e3daefbb33a22a70836b03a167f2055d91ccd76a006e21d528026a70240bf559

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231201-en
resource tags

arch:x64arch:x86image:win10v2004-20231201-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2023 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3daefbb33a22a70836b03a167f2055d91ccd76a006e21d528026a70240bf559.exe
Size

6.8MB
MD5

febabba0e02bf4a7b7c90da5d9943b38
SHA1

c40bdb617a0948edfbf7864900b4124c8a83f111
SHA256

e3daefbb33a22a70836b03a167f2055d91ccd76a006e21d528026a70240bf559
SHA512

e09e9b54429c6f79b39b7292651b17400c4bdadb17b0c92d71d3c1cccf0b4bb25c689da943877e169be698b797ad527a1e66a6fe42c231caf87cb76be70b5bb3
SSDEEP

196608:xJlFvv7UOmCyb0An6pkgNRtP6hi1ahzBt3:PTTUOlybRnuTRtP6hiO7

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Control Panel\International\Geo\Nation	e3daefbb33a22a70836b03a167f2055d91ccd76a006e21d528026a70240bf559.exe

Executes dropped EXE 1 IoCs

pid	Process
1804	Ldx.Exe

Loads dropped DLL 2 IoCs

pid	Process
1804	Ldx.Exe
1804	Ldx.Exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Software\Microsoft\Internet Explorer\IESettingSync	Ldx.Exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Ldx.Exe
Key created	\REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Ldx.Exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Ldx.Exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1804	Ldx.Exe
1804	Ldx.Exe
1804	Ldx.Exe
1804	Ldx.Exe
1804	Ldx.Exe
1804	Ldx.Exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1288	e3daefbb33a22a70836b03a167f2055d91ccd76a006e21d528026a70240bf559.exe
1288	e3daefbb33a22a70836b03a167f2055d91ccd76a006e21d528026a70240bf559.exe
1804	Ldx.Exe
1804	Ldx.Exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 1804	1288	e3daefbb33a22a70836b03a167f2055d91ccd76a006e21d528026a70240bf559.exe	89
PID 1288 wrote to memory of 1804	1288	e3daefbb33a22a70836b03a167f2055d91ccd76a006e21d528026a70240bf559.exe	89
PID 1288 wrote to memory of 1804	1288	e3daefbb33a22a70836b03a167f2055d91ccd76a006e21d528026a70240bf559.exe	89

C:\Users\Admin\AppData\Local\Temp\e3daefbb33a22a70836b03a167f2055d91ccd76a006e21d528026a70240bf559.exe
"C:\Users\Admin\AppData\Local\Temp\e3daefbb33a22a70836b03a167f2055d91ccd76a006e21d528026a70240bf559.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Users\Admin\AppData\Local\Temp\@tiprayldx@\327266209b479313a2d3e7e81d69504e\Ldx.Exe
  "C:\Users\Admin\AppData\Local\Temp\@tiprayldx@\327266209b479313a2d3e7e81d69504e\Ldx.Exe" -srcfile "C:\Users\Admin\AppData\Local\Temp\e3daefbb33a22a70836b03a167f2055d91ccd76a006e21d528026a70240bf559.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@tiprayldx@\327266209b479313a2d3e7e81d69504e\LdCab.exe

Filesize
401KB

MD5
918f6ef798c185ff5c7e2074c1d004bd

SHA1
b4c98ec18d06e8a98a687d39748dfc300cf9d6a7

SHA256
a399ac920fbff0b695efa2b513bdf1b662dd72161b733ac7d23174c7293c2341

SHA512
b2cbde32f9853c9f3786f3b0aa24a2ac876f2175e067ebc0d828b4693055b11504148b8d24ab8eaadefdd1b81c44c749d8f2ed97c326bf86094729e15f268d0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\@tiprayldx@\327266209b479313a2d3e7e81d69504e\Ldx.EN

Filesize
139KB

MD5
71be0d3c75db4d5dfb0b99d9580a491b

SHA1
6ed44c85f25506ad3a8a5cf3e257765906e4a27b

SHA256
9be0b427446ead7c41e130295a4c7aa67fbcf2681718d06d7b276f9f624ef794

SHA512
51e8f94e702411d301082db9ebc483b3ec30e9a1e224d8a2c08fef95dd9b6f734220f729149149f130ea5e80cbdbe89de513edab126fa77fad83acf81216803c

Download Submit
C:\Users\Admin\AppData\Local\Temp\@tiprayldx@\327266209b479313a2d3e7e81d69504e\Ldx.Exe

Filesize
145KB

MD5
22be0e351b4709d8215fdad530599fb0

SHA1
3425743b23602a6ed3bf220450ca71fb5b97cec4

SHA256
ee70436874d01633cf957cf2ea2f1cf50346fa67278893dc7dfe97a85534d72a

SHA512
07ad7205ddcf3196fc1c33f06504694116af11cea90f1dc737e321821a1a5a827d513ed059b0c89ab84bf14e6e7e577e73e67c4ecc75903e084e13cd3121b670

