Overview

overview

10

Static

static

new.exe

windows7_x64

10

new.exe

windows10_x64

3

Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    15-07-2020 12:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    new.exe

  • Size

    851KB

  • MD5

    6da3f250c69c7540fc0b665bf26d9bb5

  • SHA1

    5da0a0dee94cd2f49bba7d14402acb59d1650cd3

  • SHA256

    af14ffe4c3aa39dd8b219ca3cf1757492183c5ac069b507a1d36bb4430057582

  • SHA512

    1a09baf36739734d613bc537145e2de1b865790c99e0ec51525bc14931a1777be63163f527780d4579d9b59dc447102649b9797f10533753cff596ee6e0da56c

Score
10/10
limeratrat

Malware Config

Extracted

Family

limerat

Wallets

14dRC57Wbd8UH6Bff3LNzazwSHQHkcDPik

Attributes
  • aes_key

    12345

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/peS2LDTc

  • delay

    3

  • download_payload

    false

  • install

    true

  • install_name

    svchost.exe

  • main_folder

    AppData

  • pin_spread

    true

  • sub_folder

    \

  • usb_spread

    true

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

    ratlimerat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\new.exe
    "C:\Users\Admin\AppData\Local\Temp\new.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1460
    • C:\Users\Admin\AppData\Local\Temp\new.exe
      "{path}"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:788
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\svchost.exe'"
        3⤵
        • Creates scheduled task(s)
        PID:1772
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1124
        • C:\Users\Admin\AppData\Roaming\svchost.exe
          "{path}"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2004

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/788-2-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/788-4-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/788-5-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download