6cc0505bc3d39f9806d605ba115dd302da1f485554ec44c9c96286f5ea34d909

Analysis

max time kernel
120s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2023 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Srenshare tool/LandSS.exe
Size

2.0MB
MD5

6045504495a95cabe75d0f76f01f505a
SHA1

9110a9336433e8eb218096a80be7253245cf1075
SHA256

0483c0d37efd42d8c95fe962a67103b2d66db38cf0f4e5842ea6686434972cb8
SHA512

fe18cd913811bc716b55a0afb56e5db22d41716972f9a46b845b7b63be0a9559c03af5015b1246b2ff4f744a1939585c60fbfbeecf161e8b28f174be89f9673f
SSDEEP

49152:APEpksGULjU7cAGVRHxOOonAjZPeDaAVDjzP/V/Od:AcpkCfUIvVRjoSZCzVmd

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

LandSS.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	LandSS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	LandSS.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

LandSS.exe

pid process

1396 LandSS.exe
1396 LandSS.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

LandSS.exe

pid process

4696 LandSS.exe
4696 LandSS.exe
4696 LandSS.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

LandSS.exe

pid process

4696 LandSS.exe
4696 LandSS.exe
4696 LandSS.exe

pid	process
1396	LandSS.exe
1396	LandSS.exe

pid	process
4696	LandSS.exe
4696	LandSS.exe
4696	LandSS.exe

pid	process
4696	LandSS.exe
4696	LandSS.exe
4696	LandSS.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

LandSS.exe

description	pid	process	target process
PID 836 wrote to memory of 1396	836	LandSS.exe	LandSS.exe
PID 836 wrote to memory of 1396	836	LandSS.exe	LandSS.exe
PID 836 wrote to memory of 1396	836	LandSS.exe	LandSS.exe
PID 836 wrote to memory of 4696	836	LandSS.exe	LandSS.exe
PID 836 wrote to memory of 4696	836	LandSS.exe	LandSS.exe
PID 836 wrote to memory of 4696	836	LandSS.exe	LandSS.exe

C:\Users\Admin\AppData\Local\Temp\Srenshare tool\LandSS.exe
"C:\Users\Admin\AppData\Local\Temp\Srenshare tool\LandSS.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:836
- C:\Users\Admin\AppData\Local\Temp\Srenshare tool\LandSS.exe
  "C:\Users\Admin\AppData\Local\Temp\Srenshare tool\LandSS.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1396
- C:\Users\Admin\AppData\Local\Temp\Srenshare tool\LandSS.exe
  "C:\Users\Admin\AppData\Local\Temp\Srenshare tool\LandSS.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad_770b37a3\ad_770b37a3.trace

Filesize
4KB

MD5
224996e9b9c7ecfcf58bb668019d2492

SHA1
812a7a2bff7d7138b4e378644f93e557f705a5f5

SHA256
676f57fe0057bf395b05855ca2a9e61dff9d995f37f7f553e98200b2be0408fc

SHA512
dbd4616538345fe0d1d54fe8ab9b86dee78a8a18f57af2b359104ff7593d2b0fe2b1a946374aa70ea08e11aab3287d5c28072d1ba5d6d95e90696f7acdf071a1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad_770b37a3\ad_770b37a3.trace

Filesize
6KB

MD5
76ceb4599c3b5512a4d5511fb2a958dd

SHA1
fa566956a648cfd2d1a0a59ea0de8952d99af03e

SHA256
9c238c54572e3272a7765320dc4e7b4e56db0bca921d1f7d1174edfc7a5ecc78

SHA512
c80c2ff113a791e722f4caa0643f25a7bed969305ee9007fc54836b1fd8740c327a3dac93f1d886f0002d806c562f812ea0220d84228010e2ea45165a024e615

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad_770b37a3\service.conf

Filesize
2KB

MD5
50147eeca1516756fa27ff49b204f6ab

SHA1
22fffc4fb6cf11e5bea3e1636c500972cb704666

SHA256
688eb835aeb6b6c6887b83da0d42e21d63393f47f2799db6429a779ed5f9a0fb

SHA512
1be0a0a18dba99116db00164f19ea77d17a484c04cdc06a33d231349c224a9dc86999c908c9c46fb9bd649d2eb6afb69bc5406db2a987b4ed450239a89951c12

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad_770b37a3\system.conf

Filesize
105B

MD5
e29f11d7b378eeb1ba736c950dd00f5c

SHA1
278f415499b9a36576dd0fd94ffc9bc858f24187

SHA256
8f579fe5ec8d32c6e6db4b0e07e7a6219ef886b3e2434894fbb8ad522a8a0891

SHA512
59db83cd2785d350ca3707768abdfe912f3088aa3fa55d1e275526bdf4be22be05dae3fa662437c5e374693bf1c3417c56c7a7b06e5ebf6fcf49e6583e4a154f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad_770b37a3\system.conf

Filesize
113B

MD5
3ce4317d6bf7ac8cbe15a040944cb1e7

SHA1
f64b2cf8af896d30b9564652e8cfd3c8ca3f0495

SHA256
10892dc7173a0398500c6c4f8eba2952510cae5564dee7a8dd40ea654fc6ab7b

SHA512
60ab48fc431e0208c2158ff59c923fbc84e2eb475fbfea4b881851e3f43fc890baf86fecbbd3ec12ae1d85b38c1b3538d2f7611c97e666a5fcad385808865edd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad_770b37a3\user.conf

Filesize
132B

MD5
123c524682c9ff72ec7924efdb41b28c

SHA1
1e696d9f3e2bf149773186496c7ab9d5df35f9dd

SHA256
e67a68c5e7fa7d227a2fbdd50789472dbbf58471664b1d9b776a579de2757ff6

SHA512
676e5e2c4ff76b1942c1013a7ee9cd88b42424798e07c699c0cb534575bf4f6908366fe9c9a7e17d81e3f2209bf3fd7dd31463cdab5eea5d19475c10c00f696b

Download Submit
memory/836-132-0x0000000000E90000-0x0000000001710000-memory.dmp

Filesize
8.5MB

Download
memory/836-133-0x0000000000E90000-0x0000000001710000-memory.dmp

Filesize
8.5MB

Download
memory/836-147-0x0000000000E90000-0x0000000001710000-memory.dmp

Filesize
8.5MB

Download
memory/1396-137-0x0000000000E90000-0x0000000001710000-memory.dmp

Filesize
8.5MB

Download
memory/1396-135-0x0000000000000000-mapping.dmp

Download
memory/1396-148-0x0000000000E90000-0x0000000001710000-memory.dmp

Filesize
8.5MB

Download
memory/4696-138-0x0000000000E90000-0x0000000001710000-memory.dmp

Filesize
8.5MB

Download
memory/4696-136-0x0000000000000000-mapping.dmp

Download
memory/4696-149-0x0000000000E90000-0x0000000001710000-memory.dmp

Filesize
8.5MB

Download