Malware Analysis Report

2024-11-16 13:10

Sample ID 220520-p647vscfc5
Target edb31b7d2d275a69de5a06ccfed47cd8ebea043e1fe982afe206647c22e252ac
SHA256 edb31b7d2d275a69de5a06ccfed47cd8ebea043e1fe982afe206647c22e252ac
Tags
limerat evasion persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

edb31b7d2d275a69de5a06ccfed47cd8ebea043e1fe982afe206647c22e252ac

Threat Level: Known bad

The file edb31b7d2d275a69de5a06ccfed47cd8ebea043e1fe982afe206647c22e252ac was found to be: Known bad.

Malicious Activity Summary

limerat evasion persistence rat

LimeRAT

Disables Task Manager via registry modification

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-20 12:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-20 12:57

Reported

2022-05-20 13:01

Platform

win7-20220414-en

Max time kernel

111s

Max time network

45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Scan 001.exe"

Signatures

LimeRAT

rat limerat

Disables Task Manager via registry modification

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\68108315\uepa.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wservices.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\68108315\uepa.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\68108315\\uepa.pif C:\\Users\\Admin\\68108315\\ggilu.kdb" C:\Users\Admin\68108315\uepa.pif N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1604 set thread context of 1748 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 800 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\Scan 001.exe C:\Users\Admin\68108315\uepa.pif
PID 800 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\Scan 001.exe C:\Users\Admin\68108315\uepa.pif
PID 800 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\Scan 001.exe C:\Users\Admin\68108315\uepa.pif
PID 800 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\Scan 001.exe C:\Users\Admin\68108315\uepa.pif
PID 1604 wrote to memory of 572 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 1604 wrote to memory of 572 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 1604 wrote to memory of 572 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 1604 wrote to memory of 572 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 1604 wrote to memory of 1388 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 1604 wrote to memory of 1388 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 1604 wrote to memory of 1388 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 1604 wrote to memory of 1388 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 1604 wrote to memory of 1156 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 1604 wrote to memory of 1156 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 1604 wrote to memory of 1156 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 1604 wrote to memory of 1156 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 1604 wrote to memory of 620 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 1604 wrote to memory of 620 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 1604 wrote to memory of 620 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 1604 wrote to memory of 620 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 1604 wrote to memory of 1644 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 1604 wrote to memory of 1644 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 1604 wrote to memory of 1644 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 1604 wrote to memory of 1644 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 1604 wrote to memory of 896 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 1604 wrote to memory of 896 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 1604 wrote to memory of 896 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 1604 wrote to memory of 896 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 1604 wrote to memory of 1592 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 1604 wrote to memory of 1592 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 1604 wrote to memory of 1592 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 1604 wrote to memory of 1592 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 1604 wrote to memory of 1748 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1604 wrote to memory of 1748 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1604 wrote to memory of 1748 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1604 wrote to memory of 1748 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1604 wrote to memory of 1748 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1604 wrote to memory of 1748 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1604 wrote to memory of 1748 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1604 wrote to memory of 1748 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1604 wrote to memory of 1748 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1748 wrote to memory of 1104 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 1748 wrote to memory of 1104 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 1748 wrote to memory of 1104 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 1748 wrote to memory of 1104 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 1748 wrote to memory of 924 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\AppData\Local\Temp\Wservices.exe
PID 1748 wrote to memory of 924 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\AppData\Local\Temp\Wservices.exe
PID 1748 wrote to memory of 924 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\AppData\Local\Temp\Wservices.exe
PID 1748 wrote to memory of 924 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\AppData\Local\Temp\Wservices.exe
PID 1748 wrote to memory of 924 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\AppData\Local\Temp\Wservices.exe
PID 1748 wrote to memory of 924 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\AppData\Local\Temp\Wservices.exe
PID 1748 wrote to memory of 924 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\AppData\Local\Temp\Wservices.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Scan 001.exe

"C:\Users\Admin\AppData\Local\Temp\Scan 001.exe"

C:\Users\Admin\68108315\uepa.pif

"C:\Users\Admin\68108315\uepa.pif" ggilu.kdb

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\Wservices.exe'"

C:\Users\Admin\AppData\Local\Temp\Wservices.exe

"C:\Users\Admin\AppData\Local\Temp\Wservices.exe"

