Analysis
-
max time kernel
152s
-
max time network
154s
-
platform
windows7_x64
-
resource
win7v20210410
-
submitted
14-08-2021 13:41
Static task
static1
Behavioral task
behavioral1
Sample
AML_Commpliance_pdf.js
Resource
win7v20210410
General
-
Target
AML_Commpliance_pdf.js
-
Size
111KB
-
MD5
f41c8229b3c54c3ff51191372d9cb790
-
SHA1
c4d57e6f2b94060a94c4f84863a597c2ef58651d
-
SHA256
61b69d2a4ca9404f1a5b73fac4790b0a41c7c7f766ba90d5a459612b629bf9b1
-
SHA512
df6fd5888700d5acc5988821087c7a304e1ceff914320342dd1393f0366c6995828ffd9a82a36b029452215815fdb42e7c7aa9972ef16099fec7d7926a5f6c11
Malware Config
Extracted
limerat
1Cs8MjxkXtYwkDKypg8i1Vj5nzhANpgC6y
-
aes_key
2249
-
antivm
false
-
c2_url
https://pastebin.com/raw/G9wX4J5m
-
delay
8
-
download_payload
false
-
install
true
-
install_name
player.exe
-
main_folder
AppData
-
pin_spread
false
-
sub_folder
\
-
usb_spread
false
Signatures
-
Blocklisted process makes network request 17 IoCs
Processes: wscript.exe
flow  pid   process
7     1748  wscript.exe
8     1748  wscript.exe
9     1748  wscript.exe
15    1748  wscript.exe
18    1748  wscript.exe
21    1748  wscript.exe
27    1748  wscript.exe
30    1748  wscript.exe
33    1748  wscript.exe
37    1748  wscript.exe
40    1748  wscript.exe
43    1748  wscript.exe
48    1748  wscript.exe
51    1748  wscript.exe
54    1748  wscript.exe
59    1748  wscript.exe
61    1748  wscript.exe
-
Executes dropped EXE 2 IoCs
Processes: New-Client.exe, player.exe
pid   process
1764  New-Client.exe
1692  player.exe
-
Drops startup file 2 IoCs
Processes: wscript.exe
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AML_Commpliance_pdf.js (wscript.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AML_Commpliance_pdf.js (wscript.exe)
-
Loads dropped DLL 2 IoCs
Processes: New-Client.exe
pid   process
1764  New-Client.exe
1764  New-Client.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: wscript.exe
- Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\JXSCMTN53F = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AML_Commpliance_pdf.js\"" (wscript.exe)
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: player.exe
description              pid   process
Token: SeDebugPrivilege  1692  player.exe
Token: SeDebugPrivilege  1692  player.exe
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes: wscript.exe, wscript.exe, New-Client.exe
description                       pid   process         target process
PID 1748 wrote to memory of 1956  1748  wscript.exe     wscript.exe
PID 1748 wrote to memory of 1956  1748  wscript.exe     wscript.exe
PID 1748 wrote to memory of 1956  1748  wscript.exe     wscript.exe
PID 1956 wrote to memory of 1764  1956  wscript.exe     New-Client.exe
PID 1956 wrote to memory of 1764  1956  wscript.exe     New-Client.exe
PID 1956 wrote to memory of 1764  1956  wscript.exe     New-Client.exe
PID 1956 wrote to memory of 1764  1956  wscript.exe     New-Client.exe
PID 1748 wrote to memory of 568   1748  wscript.exe     schtasks.exe
PID 1748 wrote to memory of 568   1748  wscript.exe     schtasks.exe
PID 1748 wrote to memory of 568   1748  wscript.exe     schtasks.exe
PID 1764 wrote to memory of 1588  1764  New-Client.exe  schtasks.exe
PID 1764 wrote to memory of 1588  1764  New-Client.exe  schtasks.exe
PID 1764 wrote to memory of 1588  1764  New-Client.exe  schtasks.exe
PID 1764 wrote to memory of 1588  1764  New-Client.exe  schtasks.exe
PID 1764 wrote to memory of 1692  1764  New-Client.exe  player.exe
PID 1764 wrote to memory of 1692  1764  New-Client.exe  player.exe
PID 1764 wrote to memory of 1692  1764  New-Client.exe  player.exe
PID 1764 wrote to memory of 1692  1764  New-Client.exe  player.exe
Processes
-
C:\Windows\system32\wscript.exe
command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\AML_Commpliance_pdf.js
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
  C:\Windows\System32\wscript.exe
  command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\jXZTZBjYZp.js"
  - Suspicious use of WriteProcessMemory
  -
    C:\Users\Admin\AppData\Roaming\New-Client.exe
    command line: "C:\Users\Admin\AppData\Roaming\New-Client.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    -
      C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\player.exe'"
      - Creates scheduled task(s)
      -
      C:\Users\Admin\AppData\Roaming\player.exe
      command line: "C:\Users\Admin\AppData\Roaming\player.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\System32\schtasks.exe
  command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\AML_Commpliance_pdf.js
  - Creates scheduled task(s)
Downloads
-
C:\Users\Admin\AppData\Roaming\New-Client.exe
MD5 1ad564a6ca1520e8886faffc4e0ff1d4
SHA1 7d3b61daef1afed73838351dbf788448cf88d031
SHA256 2c3a771c2ecbd58409c3f348220c5d9419901e882c61531b68e07b80eb0d3df4
SHA512 b54d6cb92876546c38503e5e673d765f2e323246f5adbaefa83cdc62af6a462d117d3dc183666f902a84575590aa02f94d9997e7783e6f99050c57a710fab441
-
C:\Users\Admin\AppData\Roaming\jXZTZBjYZp.js
MD5 676c61e12789321127ee39d4f6040e6e
SHA1 d28eb6214cc3b5659d758ac1f64c7ad0d9a1d0f5
SHA256 c2ac77ca98d95ffa6ad11691c395bf22c564ab87f8dfad3211533a215b89d28b
SHA512 439218663821587f1727d7b833dae0991b75ae9f0e5a0761c72984758b3f1750fdca7242f1f8d9626561c3eeab826892d190112b901b1f632df75c820f67e5f8
-
C:\Users\Admin\AppData\Roaming\player.exe
MD5 1ad564a6ca1520e8886faffc4e0ff1d4
SHA1 7d3b61daef1afed73838351dbf788448cf88d031
SHA256 2c3a771c2ecbd58409c3f348220c5d9419901e882c61531b68e07b80eb0d3df4
SHA512 b54d6cb92876546c38503e5e673d765f2e323246f5adbaefa83cdc62af6a462d117d3dc183666f902a84575590aa02f94d9997e7783e6f99050c57a710fab441
-
memory/568-68-0x0000000000000000-mapping.dmp
-
memory/1588-69-0x0000000000000000-mapping.dmp
-
memory/1692-72-0x0000000000000000-mapping.dmp
-
memory/1692-76-0x0000000000220000-0x0000000000221000-memory.dmp
Filesize 4KB
-
memory/1748-60-0x000007FEFB8F1000-0x000007FEFB8F3000-memory.dmp
Filesize 8KB
-
memory/1764-63-0x0000000000000000-mapping.dmp
-
memory/1764-66-0x00000000757E1000-0x00000000757E3000-memory.dmp
Filesize 8KB
-
memory/1764-67-0x00000000003F0000-0x00000000003F1000-memory.dmp
Filesize 4KB
-
memory/1956-61-0x0000000000000000-mapping.dmp