Analysis
-
max time kernel
72s -
max time network
132s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
03-11-2021 08:37
General
-
Target
2e45c3146bebd87ccef96e054374ea11.exe
-
Size
645KB
-
MD5
2e45c3146bebd87ccef96e054374ea11
-
SHA1
f2be6622242c311beb54f984c2fd85b865c2431c
-
SHA256
df6fa5b55c8196df0a53575cd26f5a7e53146899d41ab1a1a3acdb320f185d1f
-
SHA512
4277153eaea844fdcd1ab7920d290f7a877a2a46e6d71b5b962f445395e7c0299e859409fb52e96920bc31ab6d7ed2be81e69021c0145585984dc57c76469b51
Malware Config
Signatures
-
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2e45c3146bebd87ccef96e054374ea11.exe"C:\Users\Admin\AppData\Local\Temp\2e45c3146bebd87ccef96e054374ea11.exe"1⤵
- Modifies WinLogon for persistence
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /C schtasks /create /f /st "20:49" /sc weekly /mo "28" /d "Thu" /tn "NvTmRep_CrashReport{NNLQXVLP}" /tr "'explorer'http://bit.ly/2rkW7gZ"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /st "20:49" /sc weekly /mo "28" /d "Thu" /tn "NvTmRep_CrashReport{NNLQXVLP}" /tr "'explorer'http://bit.ly/2rkW7gZ"3⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\security\wowreg32.exe"C:\Users\Admin\AppData\Roaming\security\wowreg32.exe"2⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /f /st "15:00" /sc daily /mo "6" /tn "" /tr "'explorer'C_Settings.URL2"3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /f /st "15:00" /sc daily /mo "2" /tn "" /tr "'explorer'C_Settings.URL1"3⤵
- Creates scheduled task(s)
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 440 -s 37563⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
8KB
-
Filesize
20KB
-
Filesize
16KB
-
Filesize
12KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
20KB
-
Filesize
4KB
-
Filesize
8KB