Network

N/A

Files

memory/800-54-0x00000000765F1000-0x00000000765F3000-memory.dmp

\Users\Admin\68108315\uepa.pif

MD5 d3ffbde7ea1bcb2d0a6e6e12b0306625
SHA1 d8725bc8fdd1d5a5e7b9615dcd424bc9aa7322ff
SHA256 59e9d4edac6322ecfa53762dfaa541b2e6d7c3b0b9c6885fd7e0c3e18a38e14d
SHA512 70660fa375400b08610544b323dc7eb0f8258eda57822d1554f0811447a8e5fa0911e451a9a247a85a661cd5f7de8d6805e79617e62d5234bdf78e08b76b254a

\Users\Admin\68108315\uepa.pif

MD5 d3ffbde7ea1bcb2d0a6e6e12b0306625
SHA1 d8725bc8fdd1d5a5e7b9615dcd424bc9aa7322ff
SHA256 59e9d4edac6322ecfa53762dfaa541b2e6d7c3b0b9c6885fd7e0c3e18a38e14d
SHA512 70660fa375400b08610544b323dc7eb0f8258eda57822d1554f0811447a8e5fa0911e451a9a247a85a661cd5f7de8d6805e79617e62d5234bdf78e08b76b254a

\Users\Admin\68108315\uepa.pif

MD5 d3ffbde7ea1bcb2d0a6e6e12b0306625
SHA1 d8725bc8fdd1d5a5e7b9615dcd424bc9aa7322ff
SHA256 59e9d4edac6322ecfa53762dfaa541b2e6d7c3b0b9c6885fd7e0c3e18a38e14d
SHA512 70660fa375400b08610544b323dc7eb0f8258eda57822d1554f0811447a8e5fa0911e451a9a247a85a661cd5f7de8d6805e79617e62d5234bdf78e08b76b254a

\Users\Admin\68108315\uepa.pif

MD5 d3ffbde7ea1bcb2d0a6e6e12b0306625
SHA1 d8725bc8fdd1d5a5e7b9615dcd424bc9aa7322ff
SHA256 59e9d4edac6322ecfa53762dfaa541b2e6d7c3b0b9c6885fd7e0c3e18a38e14d
SHA512 70660fa375400b08610544b323dc7eb0f8258eda57822d1554f0811447a8e5fa0911e451a9a247a85a661cd5f7de8d6805e79617e62d5234bdf78e08b76b254a

memory/1604-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\68108315\uepa.pif

MD5 d3ffbde7ea1bcb2d0a6e6e12b0306625
SHA1 d8725bc8fdd1d5a5e7b9615dcd424bc9aa7322ff
SHA256 59e9d4edac6322ecfa53762dfaa541b2e6d7c3b0b9c6885fd7e0c3e18a38e14d
SHA512 70660fa375400b08610544b323dc7eb0f8258eda57822d1554f0811447a8e5fa0911e451a9a247a85a661cd5f7de8d6805e79617e62d5234bdf78e08b76b254a

C:\Users\Admin\68108315\ggilu.kdb

MD5 a4c0acbd75471d3b6969e81d6d9ce6e2
SHA1 13fe2ca0e1f65509142689d311328190f84f78d9
SHA256 8c4eff95e53c7d5358740ebddf1f2ab710bf6edaff7474303b2f5b5f27c76105
SHA512 e38b3a9bb8c5343183b66b0dfe581f3297aab004ac73425f5e77448af1bab0e0d990430855140d846d38641a06f5e5007aede7e63e81207428174c900d384bae

C:\Users\Admin\68108315\kivddcmfwg.jpg

MD5 5c9b742a88475c55b8aa557526fa382a
SHA1 e2cdc4dd9a79ef514f010391a82ec1374b26156f
SHA256 444ea59d80a254592ebbf261fa0a5078d42746a7e76be10f072a41252a47601b
SHA512 8b2a601be5168d98b818c02dac2ee9616c69ddfdaf28a75d4420f8ee8c94aef7e02660d9bc5b388b640be1acd5d2fe04113c0bb97be3b3f6399da9f4daa2df9a

memory/572-64-0x0000000000000000-mapping.dmp

memory/1388-65-0x0000000000000000-mapping.dmp

memory/1156-66-0x0000000000000000-mapping.dmp

memory/620-67-0x0000000000000000-mapping.dmp

memory/1644-68-0x0000000000000000-mapping.dmp

memory/896-69-0x0000000000000000-mapping.dmp

memory/1592-70-0x0000000000000000-mapping.dmp

memory/1748-71-0x0000000000360000-0x000000000095A000-memory.dmp

memory/1748-73-0x0000000000360000-0x000000000095A000-memory.dmp

memory/1748-74-0x0000000000368CCE-mapping.dmp

memory/1748-76-0x0000000000360000-0x000000000095A000-memory.dmp

memory/1748-78-0x0000000000360000-0x000000000095A000-memory.dmp

memory/1748-79-0x0000000000360000-0x000000000036C000-memory.dmp

memory/1104-80-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\Wservices.exe

