Overview

overview

10

Static

static

1

LDPlayer9_...ld.exe

windows7-x64

10

LDPlayer9_...ld.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    364s
  • max time network
    358s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-04-2023 20:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LDPlayer9_es_1009_ld.exe

  • Size

    3.6MB

  • MD5

    90276982cc921f646f74f8310ef8cd6a

  • SHA1

    37d5ff4e70485bbcc6e4ef6fa08d3b7839012d0f

  • SHA256

    08fee35f2462f93c96751755ff42f2f63525ad04e21543efe52a159c800ab80a

  • SHA512

    bdbdb26aaae5b84e7c8298e5e6033142f872e8f25578274c3a8c8fdc7d1e07033be62760b5230a67696bf9f4d885a7187d17680b271e713f1f1a111fa37edf2c

  • SSDEEP

    49152:KpiUPlcfO74zHK+1ULjFvnxe2T9g4tGOPf28xuYT:KpPNcG74r1ULxvxew9g1op

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 7 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe
    "C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3324
    • C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM dnplayer.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4580
    • C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM dnmultiplayer.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2268
    • C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM dnupdate.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4780
    • C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM bugreport.exe /T
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1424
    • C:\LDPlayer\LDPlayer9\LDPlayer.exe
      "C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -downloader -openid=1009 -language=es -path="C:\LDPlayer\LDPlayer9\" -silence
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3732
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM dnmultiplayerex.exe /T
        3⤵
        • Kills process with taskkill
        PID:3356
      • C:\Windows\SysWOW64\taskkill.exe
        "taskkill" /F /IM fynews.exe
        3⤵
        • Kills process with taskkill
        PID:4752
      • C:\Windows\SysWOW64\taskkill.exe
        "taskkill" /F /IM ldnews.exe
        3⤵
        • Kills process with taskkill
        PID:2784

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\LDPlayer\LDPlayer9\LDPlayer.exe
    Filesize

    596.9MB

    MD5

    70d100f57dc8ff9be6a9e52e2106e5b0

    SHA1

    5fec67edf1636d67c5419d6de42008d60004aa7a

    SHA256

    0394879779f4ccddcd727c4b79e0c2149e0948d10457b425b2217d78912a7d2f

    SHA512

    700bdb5b9825ecefa1067e10c929b9ab713a0f455a24e6d764e3f71a38bc1f2606dac35e44d74cbffacf3e26ea6aac73bcf663122d83e30d6e37822fdb7ebcf0

    Download Submit

  • C:\LDPlayer\LDPlayer9\LDPlayer.exe
    Filesize

    596.9MB

    MD5

    70d100f57dc8ff9be6a9e52e2106e5b0

    SHA1

    5fec67edf1636d67c5419d6de42008d60004aa7a

    SHA256

    0394879779f4ccddcd727c4b79e0c2149e0948d10457b425b2217d78912a7d2f

    SHA512

    700bdb5b9825ecefa1067e10c929b9ab713a0f455a24e6d764e3f71a38bc1f2606dac35e44d74cbffacf3e26ea6aac73bcf663122d83e30d6e37822fdb7ebcf0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll
    Filesize

    62KB

    MD5

    2204cba332566d808353f256bd211595

    SHA1

    8da4d578601335c86a3c0b432d37011da316b6cc

    SHA256

    305c66014595e119140102a83fde0928b46902f7b5bd358cbfaf06145964ca3e

    SHA512

    ab58f9a6b6171a87eddddcfd11b49708269f33ab0f9f8406202eedb21c873aa2a38234f51f0b073ea84f7a182aff82b8e0596fb61400ffbc8d873fed7475fe7a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll
    Filesize

    62KB

    MD5

    2204cba332566d808353f256bd211595

    SHA1

    8da4d578601335c86a3c0b432d37011da316b6cc

    SHA256

    305c66014595e119140102a83fde0928b46902f7b5bd358cbfaf06145964ca3e

    SHA512

    ab58f9a6b6171a87eddddcfd11b49708269f33ab0f9f8406202eedb21c873aa2a38234f51f0b073ea84f7a182aff82b8e0596fb61400ffbc8d873fed7475fe7a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll
    Filesize

    62KB

    MD5

    2204cba332566d808353f256bd211595

    SHA1

    8da4d578601335c86a3c0b432d37011da316b6cc

    SHA256

    305c66014595e119140102a83fde0928b46902f7b5bd358cbfaf06145964ca3e

    SHA512

    ab58f9a6b6171a87eddddcfd11b49708269f33ab0f9f8406202eedb21c873aa2a38234f51f0b073ea84f7a182aff82b8e0596fb61400ffbc8d873fed7475fe7a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll
    Filesize

    62KB

    MD5

    2204cba332566d808353f256bd211595

    SHA1

    8da4d578601335c86a3c0b432d37011da316b6cc

    SHA256

    305c66014595e119140102a83fde0928b46902f7b5bd358cbfaf06145964ca3e

    SHA512

    ab58f9a6b6171a87eddddcfd11b49708269f33ab0f9f8406202eedb21c873aa2a38234f51f0b073ea84f7a182aff82b8e0596fb61400ffbc8d873fed7475fe7a

    Download Submit

  • memory/3324-153-0x0000000008D70000-0x0000000009314000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3324-157-0x0000000008AC0000-0x0000000008B52000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3324-161-0x0000000009740000-0x00000000097DC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3324-162-0x00000000097E0000-0x0000000009846000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3324-163-0x0000000009D80000-0x000000000A2AC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3324-164-0x00000000060C0000-0x00000000060D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3324-165-0x0000000002F20000-0x0000000002F2A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3324-149-0x00000000737C0000-0x00000000737D4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3324-145-0x00000000060C0000-0x00000000060D0000-memory.dmp

    Filesize

    64KB

    Download