Overview

overview

10

Static

static

10

48bae3b18a...c0.exe

windows7_x64

10

48bae3b18a...c0.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    139s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    25-05-2021 15:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    48bae3b18af5c2c01d01a8a899383cc0.exe

  • Size

    28KB

  • MD5

    48bae3b18af5c2c01d01a8a899383cc0

  • SHA1

    1aca6c456d5aae801e9b5c8eb638d56aeaf578ee

  • SHA256

    cdee11382a227ef32c72808129deabd7deab5e5c41ed31108242e7f53e2c62d7

  • SHA512

    6d620fbcdf8897ae46947314b4da38de97f39b8fd5fe4efa9b44af80095295ecc21576588c6e0e33ff23f24c0050b6eee7f5b3c84882b8b997efa951f4b82a9f

Score
10/10
limeratrat

Malware Config

Extracted

Family

limerat

Attributes
  • aes_key

    1234

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/hTv7e3sA

  • delay

    3

  • download_payload

    false

  • install

    true

  • install_name

    Registry.exe

  • main_folder

    UserProfile

  • pin_spread

    false

  • sub_folder

    \Contacts\

  • usb_spread

    true

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

    ratlimerat
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\48bae3b18af5c2c01d01a8a899383cc0.exe
    "C:\Users\Admin\AppData\Local\Temp\48bae3b18af5c2c01d01a8a899383cc0.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3904
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\Contacts\Registry.exe'"
      2⤵
      • Creates scheduled task(s)
      PID:1244
    • C:\Users\Admin\Contacts\Registry.exe
      "C:\Users\Admin\Contacts\Registry.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Contacts\Registry.exe
    MD5

    48bae3b18af5c2c01d01a8a899383cc0

    SHA1

    1aca6c456d5aae801e9b5c8eb638d56aeaf578ee

    SHA256

    cdee11382a227ef32c72808129deabd7deab5e5c41ed31108242e7f53e2c62d7

    SHA512

    6d620fbcdf8897ae46947314b4da38de97f39b8fd5fe4efa9b44af80095295ecc21576588c6e0e33ff23f24c0050b6eee7f5b3c84882b8b997efa951f4b82a9f

    Download Submit
  • C:\Users\Admin\Contacts\Registry.exe
    MD5

    48bae3b18af5c2c01d01a8a899383cc0

    SHA1

    1aca6c456d5aae801e9b5c8eb638d56aeaf578ee

    SHA256

    cdee11382a227ef32c72808129deabd7deab5e5c41ed31108242e7f53e2c62d7

    SHA512

    6d620fbcdf8897ae46947314b4da38de97f39b8fd5fe4efa9b44af80095295ecc21576588c6e0e33ff23f24c0050b6eee7f5b3c84882b8b997efa951f4b82a9f

    Download Submit
  • memory/1244-120-0x0000000000000000-mapping.dmp
    Download
  • memory/3904-114-0x0000000000AB0000-0x0000000000AB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3904-116-0x0000000005300000-0x0000000005301000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3904-117-0x0000000005260000-0x0000000005261000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3904-118-0x0000000005540000-0x0000000005541000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3904-119-0x0000000006010000-0x0000000006011000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4068-121-0x0000000000000000-mapping.dmp
    Download
  • memory/4068-128-0x0000000004F00000-0x0000000004F01000-memory.dmp
    Filesize

    4KB

    Download