Analysis
max time kernel: 151s
max time network: 162s
platform: windows7_x64
resource: win7-20220414-en
submitted: 20-05-2022 22:46
Static task: static1
Behavioral task: behavioral1
Sample: masarati.exe
Resource: win7-20220414-en
General
Target: masarati.exe
Size: 28KB
MD5: e7e752581b91e5bf2eccb44298128ec5
SHA1: e321813c52ec62ebadce88cf8afaea4415186129
SHA256: 4adcc73ce3501f990fc95bfb0ebca1a4ca61054b137a34c7bc9435cfdd2b7f6a
SHA512: 2681a39b47f8620cef044b4a8336fb3e9f1261ab595b540746aabc5eba26b238c5c11383d2d3b829d56d5279e78587e68e7875a585e702fba57b35719e6c4e82
Malware Config
Extracted: limerat
12abaLRKG8Mg2F6V5jU3ek8FgMopZd9KEg
aes_key: 4
antivm: true
c2_url: https://pastebin.com/raw/uSLpq9XN
delay: 5
download_payload: false
install: true
install_name: officework.exe
main_folder: Temp
pin_spread: true
sub_folder: \
usb_spread: false
Signatures

Executes dropped EXE (1 IoCs)
Processes (pid | process):
  844 | officework.exe

Loads dropped DLL (2 IoCs)
Processes (pid | process):
  336 | masarati.exe
  336 | masarati.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | masarati.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | masarati.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | officework.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | officework.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Modifies system certificate store
Processes (description | ioc | process):
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | officework.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 | officework.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 844 | officework.exe
  Token: SeDebugPrivilege | 844 | officework.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description | pid | process | target process):
  PID 336 wrote to memory of 2004 | 336 | masarati.exe | schtasks.exe
  PID 336 wrote to memory of 2004 | 336 | masarati.exe | schtasks.exe
  PID 336 wrote to memory of 2004 | 336 | masarati.exe | schtasks.exe
  PID 336 wrote to memory of 2004 | 336 | masarati.exe | schtasks.exe
  PID 336 wrote to memory of 844 | 336 | masarati.exe | officework.exe
  PID 336 wrote to memory of 844 | 336 | masarati.exe | officework.exe
  PID 336 wrote to memory of 844 | 336 | masarati.exe | officework.exe
  PID 336 wrote to memory of 844 | 336 | masarati.exe | officework.exe
Processes

C:\Users\Admin\AppData\Local\Temp\masarati.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\masarati.exe"
  PID: 336
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\officework.exe'"
    PID: 2004
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\officework.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\officework.exe"
    PID: 844
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 28KB
MD5: e7e752581b91e5bf2eccb44298128ec5
SHA1: e321813c52ec62ebadce88cf8afaea4415186129
SHA256: 4adcc73ce3501f990fc95bfb0ebca1a4ca61054b137a34c7bc9435cfdd2b7f6a
SHA512: 2681a39b47f8620cef044b4a8336fb3e9f1261ab595b540746aabc5eba26b238c5c11383d2d3b829d56d5279e78587e68e7875a585e702fba57b35719e6c4e82