Download Submit
C:\Users\Admin\AppData\Local\Temp\@tiprayldx@\327266209b479313a2d3e7e81d69504e\Ldx.exe

Filesize
342KB

MD5
f38b4ede8006e90f3e29f3159c8e5667

SHA1
63a93ab87d235613efa45d51c169d3b3f7c863fb

SHA256
17bff712b96c3e915cdc5ac1fdfe598593b080e29576cdb6b2b665f316f67b51

SHA512
6f55043a6dda69dd43feb69efc1900d50b77a777b60dd9b05548bd33159951dda34448d9e0fd8fdedfeffe2f816ff7f29a2a956ee5100d0172b29fe85344152e

Download Submit
C:\Users\Admin\AppData\Local\Temp\@tiprayldx@\327266209b479313a2d3e7e81d69504e\Ldx.exe

Filesize
251KB

MD5
aba9830a5d83ea9461025370ec00c98f

SHA1
cb430a3558b4ab4dd336414ab0483c3dd7316746

SHA256
dc15dd996cdf343f2006a2aae4dcc19112300e34252b955fcf89b563e61ec4a7

SHA512
3875d54b1d657f7fade9e4887c5818849fa22b9a4c9daf6f29686a8980de442a648c6941f614a9a650f29c69c85fee38ae241ab8fe50b71798a4e85e51b2c38d

Download Submit
C:\Users\Admin\AppData\Local\Temp\@tiprayldx@\327266209b479313a2d3e7e81d69504e\LdxHook32.dll

Filesize
270KB

MD5
8afb7a5f14f031d05a48df59e4eef0c8

SHA1
22aa7fe7ffb609d5706dae1a3821c6ad7a6da8aa

SHA256
e02fb8354d8fbcf678eca2bab2b61eb318fa88620fa918976040f4089cef0279

SHA512
cefe4c26d3ff898f20166ded6ae75c7696b793dc701d85b9f07ca677e149e777d64d24e5b727e10463ef0ee4580dd032afb63e75660e08ac3872f55d6a38f894

Download Submit
C:\Users\Admin\AppData\Local\Temp\@tiprayldx@\327266209b479313a2d3e7e81d69504e\LdxHook32.dll

Filesize
206KB

MD5
b3d888035248ce8b814a3a8db94f3ae6

SHA1
289ff115b61a92fd690ea45201b94bf62b27d76c

SHA256
a0a8b990fecbd9b0b80733bea4e2f17337172e2580123e171a82ddedb2df1996

SHA512
790c4c60471378b499aaa8604239cf7c6d041228287036cc08e85de7e9ad53d500f72cb7dec34758362de0a0dd232d91905802ba114a5504f92517ebf211440b

Download Submit
C:\Users\Admin\AppData\Local\Temp\@tiprayldx@\327266209b479313a2d3e7e81d69504e\LdxShareData32.dll

Filesize
355KB

MD5
20aca2f79dd0f98812e5db37cfe32a2a

SHA1
c04b94a30d3f6fb92888d549cf583e0daa67194d

SHA256
488abaaaff747d4d14db6a04c95485aa21e494116134d4220c319dfa2601d170

SHA512
3ca4bab60d185015016c074543bbff1cfba413e4a95a69daf5b215b9bb086d0ed2d76d84eaa217d0570e52b4d49eed6301a2d01d0ac1497b6f5aca11641f3180

Download Submit
C:\Users\Admin\AppData\Local\Temp\@tiprayldx@\327266209b479313a2d3e7e81d69504e\NoIntercept.Html

Filesize
724B

MD5
2c70fe8030102eb34ce18c1b8b270b58

SHA1
934bbe800a90cbb6605fd0cf2bf86b32b3b4a499

SHA256
a6bac0bc69e1ddf29a9eebed4e553463139382e1b29910c0d60b1040ebd4dc07

SHA512
4ce1f8749360fb1b8b994423676712054dfa327a1a292171f8d3b2f39c3480c7246592a79a923b52155cec15999d116e1af6d201987e5e625b187132c6d2d8fa

Download Submit
memory/1804-246-0x0000000076FC2000-0x0000000076FC3000-memory.dmp

Filesize
4KB

Download
memory/1804-247-0x000000006EFB0000-0x000000006EFC0000-memory.dmp

Filesize
64KB

Download
memory/1804-245-0x000000006EFB0000-0x000000006EFC0000-memory.dmp

Filesize
64KB

Download
memory/1804-243-0x000000006EFB0000-0x000000006EFC0000-memory.dmp

Filesize
64KB

Download
memory/1804-242-0x000000006EFB0000-0x000000006EFC0000-memory.dmp

Filesize
64KB

Download
memory/1804-244-0x000000006EFB0000-0x000000006EFC0000-memory.dmp

Filesize
64KB

Download
memory/1804-239-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/1804-267-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1804-269-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download