Analysis
- max time kernel: 154s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 22:46

Static task: static1
Behavioral task: behavioral1
Sample: masarati.exe
Resource: win7-20220414-en
General
- Target: masarati.exe
- Size: 28KB
- MD5: e7e752581b91e5bf2eccb44298128ec5
- SHA1: e321813c52ec62ebadce88cf8afaea4415186129
- SHA256: 4adcc73ce3501f990fc95bfb0ebca1a4ca61054b137a34c7bc9435cfdd2b7f6a
- SHA512: 2681a39b47f8620cef044b4a8336fb3e9f1261ab595b540746aabc5eba26b238c5c11383d2d3b829d56d5279e78587e68e7875a585e702fba57b35719e6c4e82
Malware Config
Extracted
Family: limerat
12abaLRKG8Mg2F6V5jU3ek8FgMopZd9KEg
- aes_key: 4
- antivm: true
- c2_url: https://pastebin.com/raw/uSLpq9XN
- delay: 5
- download_payload: false
- install: true
- install_name: officework.exe
- main_folder: Temp
- pin_spread: true
- sub_folder: \
- usb_spread: false
Signatures

- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    736 | officework.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | masarati.exe

- Legitimate hosting services abused for malware hosting/C2 (1 TTP)

- Maps connected drives based on registry (3 TTPs, 4 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | officework.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | masarati.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | masarati.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | officework.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 736 | officework.exe
    Token: SeDebugPrivilege | 736 | officework.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description | pid | process | target process
    PID 2420 wrote to memory of 4144 | 2420 | masarati.exe | schtasks.exe
    PID 2420 wrote to memory of 4144 | 2420 | masarati.exe | schtasks.exe
    PID 2420 wrote to memory of 4144 | 2420 | masarati.exe | schtasks.exe
    PID 2420 wrote to memory of 736 | 2420 | masarati.exe | officework.exe
    PID 2420 wrote to memory of 736 | 2420 | masarati.exe | officework.exe
    PID 2420 wrote to memory of 736 | 2420 | masarati.exe | officework.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\masarati.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\masarati.exe"
  PID: 2420
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\officework.exe'"
    PID: 4144
    - Creates scheduled task(s)

  - C:\Users\Admin\AppData\Local\Temp\officework.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\officework.exe"
    PID: 736
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 28KB
  MD5: e7e752581b91e5bf2eccb44298128ec5
  SHA1: e321813c52ec62ebadce88cf8afaea4415186129
  SHA256: 4adcc73ce3501f990fc95bfb0ebca1a4ca61054b137a34c7bc9435cfdd2b7f6a
  SHA512: 2681a39b47f8620cef044b4a8336fb3e9f1261ab595b540746aabc5eba26b238c5c11383d2d3b829d56d5279e78587e68e7875a585e702fba57b35719e6c4e82

- Filesize: 28KB
  MD5: e7e752581b91e5bf2eccb44298128ec5
  SHA1: e321813c52ec62ebadce88cf8afaea4415186129
  SHA256: 4adcc73ce3501f990fc95bfb0ebca1a4ca61054b137a34c7bc9435cfdd2b7f6a
  SHA512: 2681a39b47f8620cef044b4a8336fb3e9f1261ab595b540746aabc5eba26b238c5c11383d2d3b829d56d5279e78587e68e7875a585e702fba57b35719e6c4e82