Malware Analysis Report

2024-11-16 13:10

Sample ID 220520-p6hnvsfeem
Target 790ab1b252798c464c4b472d45fbb8063e0f29008ba7273b515c14597dbfa17a
SHA256 790ab1b252798c464c4b472d45fbb8063e0f29008ba7273b515c14597dbfa17a
Tags
limerat evasion persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

790ab1b252798c464c4b472d45fbb8063e0f29008ba7273b515c14597dbfa17a

Threat Level: Known bad

The file 790ab1b252798c464c4b472d45fbb8063e0f29008ba7273b515c14597dbfa17a was found to be: Known bad.

Malicious Activity Summary

limerat evasion persistence rat

LimeRAT

Executes dropped EXE

Disables Task Manager via registry modification

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Execution chain (the same in both detonations below): the dropper, an executable with a screensaver name (Parcel receipt.scr), places a loader renamed to thaepnern.pif in %APPDATA%\43486004. Two companion files (jvganwua.cvm and ssvklbb.ppt) are created in the same directory, and the loader is started with jvganwua.cvm as its only argument. The loader registers itself under a Run value named WindowsUpdate (using the 8.3 short name THAEPN~1.PIF and passing the companion file again), starts seven mshta.exe instances without arguments, and writes repeatedly into a freshly started RegSvcs.exe before resetting its thread context; that write-then-SetThreadContext sequence into a signed .NET framework binary is consistent with process hollowing. The RegSvcs.exe process then drops Wservices.exe, registers it through schtasks.exe as a logon task named LimeRAT-Admin at the highest run level, and executes it.

Two points matter when turning this report into indicators. The loader (thaepnern.pif) and the companion files carry the same hashes in both runs, but the dropped Wservices.exe differs between the Windows 7 and Windows 10 detonations (SHA256 beginning c5d6d56d versus 2c1eeb70), so a hash of the final payload is specific to one run; the loader hash, the task name, the Run value name and the %APPDATA%\43486004 directory are the stable artifacts. No command-and-control traffic is recorded: the Windows 7 run produced no network activity, and the connections in the Windows 10 run are not attributed to any of the sample's processes.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-20 12:56

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-20 12:56

Reported

2022-05-20 13:00

Platform

win7-20220414-en

Max time kernel

97s

Max time network

45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Parcel receipt.scr" /S

Signatures

LimeRAT

rat limerat

Disables Task Manager via registry modification

evasion

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Wservices.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\43486004\\THAEPN~1.PIF C:\\Users\\Admin\\AppData\\Roaming\\43486004\\jvganwua.cvm" | C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1956 set thread context of 1356 | N/A | C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Events (identical rows in the raw output) | Indicator | Process | Target
PID 864 wrote to memory of 1956 | 4 | N/A | C:\Users\Admin\AppData\Local\Temp\Parcel receipt.scr | C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif
PID 1956 wrote to memory of 1760 | 4 | N/A | C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif | C:\Windows\SysWOW64\mshta.exe
PID 1956 wrote to memory of 756 | 4 | N/A | C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif | C:\Windows\SysWOW64\mshta.exe
PID 1956 wrote to memory of 1056 | 4 | N/A | C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif | C:\Windows\SysWOW64\mshta.exe
PID 1956 wrote to memory of 316 | 4 | N/A | C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif | C:\Windows\SysWOW64\mshta.exe
PID 1956 wrote to memory of 836 | 4 | N/A | C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif | C:\Windows\SysWOW64\mshta.exe
PID 1956 wrote to memory of 1508 | 4 | N/A | C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif | C:\Windows\SysWOW64\mshta.exe
PID 1956 wrote to memory of 1976 | 4 | N/A | C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif | C:\Windows\SysWOW64\mshta.exe
PID 1956 wrote to memory of 1356 | 9 | N/A | C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1356 wrote to memory of 468 | 4 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1356 wrote to memory of 1748 | 7 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Users\Admin\AppData\Local\Temp\Wservices.exe
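To turn the WriteProcessMemory and SetThreadContext rows into something a responder can act on, the following Python (an added example, not part of the sandbox output) parses rows in the sandbox's one-row-per-event format, rebuilds the process tree from the write graph, and flags the write-then-SetThreadContext pattern into a Windows binary that characterises process hollowing. The input is a constructed subset of the behavioral1 rows using the reported PIDs and paths. Treating each writer as the spawning parent is an assumption that holds for this report; on real telemetry check it against actual parent PIDs (for example Sysmon Event ID 1).

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Indicator rows in the sandbox's one-row-per-event format, taken from the
# behavioral1 WriteProcessMemory and SetThreadContext tables. This is a
# constructed subset (the run repeats most rows and spawns seven mshta.exe);
# the PIDs and paths are the reported ones.
INDICATORS = r"""
PID 864 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\Parcel receipt.scr C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif
PID 864 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\Parcel receipt.scr C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif
PID 1956 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif C:\Windows\SysWOW64\mshta.exe
PID 1956 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1956 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1956 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1956 set thread context of 1356 N/A C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1356 wrote to memory of 468 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 1356 wrote to memory of 1748 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Users\Admin\AppData\Local\Temp\Wservices.exe
"""

ROW_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (.+)$")
# The Process and Target columns are separated only by a space, and paths may
# themselves contain spaces ("Parcel receipt.scr"), so split at the whitespace
# that precedes a drive letter rather than at any whitespace.
COLUMN_SPLIT_RE = re.compile(r"\s+(?=[A-Za-z]:\\)")


def parse_indicators(text: str) -> Tuple[Counter, Set[Tuple[int, int]], Dict[int, str]]:
    """Return (write counts per (src, dst), SetThreadContext pairs, PID -> image path)."""
    writes: Counter = Counter()
    contexts: Set[Tuple[int, int]] = set()
    images: Dict[int, str] = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, kind, dst, rest = int(m.group(1)), m.group(2), int(m.group(3)), m.group(4)
        columns = COLUMN_SPLIT_RE.split(rest)
        if len(columns) != 2:
            raise ValueError(f"cannot split Process/Target columns in: {rest!r}")
        images.setdefault(src, columns[0])
        images.setdefault(dst, columns[1])
        if kind.startswith("wrote"):
            writes[(src, dst)] += 1
        else:
            contexts.add((src, dst))
    return writes, contexts, images


def process_tree(writes: Counter) -> Dict[int, List[int]]:
    """Parent -> children. Assumption: every writer in this report is the process
    that spawned its target, so the write graph doubles as the process tree."""
    children: Dict[int, List[int]] = defaultdict(list)
    for src, dst in writes:
        if dst not in children[src]:
            children[src].append(dst)
    return dict(children)


def roots(writes: Counter) -> List[int]:
    """PIDs that write but are never written to: the top of each tree."""
    return sorted({s for s, _ in writes} - {d for _, d in writes})


def is_system_image(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def hollowing_candidates(writes: Counter, contexts: Set[Tuple[int, int]],
                         images: Dict[int, str]) -> List[Tuple[int, int, str]]:
    """A non-system process that writes into a Windows binary it started and then
    resets that binary's thread context matches the process-hollowing sequence."""
    found = []
    for src, dst in sorted(contexts):
        if writes[(src, dst)] and is_system_image(images[dst]) and not is_system_image(images[src]):
            found.append((src, dst, images[dst].rsplit("\\", 1)[-1]))
    return found


def render_tree(children: Dict[int, List[int]], images: Dict[int, str],
                pid: int, depth: int = 0, out: Optional[List[str]] = None) -> List[str]:
    """Indented one-line-per-process view of the tree rooted at pid."""
    out = [] if out is None else out
    name = images[pid].rsplit("\\", 1)[-1]
    out.append("  " * depth + f"{name} (PID {pid})")
    for child in children.get(pid, []):
        render_tree(children, images, child, depth + 1, out)
    return out


if __name__ == "__main__":
    writes, contexts, images = parse_indicators(INDICATORS)
    tree = process_tree(writes)
    for root in roots(writes):
        print("\n".join(render_tree(tree, images, root)))
    for src, dst, name in hollowing_candidates(writes, contexts, images):
        print(f"hollowing candidate: PID {src} -> PID {dst} ({name}), {writes[(src, dst)]} writes")
```

On the subset above the tree comes out as Parcel receipt.scr > thaepnern.pif > {mshta.exe, RegSvcs.exe > {schtasks.exe, Wservices.exe}}, and the only hollowing candidate is 1956 into 1356 (RegSvcs.exe). The mshta.exe children receive writes but no SetThreadContext, so they are not flagged; the check deliberately requires both halves of the sequence.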

Processes

Process tree, with parent/child links inferred from the WriteProcessMemory events above; each process is followed by its command line.

Parcel receipt.scr (PID 864)
    "C:\Users\Admin\AppData\Local\Temp\Parcel receipt.scr" /S
    thaepnern.pif (PID 1956)
        "C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif" jvganwua.cvm
        mshta.exe (PIDs 1760, 756, 1056, 316, 836, 1508, 1976), seven instances, each started without arguments
            "C:\Windows\SysWOW64\mshta.exe"
        RegSvcs.exe (PID 1356)
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            schtasks.exe (PID 468)
                schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\Wservices.exe'"
            Wservices.exe (PID 1748)
                "C:\Users\Admin\AppData\Local\Temp\Wservices.exe"

Network

N/A

Files

memory/864-54-0x00000000755A1000-0x00000000755A3000-memory.dmp

\Users\Admin\AppData\Roaming\43486004\thaepnern.pif

MD5 d3ffbde7ea1bcb2d0a6e6e12b0306625
SHA1 d8725bc8fdd1d5a5e7b9615dcd424bc9aa7322ff
SHA256 59e9d4edac6322ecfa53762dfaa541b2e6d7c3b0b9c6885fd7e0c3e18a38e14d
SHA512 70660fa375400b08610544b323dc7eb0f8258eda57822d1554f0811447a8e5fa0911e451a9a247a85a661cd5f7de8d6805e79617e62d5234bdf78e08b76b254a

memory/1956-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif

MD5 d3ffbde7ea1bcb2d0a6e6e12b0306625
SHA1 d8725bc8fdd1d5a5e7b9615dcd424bc9aa7322ff
SHA256 59e9d4edac6322ecfa53762dfaa541b2e6d7c3b0b9c6885fd7e0c3e18a38e14d
SHA512 70660fa375400b08610544b323dc7eb0f8258eda57822d1554f0811447a8e5fa0911e451a9a247a85a661cd5f7de8d6805e79617e62d5234bdf78e08b76b254a

C:\Users\Admin\AppData\Roaming\43486004\jvganwua.cvm

MD5 fcdc76f4918415581833f1bcfbf8eb9a
SHA1 9b958e2999256a447684c34d2ca0aac61e703bf0
SHA256 a06190f5bf841a6f100f32fe41f45e97e54213556683ce7d2ff2b034cd0e3b5d
SHA512 4be535f2bb52bdca823ed40d2f44345e2e48dfd62793d70025b604c516f8de1edc2abf9111e501cf9c9dc60077d33717e1cae8e45163396d9ee2346176d84eef

C:\Users\Admin\AppData\Roaming\43486004\ssvklbb.ppt

MD5 85be0fce2d73ebf5319916013d3cc913
SHA1 7a874685bf4619cfb0d6419587e6f27988710b61
SHA256 d2bff3004f8f7e2f4718f15d2f403af932177dd18100e77645233bdbca2ef4fa
SHA512 01b0268405bebd3d00b35302cec7092c97aa8ce9af1aa9ca291cf7281bc45ad234185a6f2f2ef3e87decf2d9e53fbfe33fe40daa271a8e7eea41eec5c005217f

memory/1760-64-0x0000000000000000-mapping.dmp

memory/756-65-0x0000000000000000-mapping.dmp

memory/1056-66-0x0000000000000000-mapping.dmp

memory/316-67-0x0000000000000000-mapping.dmp

memory/836-68-0x0000000000000000-mapping.dmp

memory/1508-69-0x0000000000000000-mapping.dmp

memory/1976-70-0x0000000000000000-mapping.dmp

memory/1356-71-0x00000000002F0000-0x000000000095C000-memory.dmp

memory/1356-74-0x00000000002F8CCE-mapping.dmp

memory/1356-73-0x00000000002F0000-0x000000000095C000-memory.dmp

memory/1356-76-0x00000000002F0000-0x000000000095C000-memory.dmp

memory/1356-78-0x00000000002F0000-0x000000000095C000-memory.dmp

memory/1356-79-0x00000000002F0000-0x00000000002FC000-memory.dmp

memory/468-80-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\Wservices.exe

MD5 0e06054beb13192588e745ee63a84173
SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

C:\Users\Admin\AppData\Local\Temp\Wservices.exe

MD5 0e06054beb13192588e745ee63a84173
SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

memory/1748-83-0x0000000000000000-mapping.dmp

memory/1748-86-0x0000000000F30000-0x0000000000F3E000-memory.dmp

memory/1748-87-0x00000000003B0000-0x00000000003D0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-20 12:56

Reported

2022-05-20 13:02

Platform

win10v2004-20220414-en

Max time kernel

227s

Max time network

241s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Parcel receipt.scr" /S

Signatures

LimeRAT

rat limerat

Disables Task Manager via registry modification

evasion

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Wservices.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Parcel receipt.scr | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\43486004\\THAEPN~1.PIF C:\\Users\\Admin\\AppData\\Roaming\\43486004\\jvganwua.cvm" | C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4884 set thread context of 3196 | N/A | C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Events (identical rows in the raw output) | Indicator | Process | Target
PID 4928 wrote to memory of 4884 | 3 | N/A | C:\Users\Admin\AppData\Local\Temp\Parcel receipt.scr | C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif
PID 4884 wrote to memory of 3476 | 3 | N/A | C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif | C:\Windows\SysWOW64\mshta.exe
PID 4884 wrote to memory of 2764 | 3 | N/A | C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif | C:\Windows\SysWOW64\mshta.exe
PID 4884 wrote to memory of 5096 | 3 | N/A | C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif | C:\Windows\SysWOW64\mshta.exe
PID 4884 wrote to memory of 1432 | 3 | N/A | C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif | C:\Windows\SysWOW64\mshta.exe
PID 4884 wrote to memory of 212 | 3 | N/A | C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif | C:\Windows\SysWOW64\mshta.exe
PID 4884 wrote to memory of 1688 | 3 | N/A | C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif | C:\Windows\SysWOW64\mshta.exe
PID 4884 wrote to memory of 3212 | 3 | N/A | C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif | C:\Windows\SysWOW64\mshta.exe
PID 4884 wrote to memory of 3196 | 5 | N/A | C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3196 wrote to memory of 4956 | 3 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3196 wrote to memory of 3336 | 3 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Users\Admin\AppData\Local\Temp\Wservices.exe

Processes

Process tree, with parent/child links inferred from the WriteProcessMemory events above; each process is followed by its command line.

Parcel receipt.scr (PID 4928)
    "C:\Users\Admin\AppData\Local\Temp\Parcel receipt.scr" /S
    thaepnern.pif (PID 4884)
        "C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif" jvganwua.cvm
        mshta.exe (PIDs 3476, 2764, 5096, 1432, 212, 1688, 3212), seven instances, each started without arguments
            "C:\Windows\SysWOW64\mshta.exe"
        RegSvcs.exe (PID 3196)
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            schtasks.exe (PID 4956)
                schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\Wservices.exe'"
            Wservices.exe (PID 3336)
                "C:\Users\Admin\AppData\Local\Temp\Wservices.exe"

Network

Country | Destination | Domain | Proto
IE | 20.50.73.9:443 | N/A | tcp
BE | 8.238.110.126:80 | N/A | tcp
US | 204.79.197.203:80 | N/A | tcp
BE | 8.238.110.126:80 | N/A | tcp
US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp

None of these connections is attributed to one of the sample's processes in this report, and no command-and-control endpoint was observed in either run. The UDP entry is a reverse (PTR) lookup of 52.242.101.226 sent to Google's public resolver.

Files

memory/4884-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif

MD5 d3ffbde7ea1bcb2d0a6e6e12b0306625
SHA1 d8725bc8fdd1d5a5e7b9615dcd424bc9aa7322ff
SHA256 59e9d4edac6322ecfa53762dfaa541b2e6d7c3b0b9c6885fd7e0c3e18a38e14d
SHA512 70660fa375400b08610544b323dc7eb0f8258eda57822d1554f0811447a8e5fa0911e451a9a247a85a661cd5f7de8d6805e79617e62d5234bdf78e08b76b254a

C:\Users\Admin\AppData\Roaming\43486004\jvganwua.cvm

MD5 fcdc76f4918415581833f1bcfbf8eb9a
SHA1 9b958e2999256a447684c34d2ca0aac61e703bf0
SHA256 a06190f5bf841a6f100f32fe41f45e97e54213556683ce7d2ff2b034cd0e3b5d
SHA512 4be535f2bb52bdca823ed40d2f44345e2e48dfd62793d70025b604c516f8de1edc2abf9111e501cf9c9dc60077d33717e1cae8e45163396d9ee2346176d84eef

C:\Users\Admin\AppData\Roaming\43486004\ssvklbb.ppt

MD5 85be0fce2d73ebf5319916013d3cc913
SHA1 7a874685bf4619cfb0d6419587e6f27988710b61
SHA256 d2bff3004f8f7e2f4718f15d2f403af932177dd18100e77645233bdbca2ef4fa
SHA512 01b0268405bebd3d00b35302cec7092c97aa8ce9af1aa9ca291cf7281bc45ad234185a6f2f2ef3e87decf2d9e53fbfe33fe40daa271a8e7eea41eec5c005217f

memory/3476-135-0x0000000000000000-mapping.dmp

memory/2764-136-0x0000000000000000-mapping.dmp

memory/5096-137-0x0000000000000000-mapping.dmp

memory/1432-138-0x0000000000000000-mapping.dmp

memory/212-139-0x0000000000000000-mapping.dmp

memory/1688-140-0x0000000000000000-mapping.dmp

memory/3212-141-0x0000000000000000-mapping.dmp

memory/3196-142-0x0000000001100000-0x00000000016A8000-memory.dmp

memory/3196-143-0x0000000001108CCE-mapping.dmp

memory/3196-144-0x0000000001100000-0x000000000110C000-memory.dmp

memory/3196-145-0x0000000005E50000-0x0000000005EEC000-memory.dmp

memory/3196-146-0x0000000005EF0000-0x0000000005F56000-memory.dmp

memory/3196-147-0x0000000006A50000-0x0000000006FF4000-memory.dmp

memory/4956-148-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Wservices.exe

MD5 9d352bc46709f0cb5ec974633a0c3c94
SHA1 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

memory/3336-149-0x0000000000000000-mapping.dmp

memory/3336-153-0x00000000053D0000-0x000000000540C000-memory.dmp

memory/3336-152-0x0000000000C10000-0x0000000000C1E000-memory.dmp
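The Files sections of the two runs list the same loader under two path spellings and, more importantly, show Wservices.exe with a different hash in each run. The following Python, added by the editor and not part of the sandbox report, parses entries in the Files layout (a path line followed by one hash per line), collapses path spellings, validates digest lengths, and reports which paths have unstable content across runs and which SHA256 values are worth blocking. The sample input is copied from the report above for the loader, its companion file and the payload, with the SHA512 lines left out for length; the run names are arbitrary labels.

```python
import re
from typing import Dict, List, Set

# File entries in the layout of the Files sections: a path line followed by one
# hash per line. Copied from the report for both runs (SHA512 lines omitted for
# length; the parser accepts them). The memory/ line shows the parser skipping
# memory-dump entries.
BEHAVIORAL1_FILES = r"""
\Users\Admin\AppData\Roaming\43486004\thaepnern.pif

MD5 d3ffbde7ea1bcb2d0a6e6e12b0306625
SHA1 d8725bc8fdd1d5a5e7b9615dcd424bc9aa7322ff
SHA256 59e9d4edac6322ecfa53762dfaa541b2e6d7c3b0b9c6885fd7e0c3e18a38e14d

memory/1956-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif

MD5 d3ffbde7ea1bcb2d0a6e6e12b0306625
SHA1 d8725bc8fdd1d5a5e7b9615dcd424bc9aa7322ff
SHA256 59e9d4edac6322ecfa53762dfaa541b2e6d7c3b0b9c6885fd7e0c3e18a38e14d

C:\Users\Admin\AppData\Roaming\43486004\jvganwua.cvm

MD5 fcdc76f4918415581833f1bcfbf8eb9a
SHA1 9b958e2999256a447684c34d2ca0aac61e703bf0
SHA256 a06190f5bf841a6f100f32fe41f45e97e54213556683ce7d2ff2b034cd0e3b5d

C:\Users\Admin\AppData\Local\Temp\Wservices.exe

MD5 0e06054beb13192588e745ee63a84173
SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
"""

BEHAVIORAL2_FILES = r"""
C:\Users\Admin\AppData\Roaming\43486004\thaepnern.pif

MD5 d3ffbde7ea1bcb2d0a6e6e12b0306625
SHA1 d8725bc8fdd1d5a5e7b9615dcd424bc9aa7322ff
SHA256 59e9d4edac6322ecfa53762dfaa541b2e6d7c3b0b9c6885fd7e0c3e18a38e14d

C:\Users\Admin\AppData\Local\Temp\Wservices.exe

MD5 9d352bc46709f0cb5ec974633a0c3c94
SHA1 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
"""

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\")  # "\Users\..." or "C:\Users\..."

FileTable = Dict[str, Dict[str, Set[str]]]  # path -> algorithm -> digests seen


def normalise(path: str) -> str:
    """Drop the drive letter and fold case so both spellings of one file collapse."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def parse_files(text: str) -> FileTable:
    table: FileTable = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = normalise(line)
            table.setdefault(current, {})
            continue
        m = HASH_RE.match(line)
        if m is None:
            if line.startswith("memory/"):
                current = None  # memory-dump entries carry no hashes
            continue
        if current is None:
            raise ValueError(f"hash line without a preceding path: {line!r}")
        algo, digest = m.group(1), m.group(2).lower()
        if len(digest) != DIGEST_LEN[algo]:
            raise ValueError(f"{algo} digest has {len(digest)} hex chars, expected {DIGEST_LEN[algo]}")
        table[current].setdefault(algo, set()).add(digest)
    return table


def sha256_by_run(runs: Dict[str, FileTable]) -> Dict[str, Dict[str, Set[str]]]:
    """path -> run name -> SHA256 digests recorded for that path in that run."""
    out: Dict[str, Dict[str, Set[str]]] = {}
    for run, table in runs.items():
        for path, algos in table.items():
            out.setdefault(path, {})[run] = set(algos.get("SHA256", set()))
    return out


def unstable_paths(runs: Dict[str, FileTable]) -> List[str]:
    """Paths whose content differs between or within runs: a hash-only IOC for
    these will miss the next detonation, so block on path and behaviour instead."""
    result = []
    for path, per_run in sha256_by_run(runs).items():
        if len(set().union(*per_run.values())) > 1:
            result.append(path)
    return sorted(result)


def ioc_sha256(runs: Dict[str, FileTable]) -> List[str]:
    """Every distinct SHA256 across all runs, for a blocklist."""
    digests: Set[str] = set()
    for per_run in sha256_by_run(runs).values():
        for seen in per_run.values():
            digests |= seen
    return sorted(digests)


if __name__ == "__main__":
    runs = {"behavioral1": parse_files(BEHAVIORAL1_FILES),
            "behavioral2": parse_files(BEHAVIORAL2_FILES)}
    for path, per_run in sha256_by_run(runs).items():
        print(path, {r: sorted(d) for r, d in per_run.items()})
    print("unstable:", unstable_paths(runs))
    print("sha256 IOCs:", ioc_sha256(runs))
```

Run against the report's own data this yields one unstable path, \users\admin\appdata\local\temp\wservices.exe, and four distinct SHA256 values (loader, companion file, and one payload build per run). The length check on digests catches the common copy-and-paste failure where a hash loses its last characters in a ticket or a blocklist.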