Analysis
-
max time kernel 149s
max time network 121s
platform windows7_x64
resource win7-20231215-en
resource tags arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
-
submitted
04/01/2024, 12:27
Static task
static1
Behavioral task
behavioral1
Sample
392db664586eaf9cbc166a7ebc9923b13eafd23adf6238a2b92782cefce0da68.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
392db664586eaf9cbc166a7ebc9923b13eafd23adf6238a2b92782cefce0da68.exe
Resource
win10v2004-20231222-en
General
-
Target
392db664586eaf9cbc166a7ebc9923b13eafd23adf6238a2b92782cefce0da68.exe
-
Size
7.1MB
-
MD5
8f0f0cb29eb6f83884569274f3a8f27c
-
SHA1
170b9b17087bab065db160ef339e22c3b4663be6
-
SHA256
392db664586eaf9cbc166a7ebc9923b13eafd23adf6238a2b92782cefce0da68
-
SHA512
da35e5d8a2e4f4da887e6547669d9923f61626c59159f007e59a563ce576c26369ba7a26c6b487795a037f5b6ce312eec160e2cb60303173db96f48cbc312924
-
SSDEEP
196608:xvXTigv7UOmCyb0Q3bUrkT5FNckx5SOaIbnK:9igTUOlybJork/NLK
Malware Config
Signatures
-
Drops file in Drivers directory 2 IoCs
On 64-bit Windows, C:\Windows\syswow64\drivers is where a 32-bit process's writes to C:\Windows\system32\drivers land under WoW64 file system redirection.
description ioc Process
File created C:\Windows\syswow64\drivers\Ldxghcore.sys LdxFileServer.exe
File created C:\Windows\syswow64\drivers\LdDisk.sys LdxFileServer.exe
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate Ldx.Exe
-
Executes dropped EXE 7 IoCs
pid Process
844 Ldx.Exe
2936 LdxFileServer.exe
2788 LdxFileServer.exe
3056 LdReject32.exe
3036 LdReject64.exe
1244 Process not Found
1112 Process not Found
-
Loads dropped DLL 25 IoCs
pid Process (25 load events, totals per process)
2236 392db664586eaf9cbc166a7ebc9923b13eafd23adf6238a2b92782cefce0da68.exe x5
844 Ldx.Exe x7
2788 LdxFileServer.exe x3
3056 LdReject32.exe x3
3036 LdReject64.exe x3
1244 Process not Found x3
1112 Process not Found x1
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: LdxFileServer.exe (21 drive letters, e: through z: except f:)
-
Drops file in System32 directory 9 IoCs
description ioc Process
File created C:\Windows\syswow64\LdxHook32.dll LdxFileServer.exe
File created C:\Windows\system32\ldxthunk_64.dll LdxFileServer.exe
File created C:\Windows\syswow64\ldxthunk_32.dll LdxFileServer.exe
File created C:\Windows\system32\Ldxghijt64.dll LdxFileServer.exe
File created C:\Windows\system32\ldxinject_64.dll LdxFileServer.exe
File created C:\Windows\syswow64\ldxinject_32.dll LdxFileServer.exe
File opened for modification C:\Windows\syswow64\LdxHook32.dll LdxFileServer.exe
File created C:\Windows\system32\LdxHook64.dll LdxFileServer.exe
File created C:\Windows\syswow64\Ldxghijt32.dll LdxFileServer.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\ Ldx.Exe
-
Modifies Internet Explorer settings 3 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main Ldx.Exe
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch Ldx.Exe
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" Ldx.Exe
-
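The signature tables above (the dropped drivers and System32 files, the SystemBiosDate query, the drive-letter probes and the Internet Explorer keys) are flattened "description ioc Process" rows. As an added example, not the sandbox's own code and not part of the analysed software, the following Python parses rows in that shape into records and applies the checks a reviewer otherwise does by eye: files created under system32 or syswow64, .sys files landing under the WoW64-redirected syswow64\drivers path, registry reads of HARDWARE\DESCRIPTION\System (the BIOS keys used for sandbox detection), and the set of drive letters probed. The row text is copied from this report; the finding names and the parsing regex are the example's own.

```python
"""Parse flattened sandbox-report signature rows into IoC records and triage them.

Added example for this page; not the sandbox's code and unrelated to the
analysed software. The rows below are copied from the report above.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Row prefixes that appear in the report's signature tables.
ACTIONS = (
    r"File created|File opened for modification|File opened \(read-only\)|"
    r"Key value queried|Key opened|Key created|Set value \(str\)"
)
# One row = action, target (may contain spaces), process name (no spaces),
# terminated by the next action or the end of the text.
ROW_RE = re.compile(rf"({ACTIONS})\s+(.+?)\s+(\S+?)\s*(?=(?:{ACTIONS})|$)", re.S)
DRIVE_RE = re.compile(r"\\\?\?\\([a-z]):")  # NT-style \??\x: root path

# Constructed input: a subset of the report's rows, in the same flattened shape.
SIGNATURE_ROWS = r"""
File created C:\Windows\syswow64\drivers\Ldxghcore.sys LdxFileServer.exe File created C:\Windows\syswow64\drivers\LdDisk.sys LdxFileServer.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate Ldx.Exe
File opened (read-only) \??\j: LdxFileServer.exe File opened (read-only) \??\e: LdxFileServer.exe File opened (read-only) \??\z: LdxFileServer.exe
File created C:\Windows\syswow64\LdxHook32.dll LdxFileServer.exe File created C:\Windows\system32\ldxthunk_64.dll LdxFileServer.exe File created C:\Windows\syswow64\ldxthunk_32.dll LdxFileServer.exe File opened for modification C:\Windows\syswow64\LdxHook32.dll LdxFileServer.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\ Ldx.Exe
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" Ldx.Exe
"""


@dataclass(frozen=True)
class Ioc:
    action: str
    target: str
    process: str


def parse_rows(text: str) -> list[Ioc]:
    """Split the flattened table text into Ioc records, in report order."""
    return [Ioc(a, t, p) for a, t, p in ROW_RE.findall(text)]


def triage(iocs: list[Ioc]) -> dict[str, list[str]]:
    """Apply the checks a reviewer makes by hand; finding names are this example's."""
    findings: dict[str, set[str]] = defaultdict(set)
    for ioc in iocs:
        low = ioc.target.lower()
        if ioc.action == "File created" and ("\\system32\\" in low or "\\syswow64\\" in low):
            findings["system_dir_drop"].add(ioc.target)
            # On 64-bit Windows a 32-bit process writing to system32\drivers is
            # redirected to syswow64\drivers by WoW64 file system redirection.
            if "\\syswow64\\drivers\\" in low and low.endswith(".sys"):
                findings["driver_under_wow64_redirect"].add(ioc.target)
        # HKLM\HARDWARE\DESCRIPTION\System holds the BIOS strings read for VM checks.
        if ioc.action.startswith("Key") and "\\hardware\\description\\system" in low:
            findings["bios_fingerprint"].add(ioc.process)
        if ioc.action == "File opened (read-only)" and (m := DRIVE_RE.fullmatch(low)):
            findings["drives_probed"].add(m.group(1))
    return {k: sorted(v) for k, v in findings.items()}


def by_process(iocs: list[Ioc]) -> dict[str, int]:
    """Number of IoC rows attributed to each process."""
    counts: dict[str, int] = defaultdict(int)
    for ioc in iocs:
        counts[ioc.process] += 1
    return dict(counts)


if __name__ == "__main__":
    rows = parse_rows(SIGNATURE_ROWS)
    for ioc in rows:
        print(f"{ioc.process:20} {ioc.action:28} {ioc.target}")
    print(by_process(rows))
    for name, items in triage(rows).items():
        print(f"{name}: {items}")
```

The lookahead on the next action keeps a target that itself contains spaces (the `Set value (str) ... = "WS not running"` row) from being split; the process name is the last whitespace-free token before the next row starts.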
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process (16 events, totals per process)
844 Ldx.Exe x6
2788 LdxFileServer.exe x8
3056 LdReject32.exe x1
3036 LdReject64.exe x1
-
Suspicious behavior: LoadsDriver 4 IoCs
pid Process
476 Process not Found x4
-
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process (12 events, totals per process)
2236 392db664586eaf9cbc166a7ebc9923b13eafd23adf6238a2b92782cefce0da68.exe x2
844 Ldx.Exe x2
3056 LdReject32.exe x4
3036 LdReject64.exe x4
-
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target (16 writes, 4 per edge)
PID 2236 wrote to memory of 844 (2236 392db664586eaf9cbc166a7ebc9923b13eafd23adf6238a2b92782cefce0da68.exe, procid_target 28) x4
PID 844 wrote to memory of 2936 (844 Ldx.Exe, procid_target 34) x4
PID 2788 wrote to memory of 3056 (2788 LdxFileServer.exe, procid_target 32) x4
PID 2788 wrote to memory of 3036 (2788 LdxFileServer.exe, procid_target 30) x4
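The WriteProcessMemory rows above give the parent-to-child edges the sandbox observed (2236 into 844, 844 into 2936, 2788 into 3056 and 3036), and the "Executes dropped EXE" table gives the pid-to-image mapping. As an added example, not the sandbox's own code and unrelated to the analysed software, the following Python rebuilds the process tree from those two flattened tables, taking the first process that wrote into a pid as its parent, and renders it in the indented style of the Processes section. The table strings are copied from this report; the tree-building logic and the `ProcessTree` type are the example's own.

```python
"""Rebuild a process tree from a sandbox report's flattened pid and
WriteProcessMemory tables.

Added example for this page; not the sandbox's code and unrelated to the
analysed software. The two table strings are copied from the report above.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

SAMPLE = "392db664586eaf9cbc166a7ebc9923b13eafd23adf6238a2b92782cefce0da68.exe"

# Constructed input: the flattened rows exactly as the report lists them.
PID_TABLE = (
    "844 Ldx.Exe 2936 LdxFileServer.exe 2788 LdxFileServer.exe 3056 LdReject32.exe "
    "3036 LdReject64.exe 1244 Process not Found 1112 Process not Found"
)
WPM_TABLE = " ".join(
    [f"PID 2236 wrote to memory of 844 2236 {SAMPLE} 28"] * 4
    + ["PID 844 wrote to memory of 2936 844 Ldx.Exe 34"] * 4
    + ["PID 2788 wrote to memory of 3056 2788 LdxFileServer.exe 32"] * 4
    + ["PID 2788 wrote to memory of 3036 2788 LdxFileServer.exe 30"] * 4
)

# "<pid> <image name>" pairs; names such as "Process not Found" contain spaces.
PID_ROW_RE = re.compile(r"(\d+) (.*?)(?= \d+ |$)")
# "PID <src> wrote to memory of <dst> <src> <src name> <procid_target>"
WPM_ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_pid_table(text: str) -> dict[int, str]:
    return {int(p): name for p, name in PID_ROW_RE.findall(text)}


def parse_wpm(text: str) -> list[tuple[int, int, str, int]]:
    """(writer pid, target pid, writer image, procid_target) per logged write."""
    return [(int(s), int(d), n, int(t)) for s, d, n, t in WPM_ROW_RE.findall(text)]


@dataclass
class ProcessTree:
    names: dict[int, str]
    parent: dict[int, int] = field(default_factory=dict)
    children: dict[int, list[int]] = field(default_factory=dict)
    writes: Counter = field(default_factory=Counter)  # (src, dst) -> write count

    def roots(self) -> list[int]:
        return sorted(p for p in self.names if p not in self.parent)

    def depth(self, pid: int) -> int:
        d = 1
        while pid in self.parent:
            pid = self.parent[pid]
            d += 1
        return d

    def render(self) -> list[str]:
        """Indented lines in the style of the report's Processes section."""
        out: list[str] = []

        def walk(pid: int) -> None:
            out.append("  " * (self.depth(pid) - 1) + f"{self.names[pid]} PID:{pid}")
            for child in sorted(self.children.get(pid, [])):
                walk(child)

        for root in self.roots():
            walk(root)
        return out


def build_tree(pid_table: str, wpm_table: str) -> ProcessTree:
    """The first process to write into a pid's memory is taken as its parent."""
    tree = ProcessTree(names=parse_pid_table(pid_table))
    for src, dst, src_name, _ in parse_wpm(wpm_table):
        tree.names.setdefault(src, src_name)  # the sample itself is only named here
        tree.parent.setdefault(dst, src)
        tree.writes[(src, dst)] += 1
    children: dict[int, list[int]] = defaultdict(list)
    for child, par in tree.parent.items():
        children[par].append(child)
    tree.children = dict(children)
    return tree


if __name__ == "__main__":
    t = build_tree(PID_TABLE, WPM_TABLE)
    print("\n".join(t.render()))
    print("writes per edge:", dict(t.writes))
```

Run stand-alone it prints the two "Process not Found" pids as roots, the sample at depth 1 with Ldx.Exe and the `-start` LdxFileServer.exe beneath it, and the `-service` LdxFileServer.exe (2788) as a second root with LdReject64.exe and LdReject32.exe under it; the Processes section below lists those two LdReject processes on their own, and it is the 2788 write edges that tie them to the service instance.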
Processes
-
C:\Users\Admin\AppData\Local\Temp\392db664586eaf9cbc166a7ebc9923b13eafd23adf6238a2b92782cefce0da68.exe
"C:\Users\Admin\AppData\Local\Temp\392db664586eaf9cbc166a7ebc9923b13eafd23adf6238a2b92782cefce0da68.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Users\Admin\AppData\Local\Temp\@tiprayldx@\252d0c605d640857541d71c4c71baa02\Ldx.Exe
"C:\Users\Admin\AppData\Local\Temp\@tiprayldx@\252d0c605d640857541d71c4c71baa02\Ldx.Exe" -srcfile "C:\Users\Admin\AppData\Local\Temp\392db664586eaf9cbc166a7ebc9923b13eafd23adf6238a2b92782cefce0da68.exe"
2⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:844 -
C:\InetPub\ftproot\Tipray\LdRead\LdxFileServer.exe
"C:\InetPub\ftproot\Tipray\LdRead\LdxFileServer.exe" -start
3⤵
- Executes dropped EXE
PID:2936
-
C:\InetPub\ftproot\Tipray\LdRead\LdReject64.exe
"C:\InetPub\ftproot\Tipray\LdRead\LdReject64.exe" 1
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3036
-
C:\InetPub\ftproot\Tipray\LdRead\LdReject32.exe
"C:\InetPub\ftproot\Tipray\LdRead\LdReject32.exe" 1
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3056
-
C:\InetPub\ftproot\Tipray\LdRead\LdxFileServer.exe
"C:\InetPub\ftproot\Tipray\LdRead\LdxFileServer.exe" -service
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2788
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 92KB
MD5 a99d58cfcd51f5b4da4d959846e78d0c
SHA1 a0de15e109bdfc42f42b1ea278debe5a8fceadb8
SHA256 930e148715c3bbf97e8b121d838ea991b2ef2d74a80148d17f4bb1597f6b67ae
SHA512 21723ad43af66c60acb080d9db7725dc19626a3d00e481ed0ec2e8dee7a5a64e73a226933bf9647c2d17e30565d31e147392948265c1c4a4f2e557b49adbd4ce