08fee35f2462f93c96751755ff42f2f63525ad04e21543efe52a159c800ab80a

Analysis

max time kernel
106s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2023, 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LDPlayer9_ens_com.andreiboyy.fortnitecoin_3040_ld.exe
Size

3.6MB
MD5

90276982cc921f646f74f8310ef8cd6a
SHA1

37d5ff4e70485bbcc6e4ef6fa08d3b7839012d0f
SHA256

08fee35f2462f93c96751755ff42f2f63525ad04e21543efe52a159c800ab80a
SHA512

bdbdb26aaae5b84e7c8298e5e6033142f872e8f25578274c3a8c8fdc7d1e07033be62760b5230a67696bf9f4d885a7187d17680b271e713f1f1a111fa37edf2c
SSDEEP

49152:KpiUPlcfO74zHK+1ULjFvnxe2T9g4tGOPf28xuYT:KpPNcG74r1ULxvxew9g1op

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	LDPlayer.exe

Executes dropped EXE 1 IoCs

pid	Process
1316	LDPlayer.exe

Loads dropped DLL 3 IoCs

pid	Process
2584	LDPlayer9_ens_com.andreiboyy.fortnitecoin_3040_ld.exe
2584	LDPlayer9_ens_com.andreiboyy.fortnitecoin_3040_ld.exe
2584	LDPlayer9_ens_com.andreiboyy.fortnitecoin_3040_ld.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 7 IoCs

evasion

pid	Process
4152	taskkill.exe
4048	taskkill.exe
3712	taskkill.exe
1540	taskkill.exe
4784	taskkill.exe
4092	taskkill.exe
2100	taskkill.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2584	LDPlayer9_ens_com.andreiboyy.fortnitecoin_3040_ld.exe
2584	LDPlayer9_ens_com.andreiboyy.fortnitecoin_3040_ld.exe
2584	LDPlayer9_ens_com.andreiboyy.fortnitecoin_3040_ld.exe
2584	LDPlayer9_ens_com.andreiboyy.fortnitecoin_3040_ld.exe
2584	LDPlayer9_ens_com.andreiboyy.fortnitecoin_3040_ld.exe
1316	LDPlayer.exe
1316	LDPlayer.exe
1316	LDPlayer.exe
1316	LDPlayer.exe
1316	LDPlayer.exe
1316	LDPlayer.exe
1316	LDPlayer.exe
1316	LDPlayer.exe
1316	LDPlayer.exe
1316	LDPlayer.exe
1316	LDPlayer.exe
1316	LDPlayer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2584	LDPlayer9_ens_com.andreiboyy.fortnitecoin_3040_ld.exe
Token: SeShutdownPrivilege	2584	LDPlayer9_ens_com.andreiboyy.fortnitecoin_3040_ld.exe
Token: SeCreatePagefilePrivilege	2584	LDPlayer9_ens_com.andreiboyy.fortnitecoin_3040_ld.exe
Token: SeDebugPrivilege	1540	taskkill.exe
Token: SeDebugPrivilege	4784	taskkill.exe
Token: SeDebugPrivilege	4092	taskkill.exe
Token: SeDebugPrivilege	2100	taskkill.exe
Token: SeTakeOwnershipPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe
Token: SeDebugPrivilege	1316	LDPlayer.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 1540	2584	LDPlayer9_ens_com.andreiboyy.fortnitecoin_3040_ld.exe	95
PID 2584 wrote to memory of 1540	2584	LDPlayer9_ens_com.andreiboyy.fortnitecoin_3040_ld.exe	95
PID 2584 wrote to memory of 1540	2584	LDPlayer9_ens_com.andreiboyy.fortnitecoin_3040_ld.exe	95
PID 2584 wrote to memory of 4784	2584	LDPlayer9_ens_com.andreiboyy.fortnitecoin_3040_ld.exe	97
PID 2584 wrote to memory of 4784	2584	LDPlayer9_ens_com.andreiboyy.fortnitecoin_3040_ld.exe	97
PID 2584 wrote to memory of 4784	2584	LDPlayer9_ens_com.andreiboyy.fortnitecoin_3040_ld.exe	97
PID 2584 wrote to memory of 4092	2584	LDPlayer9_ens_com.andreiboyy.fortnitecoin_3040_ld.exe	99
PID 2584 wrote to memory of 4092	2584	LDPlayer9_ens_com.andreiboyy.fortnitecoin_3040_ld.exe	99
PID 2584 wrote to memory of 4092	2584	LDPlayer9_ens_com.andreiboyy.fortnitecoin_3040_ld.exe	99
PID 2584 wrote to memory of 2100	2584	LDPlayer9_ens_com.andreiboyy.fortnitecoin_3040_ld.exe	101
PID 2584 wrote to memory of 2100	2584	LDPlayer9_ens_com.andreiboyy.fortnitecoin_3040_ld.exe	101
PID 2584 wrote to memory of 2100	2584	LDPlayer9_ens_com.andreiboyy.fortnitecoin_3040_ld.exe	101
PID 2584 wrote to memory of 1316	2584	LDPlayer9_ens_com.andreiboyy.fortnitecoin_3040_ld.exe	103
PID 2584 wrote to memory of 1316	2584	LDPlayer9_ens_com.andreiboyy.fortnitecoin_3040_ld.exe	103
PID 2584 wrote to memory of 1316	2584	LDPlayer9_ens_com.andreiboyy.fortnitecoin_3040_ld.exe	103
PID 1316 wrote to memory of 4152	1316	LDPlayer.exe	104
PID 1316 wrote to memory of 4152	1316	LDPlayer.exe	104
PID 1316 wrote to memory of 4152	1316	LDPlayer.exe	104
PID 1316 wrote to memory of 4048	1316	LDPlayer.exe	106
PID 1316 wrote to memory of 4048	1316	LDPlayer.exe	106
PID 1316 wrote to memory of 4048	1316	LDPlayer.exe	106
PID 1316 wrote to memory of 3712	1316	LDPlayer.exe	108
PID 1316 wrote to memory of 3712	1316	LDPlayer.exe	108
PID 1316 wrote to memory of 3712	1316	LDPlayer.exe	108

