Analysis
- max time kernel: 97s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 12:56
Static task: static1
Behavioral task: behavioral1 (Sample: Parcel receipt.scr; Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: Parcel receipt.scr; Resource: win10v2004-20220414-en)
General
- Target: Parcel receipt.scr
- Size: 928KB
- MD5: cce93b0317a848c601a12f2a3c3cd14f
- SHA1: 7f3bb0b8c36cbab52de216b69fe1ede97b1f6899
- SHA256: 7e1aedab87d6c23e82dd24f2a1975da18d252d5646365a5776a7f3089268c946
- SHA512: f2977f53388a3145fc734cc6747b58a73a879247a6ab14495d96cea7b45531579bde773f5e6f0ed76dcac68903b9467d287421045f9cf507e4be332aa1d1aa78
Malware Config
Extracted: limerat
- aes_key: 123456789
- antivm: false
- c2_url: https://pastebin.com/raw/5cXHFyui
- delay: 3
- download_payload: false
- install: true
- install_name: Wservices.exe
- main_folder: Temp
- pin_spread: false
- sub_folder: \
- usb_spread: false

Notes on the extracted config: the c2_url is a Pastebin raw paste, which LimeRAT uses as a dead-drop resolver; the paste body carries the real host:port, so the operator can rotate the C2 without rebuilding the client, and the paste content rather than the URL is the indicator that changes over time. The aes_key is the shared secret for the client/server traffic; a trivial key such as 123456789 is typical of a default build. The install settings (install true, main_folder Temp, install_name Wservices.exe) match the copy at C:\Users\Admin\AppData\Local\Temp\Wservices.exe and the LimeRAT-Admin scheduled task recorded in the process tree.
Signatures
- Disables Task Manager via registry modification
- Executes dropped EXE (2 IoCs)
  PID 1956 thaepnern.pif
  PID 1748 Wservices.exe
- Loads dropped DLL (5 IoCs)
  PID 864 Parcel receipt.scr (4 loads)
  PID 1356 RegSvcs.exe (1 load)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created by thaepnern.pif: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  Set value (str) by thaepnern.pif: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\43486004\\THAEPN~1.PIF C:\\Users\\Admin\\AppData\\Roaming\\43486004\\jvganwua.cvm"
  (The value data uses the 8.3 short name THAEPN~1.PIF for thaepnern.pif, so a hunt that matches on the long filename will miss it; match on the directory and the .PIF/.cvm pair instead.)
- Suspicious use of SetThreadContext (1 IoC)
  PID 1956 thaepnern.pif set thread context of PID 1356 RegSvcs.exe
  (Combined with the nine WriteProcessMemory IoCs into the same PID and RegSvcs.exe being launched with no assembly argument, this is the process-hollowing pattern: the LimeRAT payload runs inside the legitimate .NET RegSvcs.exe image.)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic note for this signature reads "likely ransomware behaviour"; for a LimeRAT sample, drive enumeration is more plausibly the RAT's removable-drive check, even though usb_spread is false in the extracted config, and nothing else in this run points to file encryption. Treat the tag as a weak signal.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  PID 1956 thaepnern.pif (7)
  PID 1356 RegSvcs.exe (4)
- Suspicious use of WriteProcessMemory (52 IoCs)
  PID 864 Parcel receipt.scr -> PID 1956 thaepnern.pif (4)
  PID 1956 thaepnern.pif -> PID 1760 mshta.exe (4)
  PID 1956 thaepnern.pif -> PID 756 mshta.exe (4)
  PID 1956 thaepnern.pif -> PID 1056 mshta.exe (4)
  PID 1956 thaepnern.pif -> PID 316 mshta.exe (4)
  PID 1956 thaepnern.pif -> PID 836 mshta.exe (4)
  PID 1956 thaepnern.pif -> PID 1508 mshta.exe (4)
  PID 1956 thaepnern.pif -> PID 1976 mshta.exe (4)
  PID 1956 thaepnern.pif -> PID 1356 RegSvcs.exe (9)
  PID 1356 RegSvcs.exe -> PID 468 schtasks.exe (4)
  PID 1356 RegSvcs.exe -> PID 1748 Wservices.exe (7)
Processes
- C:\Users\Admin\AppData\Local\Temp\Parcel receipt.scr (PID 864)
  "C:\Users\Admin\AppData\Local\Temp\Parcel receipt.scr" /S
  (/S is the switch Explorer passes when a .scr file is opened directly, so this is an ordinary double-click launch of the lure.)
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif (PID 1956)
    "C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif" jvganwua.cvm
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\mshta.exe, seven instances (PIDs 1760, 756, 1056, 316, 836, 1508, 1976)
      "C:\Windows\SysWOW64\mshta.exe"
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 1356)
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (PID 468)
        schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\Wservices.exe'"
        - Creates scheduled task(s)
      - C:\Users\Admin\AppData\Local\Temp\Wservices.exe (PID 1748)
        "C:\Users\Admin\AppData\Local\Temp\Wservices.exe"
        - Executes dropped EXE
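Detection logic for the chain above, as an added example that is not part of this sandbox report or of LimeRAT: four rules (mshta.exe launched with no HTA by a parent in a user-writable directory; a .NET utility such as RegSvcs.exe started without an assembly argument, the hollowing target here; schtasks /create with /RL HIGHEST pointing into AppData or Temp; a Run value whose target sits in a user-writable path) run over constructed events modelled on the process tree and registry IoCs on this page, plus a lineage walk that ties a hit back to the original .scr. The event field names, the three benign control events, the list of .NET host binaries and the user-writable path markers are my assumptions, not a sandbox or Sysmon schema.

```python
import re
import ntpath

# Constructed sample telemetry (not from the sandbox run), shaped after the
# process tree and registry IoCs on this page. The dict fields are an
# assumption, loosely modelled on Sysmon event ID 1 (process create) and
# event ID 13 (registry value set).
SCR = r"C:\Users\Admin\AppData\Local\Temp\Parcel receipt.scr"
PIF = r"C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
MSHTA = r"C:\Windows\SysWOW64\mshta.exe"

EVENTS = [
    {"type": "process", "pid": 864, "ppid": 1200, "image": SCR,
     "cmdline": f'"{SCR}" /S', "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 1956, "ppid": 864, "image": PIF,
     "cmdline": f'"{PIF}" jvganwua.cvm', "parent_image": SCR},
    {"type": "process", "pid": 1760, "ppid": 1956, "image": MSHTA,
     "cmdline": f'"{MSHTA}"', "parent_image": PIF},
    {"type": "process", "pid": 1356, "ppid": 1956, "image": REGSVCS,
     "cmdline": f'"{REGSVCS}"', "parent_image": PIF},
    {"type": "process", "pid": 468, "ppid": 1356,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": "schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin "
                "/tr \"'C:\\Users\\Admin\\AppData\\Local\\Temp\\Wservices.exe'\"",
     "parent_image": REGSVCS},
    {"type": "registry", "pid": 1956, "image": PIF,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "data": r"C:\Users\Admin\AppData\Roaming\43486004\THAEPN~1.PIF "
             r"C:\Users\Admin\AppData\Roaming\43486004\jvganwua.cvm"},
    # Benign controls (constructed): a legitimate RegSvcs.exe run receives an
    # assembly path, a real HTA is opened from Explorer, and a vendor Run key
    # points into Program Files. None of these should fire.
    {"type": "process", "pid": 2000, "ppid": 1900, "image": REGSVCS,
     "cmdline": f'"{REGSVCS}" C:\\Build\\Component.dll',
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe"},
    {"type": "process", "pid": 2001, "ppid": 1200, "image": MSHTA,
     "cmdline": f'"{MSHTA}" C:\\Users\\Admin\\Documents\\report.hta',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "registry", "pid": 2002, "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "data": r'"C:\Program Files\Vendor\Updater.exe" /background'},
]

# .NET utilities commonly hollowed by loaders; assumed list, extend as needed.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
# Path fragments treated as user-writable (assumed, case-insensitive).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

_TOKEN = re.compile(r'"[^"]*"|\S+')


def tokens(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans whole
    and stripping surrounding double/single quotes from each token."""
    return [t.strip("\"'") for t in _TOKEN.findall(cmdline)]


def opt_value(args, flag):
    """Value following a case-insensitive switch such as /tr, or '' if absent."""
    low = [a.lower() for a in args]
    if flag in low and low.index(flag) + 1 < len(args):
        return args[low.index(flag) + 1]
    return ""


def in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def detect(events):
    """Run the four rules over process/registry events; return (rule, pid) hits."""
    hits = []
    for e in events:
        if e["type"] == "process":
            name = ntpath.basename(e["image"]).lower()
            args = tokens(e["cmdline"])[1:]          # drop the image token
            parent_user_dir = in_user_writable(e["parent_image"])
            if name == "mshta.exe" and not args and parent_user_dir:
                hits.append(("mshta_without_hta_from_user_dir", e["pid"]))
            if name in DOTNET_HOSTS and not args and parent_user_dir:
                hits.append(("dotnet_utility_without_assembly", e["pid"]))
            if name == "schtasks.exe" and "/create" in (a.lower() for a in args):
                if (opt_value(args, "/rl").lower() == "highest"
                        and in_user_writable(opt_value(args, "/tr"))):
                    hits.append(("schtasks_highest_into_user_dir", e["pid"]))
        elif e["type"] == "registry" and "\\currentversion\\run\\" in e["key"].lower():
            target = (tokens(e["data"]) or [""])[0]  # first token is the launched image
            if in_user_writable(target):
                hits.append(("run_key_into_user_dir", e["pid"]))
    return hits


def lineage(events, pid):
    """Walk ppid links back to the root; image basenames, child first."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:36} pid={pid:<5} chain={' <- '.join(lineage(EVENTS, pid))}")
```

RegSvcs.exe always takes an assembly path when run legitimately, so the no-argument form spawned from a user-writable directory is a high-signal rule on its own; the other three rules are noisier individually and are best scored together along the lineage the walk produces.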
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize 44KB (listed three times in the report)
  MD5 0e06054beb13192588e745ee63a84173
  SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
- Filesize 223.7MB
  MD5 fcdc76f4918415581833f1bcfbf8eb9a
  SHA1 9b958e2999256a447684c34d2ca0aac61e703bf0
  SHA256 a06190f5bf841a6f100f32fe41f45e97e54213556683ce7d2ff2b034cd0e3b5d
  SHA512 4be535f2bb52bdca823ed40d2f44345e2e48dfd62793d70025b604c516f8de1edc2abf9111e501cf9c9dc60077d33717e1cae8e45163396d9ee2346176d84eef
- Filesize 124KB
  MD5 85be0fce2d73ebf5319916013d3cc913
  SHA1 7a874685bf4619cfb0d6419587e6f27988710b61
  SHA256 d2bff3004f8f7e2f4718f15d2f403af932177dd18100e77645233bdbca2ef4fa
  SHA512 01b0268405bebd3d00b35302cec7092c97aa8ce9af1aa9ca291cf7281bc45ad234185a6f2f2ef3e87decf2d9e53fbfe33fe40daa271a8e7eea41eec5c005217f
- Filesize 646KB (listed five times in the report)
  MD5 d3ffbde7ea1bcb2d0a6e6e12b0306625
  SHA1 d8725bc8fdd1d5a5e7b9615dcd424bc9aa7322ff
  SHA256 59e9d4edac6322ecfa53762dfaa541b2e6d7c3b0b9c6885fd7e0c3e18a38e14d
  SHA512 70660fa375400b08610544b323dc7eb0f8258eda57822d1554f0811447a8e5fa0911e451a9a247a85a661cd5f7de8d6805e79617e62d5234bdf78e08b76b254a