limerat | 78aa904a6d06db0ae3190ffdecda755b20e7c4dff3c8dd2061a7d35e7171d5ca

Analysis

max time kernel
142s
max time network
25s
platform
windows7_x64
resource
win7v20201028
submitted
03-12-2020 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

officialdoc!_013_2020.exe
Size

225KB
MD5

084eecf7d4654a7e7f4a7c4e6044c967
SHA1

e481123bb8cf1a5790cbe9be9727ce37f511bda8
SHA256

78aa904a6d06db0ae3190ffdecda755b20e7c4dff3c8dd2061a7d35e7171d5ca
SHA512

7a7f5f4173667389d7736b922b6fc4576f115418d91ea47af9ec76f1261c430a1c629d01690bba41178df370a3e05d0e0b792631daab8642a515daa7fe66af5f

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Wallets

1HWT2xVoQathmVB5JBzhBMTfTh4sZH8iqZ

Attributes

aes_key
amanda
antivm
false
c2_url
https://pastebin.com/raw/8MC17U5q
delay
3
download_payload
true
install
true
install_name
OfficialDoc.exe
main_folder
Temp
payload_url
Downloads\xfiles.pdf
pin_spread
false
sub_folder
\
usb_spread
true

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Executes dropped EXE 2 IoCs

Processes:

OfficialDoc.exeOfficialDoc.exe

pid process

1480 OfficialDoc.exe
1992 OfficialDoc.exe
Loads dropped DLL 6 IoCs

Processes:

officialdoc!_013_2020.exeOfficialDoc.exeWerFault.exe

pid process

1572 officialdoc!_013_2020.exe
1572 officialdoc!_013_2020.exe
1480 OfficialDoc.exe
1636 WerFault.exe
1636 WerFault.exe
1636 WerFault.exe

pid	process
1480	OfficialDoc.exe
1992	OfficialDoc.exe

pid	process
1572	officialdoc!_013_2020.exe
1572	officialdoc!_013_2020.exe
1480	OfficialDoc.exe
1636	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 26 IoCs

Processes:

officialdoc!_013_2020.exeOfficialDoc.exe

pid	process
868	officialdoc!_013_2020.exe
868	officialdoc!_013_2020.exe
868	officialdoc!_013_2020.exe
868	officialdoc!_013_2020.exe
868	officialdoc!_013_2020.exe
868	officialdoc!_013_2020.exe
868	officialdoc!_013_2020.exe
868	officialdoc!_013_2020.exe
868	officialdoc!_013_2020.exe
868	officialdoc!_013_2020.exe
868	officialdoc!_013_2020.exe
868	officialdoc!_013_2020.exe
868	officialdoc!_013_2020.exe
1480	OfficialDoc.exe
1480	OfficialDoc.exe
1480	OfficialDoc.exe
1480	OfficialDoc.exe
1480	OfficialDoc.exe
1480	OfficialDoc.exe
1480	OfficialDoc.exe
1480	OfficialDoc.exe
1480	OfficialDoc.exe
1480	OfficialDoc.exe
1480	OfficialDoc.exe
1480	OfficialDoc.exe
1480	OfficialDoc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

officialdoc!_013_2020.exeOfficialDoc.exe

description	pid	process	target process
PID 868 set thread context of 1572	868	officialdoc!_013_2020.exe	officialdoc!_013_2020.exe
PID 1480 set thread context of 1992	1480	OfficialDoc.exe	OfficialDoc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

336 868 WerFault.exe officialdoc!_013_2020.exe
1636 1480 WerFault.exe OfficialDoc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1032 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2004 timeout.exe
1840 timeout.exe

pid	pid_target	process	target process
336	868	WerFault.exe	officialdoc!_013_2020.exe
1636	1480	WerFault.exe	OfficialDoc.exe

pid	process
1032	schtasks.exe

pid	process
2004	timeout.exe
1840	timeout.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

officialdoc!_013_2020.exeWerFault.exeOfficialDoc.exeWerFault.exe

pid	process
868	officialdoc!_013_2020.exe
868	officialdoc!_013_2020.exe
868	officialdoc!_013_2020.exe
336	WerFault.exe
336	WerFault.exe
336	WerFault.exe
336	WerFault.exe
336	WerFault.exe
1480	OfficialDoc.exe
1480	OfficialDoc.exe
1480	OfficialDoc.exe
1636	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

