limerat | 55a7e512b86fee0bce3567e636c158a51fda03df1a2956cc2f20603e1c68a3d0

Analysis

max time kernel
150s
max time network
146s
platform
windows10_x64
resource
win10-en-20210920
submitted
27-09-2021 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Size

616KB
MD5

2f79e1ce8c8dde93cf2664eab439b767
SHA1

b294ba2284d45bfdaa842dd133c6c07f73bdc42d
SHA256

55a7e512b86fee0bce3567e636c158a51fda03df1a2956cc2f20603e1c68a3d0
SHA512

0e9ab1f5c65dc51054b81d2ab0b8fefbefbe9c8f0b06efb1c710421e1e875f60e81d1612a25e42ac4d60a189708efa238e036258a86b24c7d5470bf4a0d75a0f

Score

10^/10

limerat evasion rat

Malware Config

Extracted

Family

limerat

Wallets

bc1qe88ygu7xcv94gtk6wdnkhks5dpchwnvasjr4pf

Attributes

aes_key
lime
antivm
true
c2_url
https://pastebin.com/raw/d2wuKbQW
delay
4
download_payload
false
install
false
install_name
Wservices.exe
main_folder
Temp
pin_spread
true
sub_folder
\
usb_spread
true

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr

Loads dropped DLL 2 IoCs

Processes:

3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr

pid process

1084 3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
1084 3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
1084	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
1084	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr

Suspicious use of SetThreadContext 1 IoCs

Processes:

3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr

description	pid	process	target process
PID 2208 set thread context of 1084	2208	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1264 schtasks.exe

pid	process
1264	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrpowershell.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr

pid	process
2208	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
2208	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
1084	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
1084	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
1084	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
1084	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
1084	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
1084	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
1084	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
1084	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
1084	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrpowershell.exe3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr

description	pid	process
Token: SeDebugPrivilege	2208	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	3496	powershell.exe
Token: SeDebugPrivilege	1084	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
Token: SeDebugPrivilege	1084	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scrvbc.exe

description	pid	process	target process
PID 2208 wrote to memory of 3496	2208	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	powershell.exe
PID 2208 wrote to memory of 3496	2208	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	powershell.exe
PID 2208 wrote to memory of 3496	2208	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	powershell.exe
PID 2208 wrote to memory of 1264	2208	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	schtasks.exe
PID 2208 wrote to memory of 1264	2208	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	schtasks.exe
PID 2208 wrote to memory of 1264	2208	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	schtasks.exe
PID 2208 wrote to memory of 1084	2208	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 2208 wrote to memory of 1084	2208	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 2208 wrote to memory of 1084	2208	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 2208 wrote to memory of 1084	2208	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 2208 wrote to memory of 1084	2208	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 2208 wrote to memory of 1084	2208	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 2208 wrote to memory of 1084	2208	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
PID 1084 wrote to memory of 3748	1084	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	vbc.exe
PID 1084 wrote to memory of 3748	1084	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	vbc.exe
PID 1084 wrote to memory of 3748	1084	3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr	vbc.exe
PID 3748 wrote to memory of 3780	3748	vbc.exe	cvtres.exe
PID 3748 wrote to memory of 3780	3748	vbc.exe	cvtres.exe
PID 3748 wrote to memory of 3780	3748	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
"C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr" /S
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3496
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJUgiYbHhTGrD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2655.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1264
- C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
  "C:\Users\Admin\AppData\Local\Temp\3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cxdot5co\cxdot5co.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3748
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA341.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7522294778504183A36AE0692DC0311A.TMP"
      4⤵
      PID:3780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA341.tmp

MD5
e1d519f4cbce8f0cd351fbde76f83565

SHA1
1f0790583d545130d944b7ee03889515289ca49b

SHA256
76123b5acc5a013a0338866a55b4fb34b1b620cfc8ba97087354236f922fd855

SHA512
678b101c986cdec5853776aa0d4d1f29a13a5cedd3b71a26529ac153970acb1f1c07bbd2495c3027c6f83f2733222d120e2ea9306a427a44894f9db8859980c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cxdot5co\cxdot5co.0.vb

MD5
ff2148c1ea2773c2d088e4c16d322228

SHA1
4b0d0281a41cd61e488e0fc2f6fb014cbedd5c37

SHA256
372cb767933a0a72105932460a53ece1dfe2253edebc8677b33d806a5fc2a4f1

SHA512
c8dcb684394ace4caec727ebe94a1a6fdc5f2ab6a85a6ce9d3dba87b0952bfac9bdfb0d35829e3988b9e59a91332c971ac337a53482d62ee33124c1aa569e225

Download Submit
C:\Users\Admin\AppData\Local\Temp\cxdot5co\cxdot5co.cmdline

MD5
e099509f9ce12b96e8bc2b7dc332e6a4

SHA1
3ceb2ce7cf2d5056c887d56010b9e28d0ca145c1

SHA256
2036af70b5c5988f903d66b6deab594f435664f14c981ca48af9092f88f4210b

SHA512
99c4b10417fa9e9a1e1ecb4568bd3c3625f4b47e598b17938b1fcb95493f7c0013f2338edcbb5684ae8a07ebb55d4b4d92e8196e058fcf7c8c3749641aad82fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7522294778504183A36AE0692DC0311A.TMP

MD5
3bc8adeb12a0fcc53a2368d6b2ac06f1

SHA1
1fbf854011bdb8a6d8b876dd03eb58f70422b5c9

SHA256
05d3206e82e3219eaa0ea9825b64eb5d32f542f257a5ff4c72149ebe0a7be12b

SHA512
8885b4fc552332b8e667e425afbc9c18ec54fb561a49b085aef5fdc51142efc61bf7d2b868632d1f1a6e03b256b9422be706aa3cfa58a8de6ef15b94abb163cd

