Analysis
- max time kernel: 149s
- max time network: 141s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 25-05-2021 15:08

Static task: static1
Behavioral task: behavioral1
Sample: 48bae3b18af5c2c01d01a8a899383cc0.exe
Resource: win7v20210410
General
- Target: 48bae3b18af5c2c01d01a8a899383cc0.exe
- Size: 28KB
- MD5: 48bae3b18af5c2c01d01a8a899383cc0
- SHA1: 1aca6c456d5aae801e9b5c8eb638d56aeaf578ee
- SHA256: cdee11382a227ef32c72808129deabd7deab5e5c41ed31108242e7f53e2c62d7
- SHA512: 6d620fbcdf8897ae46947314b4da38de97f39b8fd5fe4efa9b44af80095295ecc21576588c6e0e33ff23f24c0050b6eee7f5b3c84882b8b997efa951f4b82a9f
Malware Config
Extracted family: limerat
- aes_key: 1234
- antivm: false
- c2_url: https://pastebin.com/raw/hTv7e3sA
- delay: 3
- download_payload: false
- install: true
- install_name: Registry.exe
- main_folder: UserProfile
- pin_spread: false
- sub_folder: \Contacts\
- usb_spread: true
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  580 Registry.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  1888 48bae3b18af5c2c01d01a8a899383cc0.exe (2 hits)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid, process):
  580 Registry.exe (14 hits)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege, 580 Registry.exe (2 hits)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  PID 1888 wrote to memory of 1644: 1888 48bae3b18af5c2c01d01a8a899383cc0.exe -> schtasks.exe (4 hits)
  PID 1888 wrote to memory of 580: 1888 48bae3b18af5c2c01d01a8a899383cc0.exe -> Registry.exe (4 hits)
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\48bae3b18af5c2c01d01a8a899383cc0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\48bae3b18af5c2c01d01a8a899383cc0.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\Contacts\Registry.exe'"
      - Creates scheduled task(s)
    - C:\Users\Admin\Contacts\Registry.exe
      Command line: "C:\Users\Admin\Contacts\Registry.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Contacts\Registry.exe
  MD5: 48bae3b18af5c2c01d01a8a899383cc0
  SHA1: 1aca6c456d5aae801e9b5c8eb638d56aeaf578ee
  SHA256: cdee11382a227ef32c72808129deabd7deab5e5c41ed31108242e7f53e2c62d7
  SHA512: 6d620fbcdf8897ae46947314b4da38de97f39b8fd5fe4efa9b44af80095295ecc21576588c6e0e33ff23f24c0050b6eee7f5b3c84882b8b997efa951f4b82a9f
- \Users\Admin\Contacts\Registry.exe
  MD5: 48bae3b18af5c2c01d01a8a899383cc0
  SHA1: 1aca6c456d5aae801e9b5c8eb638d56aeaf578ee
  SHA256: cdee11382a227ef32c72808129deabd7deab5e5c41ed31108242e7f53e2c62d7
  SHA512: 6d620fbcdf8897ae46947314b4da38de97f39b8fd5fe4efa9b44af80095295ecc21576588c6e0e33ff23f24c0050b6eee7f5b3c84882b8b997efa951f4b82a9f
- memory/580-64-0x0000000000000000-mapping.dmp
- memory/580-67-0x0000000000C00000-0x0000000000C01000-memory.dmp (Filesize: 4KB)
- memory/580-70-0x0000000004CB0000-0x0000000004CB1000-memory.dmp (Filesize: 4KB)
- memory/1644-61-0x0000000000000000-mapping.dmp
- memory/1888-59-0x00000000012F0000-0x00000000012F1000-memory.dmp (Filesize: 4KB)
- memory/1888-69-0x00000000047D0000-0x00000000047D1000-memory.dmp (Filesize: 4KB)