336 WerFault.exe

pid	process
336	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

officialdoc!_013_2020.exeWerFault.exeOfficialDoc.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	868	officialdoc!_013_2020.exe
Token: SeDebugPrivilege	336	WerFault.exe
Token: SeDebugPrivilege	1480	OfficialDoc.exe
Token: SeDebugPrivilege	1636	WerFault.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

officialdoc!_013_2020.execmd.exeofficialdoc!_013_2020.exeOfficialDoc.execmd.exe

description	pid	process	target process
PID 868 wrote to memory of 1808	868	officialdoc!_013_2020.exe	cmd.exe
PID 868 wrote to memory of 1808	868	officialdoc!_013_2020.exe	cmd.exe
PID 868 wrote to memory of 1808	868	officialdoc!_013_2020.exe	cmd.exe
PID 868 wrote to memory of 1808	868	officialdoc!_013_2020.exe	cmd.exe
PID 1808 wrote to memory of 2004	1808	cmd.exe	timeout.exe
PID 1808 wrote to memory of 2004	1808	cmd.exe	timeout.exe
PID 1808 wrote to memory of 2004	1808	cmd.exe	timeout.exe
PID 1808 wrote to memory of 2004	1808	cmd.exe	timeout.exe
PID 868 wrote to memory of 1572	868	officialdoc!_013_2020.exe	officialdoc!_013_2020.exe
PID 868 wrote to memory of 1572	868	officialdoc!_013_2020.exe	officialdoc!_013_2020.exe
PID 868 wrote to memory of 1572	868	officialdoc!_013_2020.exe	officialdoc!_013_2020.exe
PID 868 wrote to memory of 1572	868	officialdoc!_013_2020.exe	officialdoc!_013_2020.exe
PID 868 wrote to memory of 1572	868	officialdoc!_013_2020.exe	officialdoc!_013_2020.exe
PID 868 wrote to memory of 1572	868	officialdoc!_013_2020.exe	officialdoc!_013_2020.exe
PID 868 wrote to memory of 1572	868	officialdoc!_013_2020.exe	officialdoc!_013_2020.exe
PID 868 wrote to memory of 1572	868	officialdoc!_013_2020.exe	officialdoc!_013_2020.exe
PID 868 wrote to memory of 1572	868	officialdoc!_013_2020.exe	officialdoc!_013_2020.exe
PID 868 wrote to memory of 336	868	officialdoc!_013_2020.exe	WerFault.exe
PID 868 wrote to memory of 336	868	officialdoc!_013_2020.exe	WerFault.exe
PID 868 wrote to memory of 336	868	officialdoc!_013_2020.exe	WerFault.exe
PID 868 wrote to memory of 336	868	officialdoc!_013_2020.exe	WerFault.exe
PID 1572 wrote to memory of 1032	1572	officialdoc!_013_2020.exe	schtasks.exe
PID 1572 wrote to memory of 1032	1572	officialdoc!_013_2020.exe	schtasks.exe
PID 1572 wrote to memory of 1032	1572	officialdoc!_013_2020.exe	schtasks.exe
PID 1572 wrote to memory of 1032	1572	officialdoc!_013_2020.exe	schtasks.exe
PID 1572 wrote to memory of 1480	1572	officialdoc!_013_2020.exe	OfficialDoc.exe
PID 1572 wrote to memory of 1480	1572	officialdoc!_013_2020.exe	OfficialDoc.exe
PID 1572 wrote to memory of 1480	1572	officialdoc!_013_2020.exe	OfficialDoc.exe
PID 1572 wrote to memory of 1480	1572	officialdoc!_013_2020.exe	OfficialDoc.exe
PID 1480 wrote to memory of 1664	1480	OfficialDoc.exe	cmd.exe
PID 1480 wrote to memory of 1664	1480	OfficialDoc.exe	cmd.exe
PID 1480 wrote to memory of 1664	1480	OfficialDoc.exe	cmd.exe
PID 1480 wrote to memory of 1664	1480	OfficialDoc.exe	cmd.exe
PID 1664 wrote to memory of 1840	1664	cmd.exe	timeout.exe
PID 1664 wrote to memory of 1840	1664	cmd.exe	timeout.exe
PID 1664 wrote to memory of 1840	1664	cmd.exe	timeout.exe
PID 1664 wrote to memory of 1840	1664	cmd.exe	timeout.exe
PID 1480 wrote to memory of 1992	1480	OfficialDoc.exe	OfficialDoc.exe
PID 1480 wrote to memory of 1992	1480	OfficialDoc.exe	OfficialDoc.exe
PID 1480 wrote to memory of 1992	1480	OfficialDoc.exe	OfficialDoc.exe
PID 1480 wrote to memory of 1992	1480	OfficialDoc.exe	OfficialDoc.exe
PID 1480 wrote to memory of 1992	1480	OfficialDoc.exe	OfficialDoc.exe
PID 1480 wrote to memory of 1992	1480	OfficialDoc.exe	OfficialDoc.exe
PID 1480 wrote to memory of 1992	1480	OfficialDoc.exe	OfficialDoc.exe
PID 1480 wrote to memory of 1992	1480	OfficialDoc.exe	OfficialDoc.exe
PID 1480 wrote to memory of 1992	1480	OfficialDoc.exe	OfficialDoc.exe
PID 1480 wrote to memory of 1636	1480	OfficialDoc.exe	WerFault.exe
PID 1480 wrote to memory of 1636	1480	OfficialDoc.exe	WerFault.exe
PID 1480 wrote to memory of 1636	1480	OfficialDoc.exe	WerFault.exe
PID 1480 wrote to memory of 1636	1480	OfficialDoc.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\officialdoc!_013_2020.exe
"C:\Users\Admin\AppData\Local\Temp\officialdoc!_013_2020.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 4.669
2⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\timeout.exe
timeout 4.669
3⤵
- Delays execution with timeout.exe
PID:2004

