80aa65d5387e33a0910711329c4b690f0fb773fa7f89ce8b65b3baf68f1af1bf

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2023 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80aa65d5387e33a0910711329c4b690f0fb773fa7f89ce8b65b3baf68f1af1bf.exe
Size

7.2MB
MD5

7d269f2a57045c92e965e1df8f45888a
SHA1

7aee0411dca787671da2bd27b6c3b43210ebe61e
SHA256

80aa65d5387e33a0910711329c4b690f0fb773fa7f89ce8b65b3baf68f1af1bf
SHA512

ca55b4bc1a9cf2ef48e2df1b053bbc9f7945c41d9c0ba1a0ce96798169ee552d82d526cda88055040937f37e902b58e815a9d23e7284da89cc1b13e032d0f9c4
SSDEEP

196608:xJlFhv7UOmCyb0An6pkgNRtP6hi1ahzBtjR7:PtTUOlybRnuTRtP6hiOPV

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	80aa65d5387e33a0910711329c4b690f0fb773fa7f89ce8b65b3baf68f1af1bf.exe

Executes dropped EXE 1 IoCs

pid	Process
2420	Ldx.Exe

Loads dropped DLL 2 IoCs

pid	Process
2420	Ldx.Exe
2420	Ldx.Exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Ldx.Exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Ldx.Exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\IESettingSync	Ldx.Exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Ldx.Exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2420	Ldx.Exe
2420	Ldx.Exe
2420	Ldx.Exe
2420	Ldx.Exe
2420	Ldx.Exe
2420	Ldx.Exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1544	80aa65d5387e33a0910711329c4b690f0fb773fa7f89ce8b65b3baf68f1af1bf.exe
1544	80aa65d5387e33a0910711329c4b690f0fb773fa7f89ce8b65b3baf68f1af1bf.exe
2420	Ldx.Exe
2420	Ldx.Exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2420	1544	80aa65d5387e33a0910711329c4b690f0fb773fa7f89ce8b65b3baf68f1af1bf.exe	92
PID 1544 wrote to memory of 2420	1544	80aa65d5387e33a0910711329c4b690f0fb773fa7f89ce8b65b3baf68f1af1bf.exe	92
PID 1544 wrote to memory of 2420	1544	80aa65d5387e33a0910711329c4b690f0fb773fa7f89ce8b65b3baf68f1af1bf.exe	92

C:\Users\Admin\AppData\Local\Temp\80aa65d5387e33a0910711329c4b690f0fb773fa7f89ce8b65b3baf68f1af1bf.exe
"C:\Users\Admin\AppData\Local\Temp\80aa65d5387e33a0910711329c4b690f0fb773fa7f89ce8b65b3baf68f1af1bf.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\@tiprayldx@\a500e4e7d1bd535e9b5fd25f9f0842e7\Ldx.Exe
  "C:\Users\Admin\AppData\Local\Temp\@tiprayldx@\a500e4e7d1bd535e9b5fd25f9f0842e7\Ldx.Exe" -srcfile "C:\Users\Admin\AppData\Local\Temp\80aa65d5387e33a0910711329c4b690f0fb773fa7f89ce8b65b3baf68f1af1bf.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\InetPub\ftproot\Tipray\LdRead\log\LdCab.log

Filesize
3KB

MD5
348805fa5cb326350020bd310a83ed12

SHA1
fec3259eda2f658f24219b3c2ef70ac0ce43ffd5

SHA256
940579bee5ccc6b1734b821038049ea7da6379a1874920cc28a70ed3a15ba574

SHA512
2f5a34bccc9282d922394a190c4e1bf620a0952e50e0ab8facf43c36d78533cb4fe1624035feebd2080215b02c7fc2c5ef8ae428b6392599ba1ed8a0623b68fa

