Analysis
max time kernel: 227s
max time network: 241s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-05-2022 12:56
Static task: static1
Behavioral task: behavioral1
  Sample: Parcel receipt.scr
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Parcel receipt.scr
  Resource: win10v2004-20220414-en
General
Target: Parcel receipt.scr
Size: 928KB
MD5: cce93b0317a848c601a12f2a3c3cd14f
SHA1: 7f3bb0b8c36cbab52de216b69fe1ede97b1f6899
SHA256: 7e1aedab87d6c23e82dd24f2a1975da18d252d5646365a5776a7f3089268c946
SHA512: f2977f53388a3145fc734cc6747b58a73a879247a6ab14495d96cea7b45531579bde773f5e6f0ed76dcac68903b9467d287421045f9cf507e4be332aa1d1aa78
Malware Config
Extracted: limerat
aes_key: 123456789
antivm: false
c2_url: https://pastebin.com/raw/5cXHFyui
delay: 3
download_payload: false
install: true
install_name: Wservices.exe
main_folder: Temp
pin_spread: false
sub_folder: \
usb_spread: false
Signatures
- Disables Task Manager via registry modification
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    4884  thaepnern.pif
    3336  Wservices.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description        ioc                                                                                                   process
    Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  Parcel receipt.scr
    Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  thaepnern.pif
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description      ioc                                                                                   process
    Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run           thaepnern.pif
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\43486004\\THAEPN~1.PIF C:\\Users\\Admin\\AppData\\Roaming\\43486004\\jvganwua.cvm"  thaepnern.pif
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                           pid   process        target process
    PID 4884 set thread context of 3196   4884  thaepnern.pif  RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes:
    pid   process        entries
    4884  thaepnern.pif  14
    3196  RegSvcs.exe    4
- Suspicious use of WriteProcessMemory (35 IoCs)
  Processes:
    description                        pid   process             target process  entries
    PID 4928 wrote to memory of 4884   4928  Parcel receipt.scr  thaepnern.pif   3
    PID 4884 wrote to memory of 3476   4884  thaepnern.pif       mshta.exe       3
    PID 4884 wrote to memory of 2764   4884  thaepnern.pif       mshta.exe       3
    PID 4884 wrote to memory of 5096   4884  thaepnern.pif       mshta.exe       3
    PID 4884 wrote to memory of 1432   4884  thaepnern.pif       mshta.exe       3
    PID 4884 wrote to memory of 212    4884  thaepnern.pif       mshta.exe       3
    PID 4884 wrote to memory of 1688   4884  thaepnern.pif       mshta.exe       3
    PID 4884 wrote to memory of 3212   4884  thaepnern.pif       mshta.exe       3
    PID 4884 wrote to memory of 3196   4884  thaepnern.pif       RegSvcs.exe     5
    PID 3196 wrote to memory of 4956   3196  RegSvcs.exe         schtasks.exe    3
    PID 3196 wrote to memory of 3336   3196  RegSvcs.exe         Wservices.exe   3
Processes
[1] "C:\Users\Admin\AppData\Local\Temp\Parcel receipt.scr" /S  (PID 4928)
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    [2] "C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif" jvganwua.cvm  (PID 4884)
        - Executes dropped EXE
        - Checks computer location settings
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        [3] "C:\Windows\SysWOW64\mshta.exe"  (PID 3476)
        [3] "C:\Windows\SysWOW64\mshta.exe"  (PID 2764)
        [3] "C:\Windows\SysWOW64\mshta.exe"  (PID 5096)
        [3] "C:\Windows\SysWOW64\mshta.exe"  (PID 1432)
        [3] "C:\Windows\SysWOW64\mshta.exe"  (PID 212)
        [3] "C:\Windows\SysWOW64\mshta.exe"  (PID 1688)
        [3] "C:\Windows\SysWOW64\mshta.exe"  (PID 3212)
        [3] "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"  (PID 3196)
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\schtasks.exe: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\Wservices.exe'"  (PID 4956)
                - Creates scheduled task(s)
            [4] "C:\Users\Admin\AppData\Local\Temp\Wservices.exe"  (PID 3336)
                - Executes dropped EXE
Downloads