C:\Users\Admin\AppData\Local\Temp\officialdoc!_013_2020.exe
"C:\Users\Admin\AppData\Local\Temp\officialdoc!_013_2020.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\OfficialDoc.exe'"
3⤵
- Creates scheduled task(s)
PID:1032

C:\Users\Admin\AppData\Local\Temp\OfficialDoc.exe
"C:\Users\Admin\AppData\Local\Temp\OfficialDoc.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 4.669
4⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\timeout.exe
timeout 4.669
5⤵
- Delays execution with timeout.exe
PID:1840

C:\Users\Admin\AppData\Local\Temp\OfficialDoc.exe
"C:\Users\Admin\AppData\Local\Temp\OfficialDoc.exe"
4⤵
- Executes dropped EXE
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1748
4⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 1740
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OfficialDoc.exe

MD5
084eecf7d4654a7e7f4a7c4e6044c967

SHA1
e481123bb8cf1a5790cbe9be9727ce37f511bda8

SHA256
78aa904a6d06db0ae3190ffdecda755b20e7c4dff3c8dd2061a7d35e7171d5ca

SHA512
7a7f5f4173667389d7736b922b6fc4576f115418d91ea47af9ec76f1261c430a1c629d01690bba41178df370a3e05d0e0b792631daab8642a515daa7fe66af5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OfficialDoc.exe

MD5
084eecf7d4654a7e7f4a7c4e6044c967

SHA1
e481123bb8cf1a5790cbe9be9727ce37f511bda8

SHA256
78aa904a6d06db0ae3190ffdecda755b20e7c4dff3c8dd2061a7d35e7171d5ca

SHA512
7a7f5f4173667389d7736b922b6fc4576f115418d91ea47af9ec76f1261c430a1c629d01690bba41178df370a3e05d0e0b792631daab8642a515daa7fe66af5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OfficialDoc.exe

MD5
084eecf7d4654a7e7f4a7c4e6044c967

SHA1
e481123bb8cf1a5790cbe9be9727ce37f511bda8

SHA256
78aa904a6d06db0ae3190ffdecda755b20e7c4dff3c8dd2061a7d35e7171d5ca

SHA512
7a7f5f4173667389d7736b922b6fc4576f115418d91ea47af9ec76f1261c430a1c629d01690bba41178df370a3e05d0e0b792631daab8642a515daa7fe66af5f

Download Submit
\Users\Admin\AppData\Local\Temp\OfficialDoc.exe

MD5
084eecf7d4654a7e7f4a7c4e6044c967

SHA1
e481123bb8cf1a5790cbe9be9727ce37f511bda8

SHA256
78aa904a6d06db0ae3190ffdecda755b20e7c4dff3c8dd2061a7d35e7171d5ca

SHA512
7a7f5f4173667389d7736b922b6fc4576f115418d91ea47af9ec76f1261c430a1c629d01690bba41178df370a3e05d0e0b792631daab8642a515daa7fe66af5f

Download Submit
\Users\Admin\AppData\Local\Temp\OfficialDoc.exe

MD5
084eecf7d4654a7e7f4a7c4e6044c967

SHA1
e481123bb8cf1a5790cbe9be9727ce37f511bda8

SHA256
78aa904a6d06db0ae3190ffdecda755b20e7c4dff3c8dd2061a7d35e7171d5ca

SHA512
7a7f5f4173667389d7736b922b6fc4576f115418d91ea47af9ec76f1261c430a1c629d01690bba41178df370a3e05d0e0b792631daab8642a515daa7fe66af5f