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\ICO\Firefox.ico

MD5
a561ca41d3b29c57ab61672df8d88ec9

SHA1
24567a929b98c2536cd2458fdce00ce7e29710f0

SHA256
f8c5b0b66dbab94ebed08de93cf2300c9933db9ba43b468a0cda09602a2520ce

SHA512
eede6794c1a7318fa6107069719fb6ea885b2aa0410e70b300fa65e349a7c6798eb232fb8b6ac254821145cf9de5b91846b1e80514a402a3234c1b336223b027

Download Submit
\Users\Admin\AppData\Local\Temp\IconLib.dll

MD5
45ecaf5e82da876240f9be946923406c

SHA1
0e79bfe8ecc9b0a22430d1c13c423fbf0ac2a61d

SHA256
087a0c5f789e964a2fbcb781015d3fc9d1757358bc63bb4e0b863b4dffdb6e4f

SHA512
6fd4a25051414b2d70569a82dff5522606bfc34d3eaeea54d2d924bc9c92e479c7fda178208026308a1bf9c90bee9dbcaf8716d85c2ab7f383b43b0734329bc8

Download Submit
\Users\Admin\AppData\Local\Temp\IconLib.dll

MD5
45ecaf5e82da876240f9be946923406c

SHA1
0e79bfe8ecc9b0a22430d1c13c423fbf0ac2a61d

SHA256
087a0c5f789e964a2fbcb781015d3fc9d1757358bc63bb4e0b863b4dffdb6e4f

SHA512
6fd4a25051414b2d70569a82dff5522606bfc34d3eaeea54d2d924bc9c92e479c7fda178208026308a1bf9c90bee9dbcaf8716d85c2ab7f383b43b0734329bc8

Download Submit
memory/1084-390-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/1084-132-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1084-386-0x0000000007A50000-0x0000000007A68000-memory.dmp

Filesize
96KB

Download
memory/1084-387-0x0000000007A70000-0x0000000007A8E000-memory.dmp

Filesize
120KB

Download
memory/1084-133-0x0000000000408DCE-mapping.dmp

Download
memory/1084-368-0x0000000005200000-0x000000000529C000-memory.dmp

Filesize
624KB

Download
memory/1264-131-0x0000000000000000-mapping.dmp

Download
memory/2208-123-0x00000000087A0000-0x00000000087D9000-memory.dmp

Filesize
228KB

Download
memory/2208-115-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/2208-124-0x0000000007F60000-0x0000000007F6A000-memory.dmp

Filesize
40KB

Download
memory/2208-118-0x0000000007BA0000-0x0000000007BA1000-memory.dmp

Filesize
4KB

Download
memory/2208-117-0x0000000007FC0000-0x0000000007FC1000-memory.dmp

Filesize
4KB

Download
memory/2208-120-0x0000000007B80000-0x0000000007B81000-memory.dmp

Filesize
4KB

Download
memory/2208-122-0x0000000007DD0000-0x0000000007DED000-memory.dmp

Filesize
116KB

Download
memory/2208-121-0x0000000007E70000-0x0000000007E71000-memory.dmp

Filesize
4KB

Download
memory/2208-126-0x0000000008A80000-0x0000000008A81000-memory.dmp

Filesize
4KB

Download
memory/2208-119-0x0000000007AC0000-0x0000000007FBE000-memory.dmp

Filesize
5.0MB

Download
memory/3496-129-0x0000000006890000-0x0000000006891000-memory.dmp

Filesize
4KB

Download
memory/3496-143-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

Filesize
4KB

Download
memory/3496-165-0x0000000008B10000-0x0000000008B11000-memory.dmp

Filesize
4KB

Download
memory/3496-166-0x0000000008E60000-0x0000000008E61000-memory.dmp

Filesize
4KB

Download
memory/3496-168-0x000000007EB10000-0x000000007EB11000-memory.dmp

Filesize
4KB

Download
memory/3496-170-0x0000000006883000-0x0000000006884000-memory.dmp

Filesize
4KB

Download
memory/3496-362-0x0000000008DF0000-0x0000000008DF1000-memory.dmp

Filesize
4KB

Download
memory/3496-153-0x0000000008920000-0x0000000008953000-memory.dmp

Filesize
204KB

Download
memory/3496-369-0x0000000008DE0000-0x0000000008DE1000-memory.dmp

Filesize
4KB

Download
memory/3496-145-0x0000000007B80000-0x0000000007B81000-memory.dmp

Filesize
4KB

Download
memory/3496-144-0x0000000007CD0000-0x0000000007CD1000-memory.dmp

Filesize
4KB

Download
memory/3496-160-0x0000000008900000-0x0000000008901000-memory.dmp

Filesize
4KB

Download
memory/3496-142-0x0000000006882000-0x0000000006883000-memory.dmp

Filesize
4KB

Download
memory/3496-141-0x0000000006880000-0x0000000006881000-memory.dmp

Filesize
4KB

Download
memory/3496-125-0x0000000000000000-mapping.dmp

Download
memory/3496-140-0x0000000007630000-0x0000000007631000-memory.dmp

Filesize
4KB

Download
memory/3496-137-0x0000000006D60000-0x0000000006D61000-memory.dmp

Filesize
4KB

Download
memory/3496-135-0x0000000006CC0000-0x0000000006CC1000-memory.dmp

Filesize
4KB

Download
memory/3496-130-0x0000000006F00000-0x0000000006F01000-memory.dmp

Filesize
4KB

Download
memory/3748-392-0x0000000000000000-mapping.dmp

Download
memory/3748-399-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/3780-396-0x0000000000000000-mapping.dmp

Download