Download Submit
C:\InetPub\ftproot\Tipray\LdRead\log\LdCab.log

Filesize
1KB

MD5
a339df906ec9304aab3ff47c9cb22152

SHA1
2bc9ad4a4cd29156c168f236cc111f3911f87df4

SHA256
1775805e392b38e960ff37a212e48d8ba0f5728b8846ee702f8550f222685a22

SHA512
b31fa7b33bba0250730161d89313e70acd24ae324bb6aad9c37b6f59f467ab4decdd38cd82384e5dbb2ac6c3ad91f3c84f86f8825676d4056aeed907347a0c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\@tiprayldx@\a500e4e7d1bd535e9b5fd25f9f0842e7\LdCab.exe

Filesize
401KB

MD5
918f6ef798c185ff5c7e2074c1d004bd

SHA1
b4c98ec18d06e8a98a687d39748dfc300cf9d6a7

SHA256
a399ac920fbff0b695efa2b513bdf1b662dd72161b733ac7d23174c7293c2341

SHA512
b2cbde32f9853c9f3786f3b0aa24a2ac876f2175e067ebc0d828b4693055b11504148b8d24ab8eaadefdd1b81c44c749d8f2ed97c326bf86094729e15f268d0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\@tiprayldx@\a500e4e7d1bd535e9b5fd25f9f0842e7\Ldx.EN

Filesize
139KB

MD5
71be0d3c75db4d5dfb0b99d9580a491b

SHA1
6ed44c85f25506ad3a8a5cf3e257765906e4a27b

SHA256
9be0b427446ead7c41e130295a4c7aa67fbcf2681718d06d7b276f9f624ef794

SHA512
51e8f94e702411d301082db9ebc483b3ec30e9a1e224d8a2c08fef95dd9b6f734220f729149149f130ea5e80cbdbe89de513edab126fa77fad83acf81216803c

Download Submit
C:\Users\Admin\AppData\Local\Temp\@tiprayldx@\a500e4e7d1bd535e9b5fd25f9f0842e7\Ldx.Exe

Filesize
1.2MB

MD5
3af3835a0cd112244090a3ab2f2e4fc4

SHA1
cd5484cb508fe9447dbf207373c9f4c6be14ae52

SHA256
4afb03583c18e85f1bbc9a5a6ffdacad136bc49ef7fe19c68da225d590b8e2aa

SHA512
57b897a0266e455a8e3b8d0f23d8afcdc39f43586232779110746ea13b5d9b9691f5dc8f5cadfc4aa4365d8ffc645cad5fcfeb43e2974eede3c6f8ac3ea4cab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\@tiprayldx@\a500e4e7d1bd535e9b5fd25f9f0842e7\Ldx.exe

Filesize
1.2MB

MD5
3af3835a0cd112244090a3ab2f2e4fc4

SHA1
cd5484cb508fe9447dbf207373c9f4c6be14ae52

SHA256
4afb03583c18e85f1bbc9a5a6ffdacad136bc49ef7fe19c68da225d590b8e2aa

SHA512
57b897a0266e455a8e3b8d0f23d8afcdc39f43586232779110746ea13b5d9b9691f5dc8f5cadfc4aa4365d8ffc645cad5fcfeb43e2974eede3c6f8ac3ea4cab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\@tiprayldx@\a500e4e7d1bd535e9b5fd25f9f0842e7\Ldx.exe

Filesize
1.2MB

MD5
3af3835a0cd112244090a3ab2f2e4fc4

SHA1
cd5484cb508fe9447dbf207373c9f4c6be14ae52

SHA256
4afb03583c18e85f1bbc9a5a6ffdacad136bc49ef7fe19c68da225d590b8e2aa

SHA512
57b897a0266e455a8e3b8d0f23d8afcdc39f43586232779110746ea13b5d9b9691f5dc8f5cadfc4aa4365d8ffc645cad5fcfeb43e2974eede3c6f8ac3ea4cab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\@tiprayldx@\a500e4e7d1bd535e9b5fd25f9f0842e7\LdxHook32.dll

