6cc0505bc3d39f9806d605ba115dd302da1f485554ec44c9c96286f5ea34d909

Analysis

max time kernel
149s
max time network
152s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
05-02-2023 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Srenshare tool/LandSS.exe
Size

2.0MB
MD5

6045504495a95cabe75d0f76f01f505a
SHA1

9110a9336433e8eb218096a80be7253245cf1075
SHA256

0483c0d37efd42d8c95fe962a67103b2d66db38cf0f4e5842ea6686434972cb8
SHA512

fe18cd913811bc716b55a0afb56e5db22d41716972f9a46b845b7b63be0a9559c03af5015b1246b2ff4f744a1939585c60fbfbeecf161e8b28f174be89f9673f
SSDEEP

49152:APEpksGULjU7cAGVRHxOOonAjZPeDaAVDjzP/V/Od:AcpkCfUIvVRjoSZCzVmd

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

LandSS.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	LandSS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	LandSS.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

LandSS.exe

pid process

340 LandSS.exe
340 LandSS.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

LandSS.exe

pid process

5088 LandSS.exe
5088 LandSS.exe
5088 LandSS.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

LandSS.exe

pid process

5088 LandSS.exe
5088 LandSS.exe
5088 LandSS.exe

pid	process
340	LandSS.exe
340	LandSS.exe

pid	process
5088	LandSS.exe
5088	LandSS.exe
5088	LandSS.exe

pid	process
5088	LandSS.exe
5088	LandSS.exe
5088	LandSS.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

LandSS.exe

description	pid	process	target process
PID 2728 wrote to memory of 340	2728	LandSS.exe	LandSS.exe
PID 2728 wrote to memory of 340	2728	LandSS.exe	LandSS.exe
PID 2728 wrote to memory of 340	2728	LandSS.exe	LandSS.exe
PID 2728 wrote to memory of 5088	2728	LandSS.exe	LandSS.exe
PID 2728 wrote to memory of 5088	2728	LandSS.exe	LandSS.exe
PID 2728 wrote to memory of 5088	2728	LandSS.exe	LandSS.exe

C:\Users\Admin\AppData\Local\Temp\Srenshare tool\LandSS.exe
"C:\Users\Admin\AppData\Local\Temp\Srenshare tool\LandSS.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2728

C:\Users\Admin\AppData\Local\Temp\Srenshare tool\LandSS.exe
"C:\Users\Admin\AppData\Local\Temp\Srenshare tool\LandSS.exe" --local-service
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:340

C:\Users\Admin\AppData\Local\Temp\Srenshare tool\LandSS.exe
"C:\Users\Admin\AppData\Local\Temp\Srenshare tool\LandSS.exe" --local-control
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5088

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad_770b37a3\ad_770b37a3.trace
Filesize
6KB

MD5
5ecf50d7e0d386f8a773762ae4b9c04b

SHA1
35428051b8dbe83fd622e8a0838c9bab06c93013

SHA256
4c9269a33f34a4d91de81dc73b952bd728304516fd7663f22b05e0d58d593700

SHA512
7ab5f81c825a79659bef4f6d233d1c2b3ba1bd8817cfd573b6585c0cb017252cd5b24df62a83e14b11e29ae6cb87815aceed4d7f041c61444d4770ab3bf33b09

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad_770b37a3\ad_770b37a3.trace
Filesize
6KB

MD5
5ecf50d7e0d386f8a773762ae4b9c04b

SHA1
35428051b8dbe83fd622e8a0838c9bab06c93013

SHA256
4c9269a33f34a4d91de81dc73b952bd728304516fd7663f22b05e0d58d593700

SHA512
7ab5f81c825a79659bef4f6d233d1c2b3ba1bd8817cfd573b6585c0cb017252cd5b24df62a83e14b11e29ae6cb87815aceed4d7f041c61444d4770ab3bf33b09

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad_770b37a3\service.conf
Filesize
2KB

MD5
64f2122170cdc39121fd3da52c1603b4

SHA1
f7302ff3154c1efb63eaf025737563f575590bb8

SHA256
30a63b2d89c21751f58a9c045b2b740b2eb55b524a7673f24eaf862fb5a66fec

SHA512
7b97f2542bceca8f6769e827b59156172f8c70acb6b98f51c873cb573d9c18eb96d338809dfe7bbce87af9a20918c18edf626d158d35af5b8b3a98c2e8be6606

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad_770b37a3\system.conf
Filesize
105B

MD5
3b0046710a4fed609005dae07d6781a3

SHA1
510b3c134bd83e5146022adf4e3297760aded0b6

SHA256
fa927e73ad3da7c80411b068c27ae29f6c9db81b54906bac4d92e0169b5da35b

SHA512
1885cff0a27be9ef7ce62aeef8bb869d26868eaa45b2a84fd5af1ed6fdf1dd64640530da2b80a4b6c81dce2cafcd50ab00ded0563410a8ee2bab5025751344e5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad_770b37a3\system.conf
Filesize
113B

MD5
b91f5309deff9ed4c6ad2ed8e2d482db

SHA1
0e46c97b30db71ba76c1acbcfb4fee8ecb47dac8

SHA256
3e0f8227f5300e02e831993b90858c5121022a0cee6d989881a7ec37918d35ff

SHA512
245749174304ab67631e277a8331d32a6d4255b724fce233c53dd21f5cf7ad21fdaa1442a3f63b2a14a1e7144a49cf63f9175512905086c5e53f2ba4c890253b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad_770b37a3\user.conf
Filesize
132B

MD5
123c524682c9ff72ec7924efdb41b28c

SHA1
1e696d9f3e2bf149773186496c7ab9d5df35f9dd

SHA256
e67a68c5e7fa7d227a2fbdd50789472dbbf58471664b1d9b776a579de2757ff6

SHA512
676e5e2c4ff76b1942c1013a7ee9cd88b42424798e07c699c0cb534575bf4f6908366fe9c9a7e17d81e3f2209bf3fd7dd31463cdab5eea5d19475c10c00f696b

Download Submit
memory/340-184-0x0000000000000000-mapping.dmp

Download
memory/340-207-0x0000000000E90000-0x0000000001710000-memory.dmp

Filesize
8.5MB

Download
memory/340-326-0x0000000000E90000-0x0000000001710000-memory.dmp

Filesize
8.5MB

Download
memory/2728-147-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-152-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-122-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-121-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-123-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-124-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-125-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-127-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-126-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-128-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-130-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-129-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-132-0x0000000000E90000-0x0000000001710000-memory.dmp

Filesize
8.5MB

Download
memory/2728-131-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-133-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-134-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-136-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-135-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-137-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-138-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-139-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-140-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-141-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-142-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-143-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-144-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-145-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-146-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-148-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-119-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-149-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-150-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-151-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-120-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-153-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-154-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-155-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-156-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-157-0x0000000000E90000-0x0000000001710000-memory.dmp

Filesize
8.5MB

Download
memory/2728-159-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-160-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-161-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-162-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-163-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-164-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-165-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-166-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-167-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-168-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-169-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-170-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-171-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-172-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-174-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-173-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-175-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-176-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-177-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-178-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-118-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-117-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-179-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-316-0x0000000000E90000-0x0000000001710000-memory.dmp

Filesize
8.5MB

Download
memory/2728-116-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-115-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/5088-187-0x0000000000000000-mapping.dmp

Download
memory/5088-212-0x0000000000E90000-0x0000000001710000-memory.dmp

Filesize
8.5MB

Download
memory/5088-327-0x0000000000E90000-0x0000000001710000-memory.dmp

Filesize
8.5MB

Download