Download Submit
\Users\Admin\AppData\Local\Temp\OfficialDoc.exe

MD5
084eecf7d4654a7e7f4a7c4e6044c967

SHA1
e481123bb8cf1a5790cbe9be9727ce37f511bda8

SHA256
78aa904a6d06db0ae3190ffdecda755b20e7c4dff3c8dd2061a7d35e7171d5ca

SHA512
7a7f5f4173667389d7736b922b6fc4576f115418d91ea47af9ec76f1261c430a1c629d01690bba41178df370a3e05d0e0b792631daab8642a515daa7fe66af5f

Download Submit
\Users\Admin\AppData\Local\Temp\OfficialDoc.exe

MD5
084eecf7d4654a7e7f4a7c4e6044c967

SHA1
e481123bb8cf1a5790cbe9be9727ce37f511bda8

SHA256
78aa904a6d06db0ae3190ffdecda755b20e7c4dff3c8dd2061a7d35e7171d5ca

SHA512
7a7f5f4173667389d7736b922b6fc4576f115418d91ea47af9ec76f1261c430a1c629d01690bba41178df370a3e05d0e0b792631daab8642a515daa7fe66af5f

Download Submit
\Users\Admin\AppData\Local\Temp\OfficialDoc.exe

MD5
084eecf7d4654a7e7f4a7c4e6044c967

SHA1
e481123bb8cf1a5790cbe9be9727ce37f511bda8

SHA256
78aa904a6d06db0ae3190ffdecda755b20e7c4dff3c8dd2061a7d35e7171d5ca

SHA512
7a7f5f4173667389d7736b922b6fc4576f115418d91ea47af9ec76f1261c430a1c629d01690bba41178df370a3e05d0e0b792631daab8642a515daa7fe66af5f

Download Submit
\Users\Admin\AppData\Local\Temp\OfficialDoc.exe

MD5
084eecf7d4654a7e7f4a7c4e6044c967

SHA1
e481123bb8cf1a5790cbe9be9727ce37f511bda8

SHA256
78aa904a6d06db0ae3190ffdecda755b20e7c4dff3c8dd2061a7d35e7171d5ca

SHA512
7a7f5f4173667389d7736b922b6fc4576f115418d91ea47af9ec76f1261c430a1c629d01690bba41178df370a3e05d0e0b792631daab8642a515daa7fe66af5f

Download Submit
memory/336-17-0x00000000028F0000-0x0000000002901000-memory.dmp

Filesize
68KB

Download
memory/336-15-0x0000000000000000-mapping.dmp

Download
memory/336-16-0x00000000020F0000-0x0000000002101000-memory.dmp

Filesize
68KB

Download
memory/868-7-0x0000000000450000-0x00000000004B6000-memory.dmp

Filesize
408KB

Download
memory/868-2-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/868-3-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/1032-18-0x0000000000000000-mapping.dmp

Download
memory/1480-45-0x0000000000000000-mapping.dmp

Download
memory/1480-50-0x0000000000000000-mapping.dmp

Download
memory/1480-55-0x0000000000000000-mapping.dmp

Download
memory/1480-24-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/1480-25-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1480-54-0x0000000000000000-mapping.dmp

Download
memory/1480-53-0x0000000000000000-mapping.dmp

Download
memory/1480-52-0x0000000000000000-mapping.dmp

Download
memory/1480-51-0x0000000000000000-mapping.dmp

Download
memory/1480-21-0x0000000000000000-mapping.dmp

Download
memory/1480-49-0x0000000000000000-mapping.dmp

Download
memory/1480-48-0x0000000000000000-mapping.dmp

Download
memory/1480-47-0x0000000000000000-mapping.dmp

Download
memory/1480-46-0x0000000000000000-mapping.dmp

Download
memory/1480-44-0x0000000000000000-mapping.dmp

Download
memory/1480-42-0x0000000000000000-mapping.dmp

Download
memory/1572-9-0x0000000000408CAE-mapping.dmp

Download
memory/1572-10-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1572-12-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/1572-11-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1572-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1636-56-0x0000000002880000-0x0000000002891000-memory.dmp

Filesize
68KB

Download
memory/1636-37-0x0000000002020000-0x0000000002031000-memory.dmp

Filesize
68KB

Download
memory/1636-36-0x0000000000000000-mapping.dmp

Download
memory/1664-27-0x0000000000000000-mapping.dmp

Download
memory/1808-5-0x0000000000000000-mapping.dmp

Download
memory/1840-28-0x0000000000000000-mapping.dmp

Download
memory/1992-32-0x0000000000408CAE-mapping.dmp

Download
memory/1992-38-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/2004-6-0x0000000000000000-mapping.dmp

Download