Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 14-08-2021 13:41
- Static task: static1
- Behavioral task: behavioral1
- Sample: AML_Commpliance_pdf.js
- Resource: win7v20210410
General
- Target: AML_Commpliance_pdf.js
- Size: 111KB
- MD5: f41c8229b3c54c3ff51191372d9cb790
- SHA1: c4d57e6f2b94060a94c4f84863a597c2ef58651d
- SHA256: 61b69d2a4ca9404f1a5b73fac4790b0a41c7c7f766ba90d5a459612b629bf9b1
- SHA512: df6fd5888700d5acc5988821087c7a304e1ceff914320342dd1393f0366c6995828ffd9a82a36b029452215815fdb42e7c7aa9972ef16099fec7d7926a5f6c11
Malware Config
Extracted: limerat
- 1Cs8MjxkXtYwkDKypg8i1Vj5nzhANpgC6y
- aes_key: 2249
- antivm: false
- c2_url: https://pastebin.com/raw/G9wX4J5m
- delay: 8
- download_payload: false
- install: true
- install_name: player.exe
- main_folder: AppData
- pin_spread: false
- sub_folder: \
- usb_spread: false
Signatures
- Blocklisted process makes network request (18 IoCs)
  Processes: wscript.exe
  flows 8, 15, 18, 19, 24, 28, 31, 35, 38, 41, 44, 48, 51, 54, 60, 64, 68, 74, all from pid 3988 (wscript.exe)
- Executes dropped EXE (2 IoCs)
  Processes: New-Client.exe, player.exe
  pid   process
  2356  New-Client.exe
  3992  player.exe
- Drops startup file (2 IoCs)
  Processes: wscript.exe
  description                  ioc                                                                                              process
  File created                 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AML_Commpliance_pdf.js  wscript.exe
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AML_Commpliance_pdf.js  wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: wscript.exe
  description      ioc                                                                                                                                                                              process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\JXSCMTN53F = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AML_Commpliance_pdf.js\""  wscript.exe
  Key created      \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                          wscript.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, schtasks.exe
  pid   process
  2752  schtasks.exe
  1408  schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: player.exe
  description               pid   process
  Token: SeDebugPrivilege   3992  player.exe
  Token: SeDebugPrivilege   3992  player.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes: wscript.exe, wscript.exe, New-Client.exe
  description            pid   process         target process
  PID 3988 wrote to memory of 3336  3988  wscript.exe     wscript.exe
  PID 3988 wrote to memory of 3336  3988  wscript.exe     wscript.exe
  PID 3988 wrote to memory of 2752  3988  wscript.exe     schtasks.exe
  PID 3988 wrote to memory of 2752  3988  wscript.exe     schtasks.exe
  PID 3336 wrote to memory of 2356  3336  wscript.exe     New-Client.exe
  PID 3336 wrote to memory of 2356  3336  wscript.exe     New-Client.exe
  PID 3336 wrote to memory of 2356  3336  wscript.exe     New-Client.exe
  PID 2356 wrote to memory of 1408  2356  New-Client.exe  schtasks.exe
  PID 2356 wrote to memory of 1408  2356  New-Client.exe  schtasks.exe
  PID 2356 wrote to memory of 1408  2356  New-Client.exe  schtasks.exe
  PID 2356 wrote to memory of 3992  2356  New-Client.exe  player.exe
  PID 2356 wrote to memory of 3992  2356  New-Client.exe  player.exe
  PID 2356 wrote to memory of 3992  2356  New-Client.exe  player.exe
Processes
- C:\Windows\system32\wscript.exe (depth 1)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\AML_Commpliance_pdf.js
  Signatures: Blocklisted process makes network request; Drops startup file; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (depth 2)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\jXZTZBjYZp.js"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\New-Client.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\New-Client.exe"
      Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (depth 4)
        Command line: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\player.exe'"
        Signatures: Creates scheduled task(s)
      - C:\Users\Admin\AppData\Roaming\player.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Roaming\player.exe"
        Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Local\Temp\AML_Commpliance_pdf.js
    Signatures: Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\New-Client.exe
  MD5 1ad564a6ca1520e8886faffc4e0ff1d4
  SHA1 7d3b61daef1afed73838351dbf788448cf88d031
  SHA256 2c3a771c2ecbd58409c3f348220c5d9419901e882c61531b68e07b80eb0d3df4
  SHA512 b54d6cb92876546c38503e5e673d765f2e323246f5adbaefa83cdc62af6a462d117d3dc183666f902a84575590aa02f94d9997e7783e6f99050c57a710fab441
- C:\Users\Admin\AppData\Roaming\jXZTZBjYZp.js
  MD5 676c61e12789321127ee39d4f6040e6e
  SHA1 d28eb6214cc3b5659d758ac1f64c7ad0d9a1d0f5
  SHA256 c2ac77ca98d95ffa6ad11691c395bf22c564ab87f8dfad3211533a215b89d28b
  SHA512 439218663821587f1727d7b833dae0991b75ae9f0e5a0761c72984758b3f1750fdca7242f1f8d9626561c3eeab826892d190112b901b1f632df75c820f67e5f8
- C:\Users\Admin\AppData\Roaming\player.exe
  MD5 1ad564a6ca1520e8886faffc4e0ff1d4
  SHA1 7d3b61daef1afed73838351dbf788448cf88d031
  SHA256 2c3a771c2ecbd58409c3f348220c5d9419901e882c61531b68e07b80eb0d3df4
  SHA512 b54d6cb92876546c38503e5e673d765f2e323246f5adbaefa83cdc62af6a462d117d3dc183666f902a84575590aa02f94d9997e7783e6f99050c57a710fab441
- memory/1408-121-0x0000000000000000-mapping.dmp
- memory/2356-117-0x0000000000000000-mapping.dmp
- memory/2356-120-0x0000000002CA0000-0x0000000002CA1000-memory.dmp (Filesize 4KB)
- memory/2752-116-0x0000000000000000-mapping.dmp
- memory/3336-114-0x0000000000000000-mapping.dmp
- memory/3992-122-0x0000000000000000-mapping.dmp
- memory/3992-125-0x0000000002D70000-0x0000000002D71000-memory.dmp (Filesize 4KB)