Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    129s
  • max time network
    194s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    01/07/2021, 14:08

General

  • Target

    DECL G50 EURL.xlsx

  • Size

    1.2MB

  • MD5

    b97310e2ecc75a1ac5b7cf34503d1509

  • SHA1

    b34bd40fd5717e01cf5ba7cbe2bf8d5d8331783a

  • SHA256

    673d9ec17f2437917846f5ce799f30399d0739c9dd3e28d3d44b80b5f91de54f

  • SHA512

    e287c79a0cd275e232b3180fdf6b6c51b0c62285f5346d4ddd57e6c4e556cd1d033cef66d2939c3e7a7abd2867621fea5ba2cd52eae99db9a13acf3fa5fb22e9

Malware Config

Extracted

Family

limerat

Wallets

1LLUV51XQKqq94X965Cc6uGPXeZEGSqCdV

Attributes
  • aes_key

    NYANCAT

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/4pByu6u5

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Wservices.exe

  • main_folder

    AppData

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    true

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 9 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Uses the VBS compiler for execution 1 TTPs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\DECL G50 EURL.xlsx"
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:332
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:1416
    • C:\Users\Public\vbc.exe
      "C:\Users\Public\vbc.exe"
      2⤵
      • Modifies system executable filetype association
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:896
      • C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
        "C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:344
        • C:\Windows\svchost.com
          "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UGrisULjKfvkUY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8DCE.tmp"
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:1612
          • C:\Windows\SysWOW64\schtasks.exe
            C:\Windows\System32\schtasks.exe /Create /TN Updates\UGrisULjKfvkUY /XML C:\Users\Admin\AppData\Local\Temp\tmp8DCE.tmp
            5⤵
            • Creates scheduled task(s)
            PID:1796
        • C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
          "C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:820

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/332-93-0x0000000002EB0000-0x0000000002EB2000-memory.dmp

    Filesize

    8KB

  • memory/332-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/332-110-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/332-60-0x0000000071211000-0x0000000071213000-memory.dmp

    Filesize

    8KB

  • memory/332-59-0x000000002FF31000-0x000000002FF34000-memory.dmp

    Filesize

    12KB

  • memory/332-92-0x000000000539D000-0x000000000539F000-memory.dmp

    Filesize

    8KB

  • memory/332-90-0x000000000539C000-0x000000000539D000-memory.dmp

    Filesize

    4KB

  • memory/332-89-0x0000000005399000-0x000000000539C000-memory.dmp

    Filesize

    12KB

  • memory/332-88-0x0000000005397000-0x0000000005399000-memory.dmp

    Filesize

    8KB

  • memory/332-86-0x0000000005395000-0x0000000005397000-memory.dmp

    Filesize

    8KB

  • memory/332-85-0x0000000005393000-0x0000000005395000-memory.dmp

    Filesize

    8KB

  • memory/332-83-0x0000000005390000-0x0000000005392000-memory.dmp

    Filesize

    8KB

  • memory/344-75-0x0000000000960000-0x0000000000961000-memory.dmp

    Filesize

    4KB

  • memory/344-96-0x00000000007D0000-0x00000000007E7000-memory.dmp

    Filesize

    92KB

  • memory/344-81-0x0000000007F10000-0x0000000009F0F000-memory.dmp

    Filesize

    32.0MB

  • memory/344-95-0x00000000041B0000-0x0000000004205000-memory.dmp

    Filesize

    340KB

  • memory/344-77-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

    Filesize

    4KB

  • memory/820-109-0x0000000004D90000-0x0000000004D91000-memory.dmp

    Filesize

    4KB

  • memory/820-104-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/820-107-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/1416-62-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

    Filesize

    8KB