Overview

overview

8

Static

static

LDPlayer4_...ld.exe

windows7-x64

8

LDPlayer4_...ld.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-01-2023 11:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LDPlayer4_ens_1397_ld.exe

  • Size

    3.2MB

  • MD5

    4d8a60c6e654bd38212cebf3d17e5d38

  • SHA1

    9911ab18310d400ba4698a97c591e3893a7e3400

  • SHA256

    81d727fad8ac4fc925ac7ea6678d1a537269da092a6918d1caaa59cebc81c525

  • SHA512

    cdcf9e75843019a0291af3ee5b1b0aa8fbe655112a7835b8b45331f79ea9a6ec01290e9f523c2b6781cca88006cbfe14bb1076d178f3d49767965924db062d2c

  • SSDEEP

    49152:jXRnyhw3Us74CvY1UjAbDiYppI4ubHDcaR9sXafgkDFMVR9C1UhPJXMK701hOHZJ:jVmZs7y1U8pp/6D4BiCV2Hib

Score
8/10
discovery

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 7 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LDPlayer4_ens_1397_ld.exe
    "C:\Users\Admin\AppData\Local\Temp\LDPlayer4_ens_1397_ld.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4588
    • C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM dnplayer.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3776
    • C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM dnmultiplayer.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3444
    • C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM dnupdate.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4548
    • C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM bugreport.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2828
    • C:\LDPlayer\LDPlayer4.0\LDPlayer.exe
      "C:\LDPlayer\LDPlayer4.0\\LDPlayer.exe" -downloader -openid=1397 -language=en -path="C:\LDPlayer\LDPlayer4.0\" -silence
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4440
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM dnmultiplayerex.exe /T
        3⤵
        • Kills process with taskkill
        PID:2768
      • C:\Windows\SysWOW64\taskkill.exe
        "taskkill" /F /IM fynews.exe
        3⤵
        • Kills process with taskkill
        PID:4720
      • C:\Windows\SysWOW64\taskkill.exe
        "taskkill" /F /IM ldnews.exe
        3⤵
        • Kills process with taskkill
        PID:996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\LDPlayer\LDPlayer4.0\LDPlayer.exe
    Filesize

    469.8MB

    MD5

    dcae786c10e02d832428f3ef16582a7c

    SHA1

    0a31716df4c8a4942a81358e9200bb7e614c0e54

    SHA256

    3720270b1d8aa3a6f25d29de5609280ffc4a9766f368c34d9ea006303fea0d7b

    SHA512

    7a51279e1b92f2e7ef39c5cff67bebf194d4ef3f6eec8186f7fc6c86a58f764f7e4b1c05909057051ff045fdd9e86cff7c315fb75b18b454c51c99e99fcfc4dc

    Download Submit
  • C:\LDPlayer\LDPlayer4.0\LDPlayer.exe
    Filesize

    469.8MB

    MD5

    dcae786c10e02d832428f3ef16582a7c

    SHA1

    0a31716df4c8a4942a81358e9200bb7e614c0e54

    SHA256

    3720270b1d8aa3a6f25d29de5609280ffc4a9766f368c34d9ea006303fea0d7b

    SHA512

    7a51279e1b92f2e7ef39c5cff67bebf194d4ef3f6eec8186f7fc6c86a58f764f7e4b1c05909057051ff045fdd9e86cff7c315fb75b18b454c51c99e99fcfc4dc

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll
    Filesize

    62KB

    MD5

    2204cba332566d808353f256bd211595

    SHA1

    8da4d578601335c86a3c0b432d37011da316b6cc

    SHA256

    305c66014595e119140102a83fde0928b46902f7b5bd358cbfaf06145964ca3e

    SHA512

    ab58f9a6b6171a87eddddcfd11b49708269f33ab0f9f8406202eedb21c873aa2a38234f51f0b073ea84f7a182aff82b8e0596fb61400ffbc8d873fed7475fe7a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll
    Filesize

    62KB

    MD5

    2204cba332566d808353f256bd211595

    SHA1

    8da4d578601335c86a3c0b432d37011da316b6cc

    SHA256

    305c66014595e119140102a83fde0928b46902f7b5bd358cbfaf06145964ca3e

    SHA512

    ab58f9a6b6171a87eddddcfd11b49708269f33ab0f9f8406202eedb21c873aa2a38234f51f0b073ea84f7a182aff82b8e0596fb61400ffbc8d873fed7475fe7a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll
    Filesize

    62KB

    MD5

    2204cba332566d808353f256bd211595

    SHA1

    8da4d578601335c86a3c0b432d37011da316b6cc

    SHA256

    305c66014595e119140102a83fde0928b46902f7b5bd358cbfaf06145964ca3e

    SHA512

    ab58f9a6b6171a87eddddcfd11b49708269f33ab0f9f8406202eedb21c873aa2a38234f51f0b073ea84f7a182aff82b8e0596fb61400ffbc8d873fed7475fe7a

    Download Submit
  • memory/996-151-0x0000000000000000-mapping.dmp
    Download
  • memory/2768-149-0x0000000000000000-mapping.dmp
    Download
  • memory/2828-145-0x0000000000000000-mapping.dmp
    Download
  • memory/3444-143-0x0000000000000000-mapping.dmp
    Download
  • memory/3776-142-0x0000000000000000-mapping.dmp
    Download
  • memory/4440-146-0x0000000000000000-mapping.dmp
    Download
  • memory/4548-144-0x0000000000000000-mapping.dmp
    Download
  • memory/4588-141-0x000000000B370000-0x000000000B37A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4588-140-0x000000000A370000-0x000000000A89C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4588-139-0x0000000009DD0000-0x0000000009E36000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4588-138-0x0000000009D30000-0x0000000009DCC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/4588-137-0x0000000008F80000-0x0000000009012000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4588-136-0x0000000009030000-0x00000000095D4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4588-135-0x0000000072E10000-0x0000000072E24000-memory.dmp
    Filesize

    80KB

    Download
  • memory/4720-150-0x0000000000000000-mapping.dmp
    Download