MD5 0e06054beb13192588e745ee63a84173
SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

memory/924-83-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Wservices.exe

MD5 0e06054beb13192588e745ee63a84173
SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

C:\Users\Admin\AppData\Local\Temp\Wservices.exe

MD5 0e06054beb13192588e745ee63a84173
SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

memory/924-86-0x0000000000F00000-0x0000000000F0E000-memory.dmp

memory/924-87-0x0000000000350000-0x0000000000370000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-20 12:57

Reported

2022-05-20 13:02

Platform

win10v2004-20220414-en

Max time kernel

184s

Max time network

242s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Scan 001.exe"

Signatures

LimeRAT

rat limerat

Disables Task Manager via registry modification

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\68108315\uepa.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wservices.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Scan 001.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\Users\Admin\68108315\uepa.pif N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\68108315\uepa.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\68108315\\uepa.pif C:\\Users\\Admin\\68108315\\ggilu.kdb" C:\Users\Admin\68108315\uepa.pif N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3600 set thread context of 3652 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 976 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\Scan 001.exe C:\Users\Admin\68108315\uepa.pif
PID 976 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\Scan 001.exe C:\Users\Admin\68108315\uepa.pif
PID 976 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\Scan 001.exe C:\Users\Admin\68108315\uepa.pif
PID 3600 wrote to memory of 3928 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 3600 wrote to memory of 3928 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 3600 wrote to memory of 3928 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 3600 wrote to memory of 4928 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 3600 wrote to memory of 4928 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 3600 wrote to memory of 4928 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 3600 wrote to memory of 2684 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 3600 wrote to memory of 2684 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 3600 wrote to memory of 2684 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 3600 wrote to memory of 2332 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 3600 wrote to memory of 2332 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 3600 wrote to memory of 2332 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 3600 wrote to memory of 3524 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 3600 wrote to memory of 3524 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 3600 wrote to memory of 3524 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 3600 wrote to memory of 4268 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 3600 wrote to memory of 4268 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 3600 wrote to memory of 4268 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 3600 wrote to memory of 1556 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 3600 wrote to memory of 1556 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 3600 wrote to memory of 1556 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\SysWOW64\mshta.exe
PID 3600 wrote to memory of 3652 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3600 wrote to memory of 3652 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3600 wrote to memory of 3652 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3600 wrote to memory of 3652 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3600 wrote to memory of 3652 N/A C:\Users\Admin\68108315\uepa.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3652 wrote to memory of 2944 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 3652 wrote to memory of 2944 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 3652 wrote to memory of 2944 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 3652 wrote to memory of 5032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\AppData\Local\Temp\Wservices.exe
PID 3652 wrote to memory of 5032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\AppData\Local\Temp\Wservices.exe
PID 3652 wrote to memory of 5032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\AppData\Local\Temp\Wservices.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Scan 001.exe

"C:\Users\Admin\AppData\Local\Temp\Scan 001.exe"

C:\Users\Admin\68108315\uepa.pif

"C:\Users\Admin\68108315\uepa.pif" ggilu.kdb

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\Wservices.exe'"

C:\Users\Admin\AppData\Local\Temp\Wservices.exe

"C:\Users\Admin\AppData\Local\Temp\Wservices.exe"

Network

Country Destination Domain Proto
NL 8.248.1.254:80 N/A tcp
US 52.168.112.67:443 N/A tcp
IE 20.54.110.249:443 N/A tcp
NL 20.190.160.73:443 N/A tcp
NL 104.97.14.80:80 N/A tcp
NL 104.97.14.80:80 N/A tcp
NL 20.190.160.67:443 N/A tcp
NL 20.190.160.73:443 N/A tcp
NL 20.190.160.2:443 N/A tcp
NL 20.190.160.67:443 N/A tcp
NL 20.190.160.136:443 N/A tcp
US 8.8.8.8:53 storesdk.dsx.mp.microsoft.com udp
FR 2.18.109.224:443 storesdk.dsx.mp.microsoft.com tcp
NL 20.190.160.2:443 N/A tcp
NL 20.190.160.129:443 N/A tcp
NL 20.190.160.136:443 N/A tcp
NL 20.190.160.6:443 N/A tcp
US 8.8.8.8:53 14.110.152.52.in-addr.arpa udp
NL 20.190.160.129:443 N/A tcp
NL 20.190.160.129:443 N/A tcp
NL 20.190.160.6:443 N/A tcp
NL 20.190.160.6:443 N/A tcp
NL 20.190.160.6:443 N/A tcp
NL 20.190.160.8:443 N/A tcp
NL 20.190.160.8:443 N/A tcp