C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.andreiboyy.fortnitecoin_3040_ld.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.andreiboyy.fortnitecoin_3040_ld.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM dnplayer.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1540
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM dnmultiplayer.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4784
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM dnupdate.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4092
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM bugreport.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2100
- C:\LDPlayer\LDPlayer9\LDPlayer.exe
  "C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -downloader -openid=3040 -language=en -path="C:\LDPlayer\LDPlayer9\" -silence
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM dnmultiplayerex.exe /T
    3⤵
    - Kills process with taskkill
    PID:4152
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM fynews.exe
    3⤵
    - Kills process with taskkill
    PID:4048
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM ldnews.exe
    3⤵
    - Kills process with taskkill
    PID:3712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LDPlayer\LDPlayer9\LDPlayer.exe

Filesize
410.6MB

MD5
1f0321a35d2c3038a2c6d84a17583399

SHA1
2962fa7b8c31a3f02a10633053bf88e1ca5b3286

SHA256
5b1a39d431a6359228995b63bd30d9785d0fbd4598e2431e908fe0cbc7c34e10

SHA512
03e2e20f079807c2acc50172fdeb21277e75fce00b30256c15809fb2a7c46d4d9cedda49f02b024a427b3d9fd3d2950297af42a08237d4440db4ade04b0d98ea

Download Submit
C:\LDPlayer\LDPlayer9\LDPlayer.exe

Filesize
419.6MB

MD5
e21ad05bb216a7eddf57d31e51ed761d

SHA1
d195bfebdcdc1da4b86cae72c0bfa8a66c30ef18

SHA256
0e75e33ef223b66a082b72bfc0011d53e089ff764c96363bd03b0d93e1e853a3

SHA512
1a9ac619936ab9238aa9c4e2a13c414d0a55e1fa93308752dab527ea7d0de1c6961597d8ffdffa0be250d1320b1d0a6a16c93cedda2b49abde6bc8d88d381d4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll

Filesize
62KB

MD5
2204cba332566d808353f256bd211595

SHA1
8da4d578601335c86a3c0b432d37011da316b6cc

SHA256
305c66014595e119140102a83fde0928b46902f7b5bd358cbfaf06145964ca3e

SHA512
ab58f9a6b6171a87eddddcfd11b49708269f33ab0f9f8406202eedb21c873aa2a38234f51f0b073ea84f7a182aff82b8e0596fb61400ffbc8d873fed7475fe7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll

Filesize
62KB

MD5
2204cba332566d808353f256bd211595

SHA1
8da4d578601335c86a3c0b432d37011da316b6cc

SHA256
305c66014595e119140102a83fde0928b46902f7b5bd358cbfaf06145964ca3e

SHA512
ab58f9a6b6171a87eddddcfd11b49708269f33ab0f9f8406202eedb21c873aa2a38234f51f0b073ea84f7a182aff82b8e0596fb61400ffbc8d873fed7475fe7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll

Filesize
62KB

MD5
2204cba332566d808353f256bd211595

SHA1
8da4d578601335c86a3c0b432d37011da316b6cc

SHA256
305c66014595e119140102a83fde0928b46902f7b5bd358cbfaf06145964ca3e

SHA512
ab58f9a6b6171a87eddddcfd11b49708269f33ab0f9f8406202eedb21c873aa2a38234f51f0b073ea84f7a182aff82b8e0596fb61400ffbc8d873fed7475fe7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup\ds.dll

Filesize
62KB

MD5
2204cba332566d808353f256bd211595

SHA1
8da4d578601335c86a3c0b432d37011da316b6cc

SHA256
305c66014595e119140102a83fde0928b46902f7b5bd358cbfaf06145964ca3e

SHA512
ab58f9a6b6171a87eddddcfd11b49708269f33ab0f9f8406202eedb21c873aa2a38234f51f0b073ea84f7a182aff82b8e0596fb61400ffbc8d873fed7475fe7a

Download Submit
memory/2584-159-0x0000000008910000-0x00000000089A2000-memory.dmp

Filesize
584KB

Download
memory/2584-160-0x0000000005F80000-0x0000000005F90000-memory.dmp

Filesize
64KB

Download
memory/2584-161-0x00000000095D0000-0x000000000966C000-memory.dmp

Filesize
624KB

Download
memory/2584-162-0x0000000009670000-0x00000000096D6000-memory.dmp

Filesize
408KB

Download
memory/2584-163-0x0000000009C10000-0x000000000A13C000-memory.dmp

Filesize
5.2MB

Download
memory/2584-164-0x0000000005F80000-0x0000000005F90000-memory.dmp

Filesize
64KB

Download
memory/2584-165-0x0000000009BF0000-0x0000000009BFA000-memory.dmp

Filesize
40KB

Download
memory/2584-158-0x0000000008F20000-0x00000000094C4000-memory.dmp

Filesize
5.6MB

Download
memory/2584-148-0x0000000072F20000-0x0000000072F34000-memory.dmp

Filesize
80KB

Download