9d084dce91f4bcd742f906c94ea2791e7cf0ce0b0b7ef5e4e77fdd677c4dcfc3

Analysis

max time kernel
108s
max time network
88s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
17/06/2023, 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LDPlayer9_es_1009_ld.exe
Size

2.9MB
MD5

58c20ae367474645d8aa07c2cda911a1
SHA1

a06bf45bdd0645bedd0c7ce2fcc1bfa901ba3d85
SHA256

9d084dce91f4bcd742f906c94ea2791e7cf0ce0b0b7ef5e4e77fdd677c4dcfc3
SHA512

766a6eab3836ced555552c1fe8dbb8e4cb722202c1767a09fcacc173a17e37c88943a8e8b5883130c5018ddef5a5387840221d33aeba6985b0437b62a333e859
SSDEEP

49152:9Zg3BIpaMOuzULaJ1jqVOOIkx0OcltGbYhtEoO:9+3+pa9uzU81OVOOIk2OcmEh4

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1876	LDPlayer.exe

Loads dropped DLL 1 IoCs

pid	Process
1348	LDPlayer9_es_1009_ld.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 7 IoCs

evasion

pid	Process
1140	taskkill.exe
112	taskkill.exe
320	taskkill.exe
1784	taskkill.exe
1872	taskkill.exe
1412	taskkill.exe
340	taskkill.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1876	LDPlayer.exe
1876	LDPlayer.exe
1876	LDPlayer.exe
1876	LDPlayer.exe
1876	LDPlayer.exe
1876	LDPlayer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1784	taskkill.exe
Token: SeDebugPrivilege	1872	taskkill.exe
Token: SeDebugPrivilege	1412	taskkill.exe
Token: SeDebugPrivilege	340	taskkill.exe
Token: SeTakeOwnershipPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe
Token: SeDebugPrivilege	1876	LDPlayer.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 1784	1348	LDPlayer9_es_1009_ld.exe	29
PID 1348 wrote to memory of 1784	1348	LDPlayer9_es_1009_ld.exe	29
PID 1348 wrote to memory of 1784	1348	LDPlayer9_es_1009_ld.exe	29
PID 1348 wrote to memory of 1784	1348	LDPlayer9_es_1009_ld.exe	29
PID 1348 wrote to memory of 1872	1348	LDPlayer9_es_1009_ld.exe	32
PID 1348 wrote to memory of 1872	1348	LDPlayer9_es_1009_ld.exe	32
PID 1348 wrote to memory of 1872	1348	LDPlayer9_es_1009_ld.exe	32
PID 1348 wrote to memory of 1872	1348	LDPlayer9_es_1009_ld.exe	32
PID 1348 wrote to memory of 1412	1348	LDPlayer9_es_1009_ld.exe	34
PID 1348 wrote to memory of 1412	1348	LDPlayer9_es_1009_ld.exe	34
PID 1348 wrote to memory of 1412	1348	LDPlayer9_es_1009_ld.exe	34
PID 1348 wrote to memory of 1412	1348	LDPlayer9_es_1009_ld.exe	34
PID 1348 wrote to memory of 340	1348	LDPlayer9_es_1009_ld.exe	36
PID 1348 wrote to memory of 340	1348	LDPlayer9_es_1009_ld.exe	36
PID 1348 wrote to memory of 340	1348	LDPlayer9_es_1009_ld.exe	36
PID 1348 wrote to memory of 340	1348	LDPlayer9_es_1009_ld.exe	36
PID 1348 wrote to memory of 1876	1348	LDPlayer9_es_1009_ld.exe	38
PID 1348 wrote to memory of 1876	1348	LDPlayer9_es_1009_ld.exe	38
PID 1348 wrote to memory of 1876	1348	LDPlayer9_es_1009_ld.exe	38
PID 1348 wrote to memory of 1876	1348	LDPlayer9_es_1009_ld.exe	38
PID 1876 wrote to memory of 1140	1876	LDPlayer.exe	39
PID 1876 wrote to memory of 1140	1876	LDPlayer.exe	39
PID 1876 wrote to memory of 1140	1876	LDPlayer.exe	39
PID 1876 wrote to memory of 1140	1876	LDPlayer.exe	39
PID 1876 wrote to memory of 112	1876	LDPlayer.exe	42
PID 1876 wrote to memory of 112	1876	LDPlayer.exe	42
PID 1876 wrote to memory of 112	1876	LDPlayer.exe	42
PID 1876 wrote to memory of 112	1876	LDPlayer.exe	42
PID 1876 wrote to memory of 320	1876	LDPlayer.exe	44
PID 1876 wrote to memory of 320	1876	LDPlayer.exe	44
PID 1876 wrote to memory of 320	1876	LDPlayer.exe	44
PID 1876 wrote to memory of 320	1876	LDPlayer.exe	44

C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_es_1009_ld.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM dnplayer.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1784
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM dnmultiplayer.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM dnupdate.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1412
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM bugreport.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:340
- C:\LDPlayer\LDPlayer9\LDPlayer.exe
  "C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=1009 -language=es -path="C:\LDPlayer\LDPlayer9\"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM dnmultiplayerex.exe /T
    3⤵
    - Kills process with taskkill
    PID:1140
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM fynews.exe
    3⤵
    - Kills process with taskkill
    PID:112
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill" /F /IM ldnews.exe
    3⤵
    - Kills process with taskkill
    PID:320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LDPlayer\LDPlayer9\LDPlayer.exe

Filesize
624.1MB

MD5
de0a5cb29f81b73ba689fb446874d4d8

SHA1
eeb74cfeef30c660e4d03dfd49284ab970b65114

SHA256
67f466c10f62f65026c306de4b2583d659cca0442ed3a58bfe81c27bcf43a2b5

SHA512
71475fb07119959f3b5a444e2a66246fc732b3c51f5501be6a69488387ffac93d5c4600e938b9eff22b190b2df20f8b56e3e32c28661a060991ddddefdb1c675

Download Submit
\LDPlayer\LDPlayer9\LDPlayer.exe

Filesize
478.9MB

MD5
8bb399c1b71c16a4962a453efa2fb346

SHA1
bb281952175fea4edb17828bf22b2c969333f178

SHA256
a17e22410818dec7613e5fa0c350311176f881e776f3ee849071f9ff8c68c4d3

SHA512
52a3bc332651751fa1e7c57e2dce8094aa4efd21f5c0777f650cdd900e014b8385b25743bcc32dbc719784e27e2c13779097036b5593995a876672f27f39f4f4

Download Submit