Analysis
- max time kernel: 152s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 22:50
- Static task: static1
- Behavioral task: behavioral1
- Sample: ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe
- Resource: win7-20220414-en
General
- Target: ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe
- Size: 845KB
- MD5: c29b3a45fa82325fc62f03f2da1e2975
- SHA1: 2655cc45ccabc43db6791cd57080b1be3a84a775
- SHA256: ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0
- SHA512: 5baaaef6460890762441cbad946031809f2754b8fea363ed0a90267cb0a026ffdb9d686d51cd96010c6d7d82b8f9e2755eff9903c61cb0bc79d04fdb90bbf6ae
Malware Config
Extracted: limerat
- aes_key: NYANCAT
- antivm: false
- c2_url: https://pastebin.com/raw/RScXPXsx
- delay: 3
- download_payload: false
- install: false
- install_name: Server.exe
- main_folder: AppData
- pin_spread: false
- sub_folder: \Mail-Server\
- usb_spread: false
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  PID 3048 set thread context of 4752 | 3048 | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
  3048 | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe
  3048 | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 3048 | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe
  Token: SeBackupPrivilege | 4180 | dw20.exe
  Token: SeBackupPrivilege | 4180 | dw20.exe
  Token: SeDebugPrivilege | 4752 | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe
  Token: SeDebugPrivilege | 4752 | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (description | pid | process | target process):
  PID 3048 wrote to memory of 1728 | 3048 | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe | schtasks.exe
  PID 3048 wrote to memory of 1728 | 3048 | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe | schtasks.exe
  PID 3048 wrote to memory of 1728 | 3048 | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe | schtasks.exe
  PID 3048 wrote to memory of 4752 | 3048 | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe
  PID 3048 wrote to memory of 4752 | 3048 | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe
  PID 3048 wrote to memory of 4752 | 3048 | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe
  PID 3048 wrote to memory of 4752 | 3048 | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe
  PID 3048 wrote to memory of 4752 | 3048 | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe
  PID 3048 wrote to memory of 4752 | 3048 | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe
  PID 3048 wrote to memory of 4752 | 3048 | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe
  PID 3048 wrote to memory of 4180 | 3048 | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe | dw20.exe
  PID 3048 wrote to memory of 4180 | 3048 | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe | dw20.exe
  PID 3048 wrote to memory of 4180 | 3048 | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe | dw20.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe"
  - Checks BIOS information in registry
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KuDIkpeai" /XML "C:\Users\Admin\AppData\Local\Temp\tmp826E.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe"
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (depth 2)
    Command line: dw20.exe -x -s 1824
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp826E.tmp
  Filesize: 1KB
  MD5: 33068b7af198af0e057f4a38790bc333
  SHA1: dc2b412806a90777559f5334f570a228ea57cdac
  SHA256: 6c281c431fd69bf4227b55086e62eeb45242a223e97807021b62b4039c167820
  SHA512: 07a9bebd16bdbafb8df758fc7ffbaa88c67530653a00d3b333ad1602254897e52cef0e08c724e554d3fbd6ee884a3d9445aa72be760fb7498c3889ff4398441e
- memory/1728-131-0x0000000000000000-mapping.dmp
- memory/3048-130-0x0000000074B30000-0x00000000750E1000-memory.dmp
  Filesize: 5.7MB
- memory/4180-135-0x0000000000000000-mapping.dmp
- memory/4752-133-0x0000000000000000-mapping.dmp
- memory/4752-134-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/4752-136-0x0000000074B30000-0x00000000750E1000-memory.dmp
  Filesize: 5.7MB