Files

memory/3600-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\68108315\uepa.pif

MD5 d3ffbde7ea1bcb2d0a6e6e12b0306625
SHA1 d8725bc8fdd1d5a5e7b9615dcd424bc9aa7322ff
SHA256 59e9d4edac6322ecfa53762dfaa541b2e6d7c3b0b9c6885fd7e0c3e18a38e14d
SHA512 70660fa375400b08610544b323dc7eb0f8258eda57822d1554f0811447a8e5fa0911e451a9a247a85a661cd5f7de8d6805e79617e62d5234bdf78e08b76b254a

C:\Users\Admin\68108315\uepa.pif

MD5 d3ffbde7ea1bcb2d0a6e6e12b0306625
SHA1 d8725bc8fdd1d5a5e7b9615dcd424bc9aa7322ff
SHA256 59e9d4edac6322ecfa53762dfaa541b2e6d7c3b0b9c6885fd7e0c3e18a38e14d
SHA512 70660fa375400b08610544b323dc7eb0f8258eda57822d1554f0811447a8e5fa0911e451a9a247a85a661cd5f7de8d6805e79617e62d5234bdf78e08b76b254a

C:\Users\Admin\68108315\ggilu.kdb

MD5 a4c0acbd75471d3b6969e81d6d9ce6e2
SHA1 13fe2ca0e1f65509142689d311328190f84f78d9
SHA256 8c4eff95e53c7d5358740ebddf1f2ab710bf6edaff7474303b2f5b5f27c76105
SHA512 e38b3a9bb8c5343183b66b0dfe581f3297aab004ac73425f5e77448af1bab0e0d990430855140d846d38641a06f5e5007aede7e63e81207428174c900d384bae

C:\Users\Admin\68108315\kivddcmfwg.jpg

MD5 5c9b742a88475c55b8aa557526fa382a
SHA1 e2cdc4dd9a79ef514f010391a82ec1374b26156f
SHA256 444ea59d80a254592ebbf261fa0a5078d42746a7e76be10f072a41252a47601b
SHA512 8b2a601be5168d98b818c02dac2ee9616c69ddfdaf28a75d4420f8ee8c94aef7e02660d9bc5b388b640be1acd5d2fe04113c0bb97be3b3f6399da9f4daa2df9a

memory/3928-135-0x0000000000000000-mapping.dmp

memory/4928-136-0x0000000000000000-mapping.dmp

memory/2684-137-0x0000000000000000-mapping.dmp

memory/2332-138-0x0000000000000000-mapping.dmp

memory/3524-139-0x0000000000000000-mapping.dmp

memory/4268-140-0x0000000000000000-mapping.dmp

memory/1556-141-0x0000000000000000-mapping.dmp

memory/3652-143-0x0000000001128CCE-mapping.dmp

memory/3652-142-0x0000000001120000-0x00000000017E8000-memory.dmp

memory/3652-144-0x0000000001120000-0x000000000112C000-memory.dmp

memory/3652-145-0x0000000005F20000-0x0000000005FBC000-memory.dmp

memory/3652-146-0x0000000005FC0000-0x0000000006026000-memory.dmp

memory/3652-147-0x0000000006BD0000-0x0000000007174000-memory.dmp

memory/2944-148-0x0000000000000000-mapping.dmp

memory/5032-149-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Wservices.exe

MD5 9d352bc46709f0cb5ec974633a0c3c94
SHA1 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

C:\Users\Admin\AppData\Local\Temp\Wservices.exe

MD5 9d352bc46709f0cb5ec974633a0c3c94
SHA1 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

memory/5032-152-0x0000000000D70000-0x0000000000D7E000-memory.dmp

memory/5032-153-0x0000000005540000-0x000000000557C000-memory.dmp