Filesize
270KB

MD5
8afb7a5f14f031d05a48df59e4eef0c8

SHA1
22aa7fe7ffb609d5706dae1a3821c6ad7a6da8aa

SHA256
e02fb8354d8fbcf678eca2bab2b61eb318fa88620fa918976040f4089cef0279

SHA512
cefe4c26d3ff898f20166ded6ae75c7696b793dc701d85b9f07ca677e149e777d64d24e5b727e10463ef0ee4580dd032afb63e75660e08ac3872f55d6a38f894

Download Submit
C:\Users\Admin\AppData\Local\Temp\@tiprayldx@\a500e4e7d1bd535e9b5fd25f9f0842e7\LdxHook32.dll

Filesize
270KB

MD5
8afb7a5f14f031d05a48df59e4eef0c8

SHA1
22aa7fe7ffb609d5706dae1a3821c6ad7a6da8aa

SHA256
e02fb8354d8fbcf678eca2bab2b61eb318fa88620fa918976040f4089cef0279

SHA512
cefe4c26d3ff898f20166ded6ae75c7696b793dc701d85b9f07ca677e149e777d64d24e5b727e10463ef0ee4580dd032afb63e75660e08ac3872f55d6a38f894

Download Submit
C:\Users\Admin\AppData\Local\Temp\@tiprayldx@\a500e4e7d1bd535e9b5fd25f9f0842e7\LdxShareData32.dll

Filesize
355KB

MD5
20aca2f79dd0f98812e5db37cfe32a2a

SHA1
c04b94a30d3f6fb92888d549cf583e0daa67194d

SHA256
488abaaaff747d4d14db6a04c95485aa21e494116134d4220c319dfa2601d170

SHA512
3ca4bab60d185015016c074543bbff1cfba413e4a95a69daf5b215b9bb086d0ed2d76d84eaa217d0570e52b4d49eed6301a2d01d0ac1497b6f5aca11641f3180

Download Submit
C:\Users\Admin\AppData\Local\Temp\@tiprayldx@\a500e4e7d1bd535e9b5fd25f9f0842e7\LdxShareData32.dll

Filesize
355KB

MD5
20aca2f79dd0f98812e5db37cfe32a2a

SHA1
c04b94a30d3f6fb92888d549cf583e0daa67194d

SHA256
488abaaaff747d4d14db6a04c95485aa21e494116134d4220c319dfa2601d170

SHA512
3ca4bab60d185015016c074543bbff1cfba413e4a95a69daf5b215b9bb086d0ed2d76d84eaa217d0570e52b4d49eed6301a2d01d0ac1497b6f5aca11641f3180

Download Submit
C:\Users\Admin\AppData\Local\Temp\@tiprayldx@\a500e4e7d1bd535e9b5fd25f9f0842e7\NoIntercept.Html

Filesize
724B

MD5
2c70fe8030102eb34ce18c1b8b270b58

SHA1
934bbe800a90cbb6605fd0cf2bf86b32b3b4a499

SHA256
a6bac0bc69e1ddf29a9eebed4e553463139382e1b29910c0d60b1040ebd4dc07

SHA512
4ce1f8749360fb1b8b994423676712054dfa327a1a292171f8d3b2f39c3480c7246592a79a923b52155cec15999d116e1af6d201987e5e625b187132c6d2d8fa

Download Submit
memory/2420-244-0x000000006F390000-0x000000006F3A0000-memory.dmp

Filesize
64KB

Download
memory/2420-243-0x00000000773A2000-0x00000000773A3000-memory.dmp

Filesize
4KB

Download
memory/2420-242-0x000000006F390000-0x000000006F3A0000-memory.dmp

Filesize
64KB

Download
memory/2420-245-0x000000006F390000-0x000000006F3A0000-memory.dmp

Filesize
64KB

Download
memory/2420-247-0x00000000773A2000-0x00000000773A3000-memory.dmp

Filesize
4KB

Download
memory/2420-248-0x000000006F390000-0x000000006F3A0000-memory.dmp

Filesize
64KB

Download
memory/2420-246-0x000000006F390000-0x000000006F3A0000-memory.dmp

Filesize
64KB

Download
memory/2420-237-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2420-268-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2420-269-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download