Overview

overview

8

Static

static

LDPlayer9_...ld.exe

windows7-x64

7

LDPlayer9_...ld.exe

windows10-2004-x64

8

Resubmissions

30/01/2023, 23:01

230130-2zzp1seg4y 8

30/01/2023, 22:54

230130-2vx1madb46 8

Analysis

  • max time kernel
    255s
  • max time network
    273s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/01/2023, 23:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LDPlayer9_es_2281_Cj0KCQiA8t2eBhDeARIsAAVEga27CI2Y_lOWhKJruTM6Tt539XBBIFXqrs4ULzH29iHDJwilBjaiAkQaApNzEALw_wcB_ld.exe

  • Size

    3.6MB

  • MD5

    90276982cc921f646f74f8310ef8cd6a

  • SHA1

    37d5ff4e70485bbcc6e4ef6fa08d3b7839012d0f

  • SHA256

    08fee35f2462f93c96751755ff42f2f63525ad04e21543efe52a159c800ab80a

  • SHA512

    bdbdb26aaae5b84e7c8298e5e6033142f872e8f25578274c3a8c8fdc7d1e07033be62760b5230a67696bf9f4d885a7187d17680b271e713f1f1a111fa37edf2c

  • SSDEEP

    49152:KpiUPlcfO74zHK+1ULjFvnxe2T9g4tGOPf28xuYT:KpPNcG74r1ULxvxew9g1op

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 7 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_2281_Cj0KCQiA8t2eBhDeARIsAAVEga27CI2Y_lOWhKJruTM6Tt539XBBIFXqrs4ULzH29iHDJwilBjaiAkQaApNzEALw_wcB_ld.exe
    "C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_2281_Cj0KCQiA8t2eBhDeARIsAAVEga27CI2Y_lOWhKJruTM6Tt539XBBIFXqrs4ULzH29iHDJwilBjaiAkQaApNzEALw_wcB_ld.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4920
    • C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM dnplayer.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1148
    • C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM dnmultiplayer.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5116
    • C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM dnupdate.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4444
    • C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM bugreport.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3968
    • C:\LDPlayer\LDPlayer9\LDPlayer.exe
      "C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -downloader -openid=2281 -language=es -path="C:\LDPlayer\LDPlayer9\" -googleid=Cj0KCQiA8t2eBhDeARIsAAVEga27CI2Y_lOWhKJruTM6Tt539XBBIFXqrs4ULzH29iHDJwilBjaiAkQaApNzEALw_wcB -silence
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4968
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM dnmultiplayerex.exe /T
        3⤵
        • Kills process with taskkill
        PID:1532
      • C:\Windows\SysWOW64\taskkill.exe
        "taskkill" /F /IM fynews.exe
        3⤵
        • Kills process with taskkill
        PID:2164
      • C:\Windows\SysWOW64\taskkill.exe
        "taskkill" /F /IM ldnews.exe
        3⤵
        • Kills process with taskkill
        PID:992

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\LDPlayer\LDPlayer9\LDPlayer.exe
    Filesize

    601.8MB

    MD5

    83a052a5a9de3c30cb8aaaa81685bea7

    SHA1

    07daf5f6f24c624228bf7da6e2e1c93241fe030e

    SHA256

    d773c7ca94b97abc9660727ceefcdb8d98f122fe6dd08aca911fd85fe153d25f

    SHA512

    65dc36e77e50b27a9fbfd23623696c8d60ec4b08aef61d19801ff390e676fc40cef4f45c8dd1a744c746e02c4d88052db674d48d8ef8449a263e08f10a1e1545

    Download Submit

  • C:\LDPlayer\LDPlayer9\LDPlayer.exe
    Filesize

    601.8MB

    MD5

    83a052a5a9de3c30cb8aaaa81685bea7

    SHA1

    07daf5f6f24c624228bf7da6e2e1c93241fe030e

    SHA256

    d773c7ca94b97abc9660727ceefcdb8d98f122fe6dd08aca911fd85fe153d25f

    SHA512

    65dc36e77e50b27a9fbfd23623696c8d60ec4b08aef61d19801ff390e676fc40cef4f45c8dd1a744c746e02c4d88052db674d48d8ef8449a263e08f10a1e1545

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll
    Filesize

    62KB

    MD5

    2204cba332566d808353f256bd211595

    SHA1

    8da4d578601335c86a3c0b432d37011da316b6cc

    SHA256

    305c66014595e119140102a83fde0928b46902f7b5bd358cbfaf06145964ca3e

    SHA512

    ab58f9a6b6171a87eddddcfd11b49708269f33ab0f9f8406202eedb21c873aa2a38234f51f0b073ea84f7a182aff82b8e0596fb61400ffbc8d873fed7475fe7a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll
    Filesize

    62KB

    MD5

    2204cba332566d808353f256bd211595

    SHA1

    8da4d578601335c86a3c0b432d37011da316b6cc

    SHA256

    305c66014595e119140102a83fde0928b46902f7b5bd358cbfaf06145964ca3e

    SHA512

    ab58f9a6b6171a87eddddcfd11b49708269f33ab0f9f8406202eedb21c873aa2a38234f51f0b073ea84f7a182aff82b8e0596fb61400ffbc8d873fed7475fe7a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll
    Filesize

    62KB

    MD5

    2204cba332566d808353f256bd211595

    SHA1

    8da4d578601335c86a3c0b432d37011da316b6cc

    SHA256

    305c66014595e119140102a83fde0928b46902f7b5bd358cbfaf06145964ca3e

    SHA512

    ab58f9a6b6171a87eddddcfd11b49708269f33ab0f9f8406202eedb21c873aa2a38234f51f0b073ea84f7a182aff82b8e0596fb61400ffbc8d873fed7475fe7a

    Download Submit

  • memory/4920-138-0x0000000009B80000-0x0000000009C1C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4920-139-0x0000000009C20000-0x0000000009C86000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4920-137-0x0000000008EA0000-0x0000000008F32000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4920-136-0x00000000093B0000-0x0000000009954000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4920-141-0x000000000A0D0000-0x000000000A0DA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4920-140-0x000000000A1C0000-0x000000000A6EC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4920-135-0x0000000073A00000-0x0000000073A14000-memory.dmp

    Filesize

    80KB

    Download