fde0928b46902f7b5bd358cbfaf06145964ca3e

SHA512
ab58f9a6b6171a87eddddcfd11b49708269f33ab0f9f8406202eedb21c873aa2a38234f51f0b073ea84f7a182aff82b8e0596fb61400ffbc8d873fed7475fe7a

Download Submit
\Users\Admin\AppData\Local\Temp\Setup\ds.dll
Filesize
62KB

MD5
2204cba332566d808353f256bd211595

SHA1
8da4d578601335c86a3c0b432d37011da316b6cc

SHA256
305c66014595e119140102a83fde0928b46902f7b5bd358cbfaf06145964ca3e

SHA512
ab58f9a6b6171a87eddddcfd11b49708269f33ab0f9f8406202eedb21c873aa2a38234f51f0b073ea84f7a182aff82b8e0596fb61400ffbc8d873fed7475fe7a

Download Submit
memory/548-71-0x0000000000000000-mapping.dmp

Download
memory/1112-69-0x0000000000000000-mapping.dmp

Download
memory/1204-70-0x0000000000000000-mapping.dmp

Download
memory/1472-61-0x0000000000000000-mapping.dmp

Download
memory/1660-64-0x0000000000000000-mapping.dmp

Download
memory/1716-63-0x0000000000000000-mapping.dmp

Download
memory/1756-60-0x0000000004475000-0x0000000004486000-memory.dmp

Filesize
68KB

Download
memory/1756-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1756-59-0x00000000035E0000-0x0000000003624000-memory.dmp

Filesize
272KB

Download
memory/1756-58-0x0000000002B40000-0x0000000002B54000-memory.dmp

Filesize
80KB

Download
memory/1784-66-0x0000000000000000-mapping.dmp

Download
memory/1952-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads