Analysis Overview
SHA256
91963dd82de52d5f3026d723eb654ad9ecfc49622f2c97602fcd5cf05dc79ff5
Threat Level: Known bad
The file 91963dd82de52d5f3026d723eb654ad9ecfc49622f2c97602fcd5cf05dc79ff5 was found to be: Known bad.
Malicious Activity Summary
Limerat family
LimeRAT
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-21 00:11
Signatures
Limerat family
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-21 00:11
Reported
2022-05-21 00:21
Platform
win7-20220414-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
LimeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lr.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\91963dd82de52d5f3026d723eb654ad9ecfc49622f2c97602fcd5cf05dc79ff5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\91963dd82de52d5f3026d723eb654ad9ecfc49622f2c97602fcd5cf05dc79ff5.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\91963dd82de52d5f3026d723eb654ad9ecfc49622f2c97602fcd5cf05dc79ff5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\91963dd82de52d5f3026d723eb654ad9ecfc49622f2c97602fcd5cf05dc79ff5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\lr.tmp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\lr.tmp.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\lr.tmp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\lr.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\91963dd82de52d5f3026d723eb654ad9ecfc49622f2c97602fcd5cf05dc79ff5.exe
"C:\Users\Admin\AppData\Local\Temp\91963dd82de52d5f3026d723eb654ad9ecfc49622f2c97602fcd5cf05dc79ff5.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\lr.tmp.exe'"
C:\Users\Admin\AppData\Local\Temp\lr.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\lr.tmp.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
Files
memory/1624-54-0x0000000000230000-0x000000000023C000-memory.dmp
memory/1604-55-0x0000000000000000-mapping.dmp
memory/1624-56-0x0000000075C71000-0x0000000075C73000-memory.dmp
\Users\Admin\AppData\Local\Temp\lr.tmp.exe
| MD5 | f73d2a6cc30b843a528073f9e89a9474 |
| SHA1 | 138d45ae3a1a04ca532384966495605bc46a1c84 |
| SHA256 | 91963dd82de52d5f3026d723eb654ad9ecfc49622f2c97602fcd5cf05dc79ff5 |
| SHA512 | c7b7c1313c6a2aaea87469eb3bb6cdd64808cf5fc3c01ea8b6f30f01d38f16dbbd0c2663f3a7e17b27e1b4bc418564f80ed66cc7b424bbda684e6af31ee7ba17 |
memory/268-59-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\lr.tmp.exe
| MD5 | f73d2a6cc30b843a528073f9e89a9474 |
| SHA1 | 138d45ae3a1a04ca532384966495605bc46a1c84 |
| SHA256 | 91963dd82de52d5f3026d723eb654ad9ecfc49622f2c97602fcd5cf05dc79ff5 |
| SHA512 | c7b7c1313c6a2aaea87469eb3bb6cdd64808cf5fc3c01ea8b6f30f01d38f16dbbd0c2663f3a7e17b27e1b4bc418564f80ed66cc7b424bbda684e6af31ee7ba17 |
C:\Users\Admin\AppData\Local\Temp\lr.tmp.exe
| MD5 | f73d2a6cc30b843a528073f9e89a9474 |
| SHA1 | 138d45ae3a1a04ca532384966495605bc46a1c84 |
| SHA256 | 91963dd82de52d5f3026d723eb654ad9ecfc49622f2c97602fcd5cf05dc79ff5 |
| SHA512 | c7b7c1313c6a2aaea87469eb3bb6cdd64808cf5fc3c01ea8b6f30f01d38f16dbbd0c2663f3a7e17b27e1b4bc418564f80ed66cc7b424bbda684e6af31ee7ba17 |
C:\Users\Admin\AppData\Local\Temp\lr.tmp.exe
| MD5 | f73d2a6cc30b843a528073f9e89a9474 |
| SHA1 | 138d45ae3a1a04ca532384966495605bc46a1c84 |
| SHA256 | 91963dd82de52d5f3026d723eb654ad9ecfc49622f2c97602fcd5cf05dc79ff5 |
| SHA512 | c7b7c1313c6a2aaea87469eb3bb6cdd64808cf5fc3c01ea8b6f30f01d38f16dbbd0c2663f3a7e17b27e1b4bc418564f80ed66cc7b424bbda684e6af31ee7ba17 |
memory/268-62-0x0000000000D00000-0x0000000000D0C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-21 00:11
Reported
2022-05-21 00:21
Platform
win10v2004-20220414-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
LimeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lr.tmp.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\91963dd82de52d5f3026d723eb654ad9ecfc49622f2c97602fcd5cf05dc79ff5.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\lr.tmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\91963dd82de52d5f3026d723eb654ad9ecfc49622f2c97602fcd5cf05dc79ff5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\91963dd82de52d5f3026d723eb654ad9ecfc49622f2c97602fcd5cf05dc79ff5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\lr.tmp.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\lr.tmp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\lr.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\91963dd82de52d5f3026d723eb654ad9ecfc49622f2c97602fcd5cf05dc79ff5.exe
"C:\Users\Admin\AppData\Local\Temp\91963dd82de52d5f3026d723eb654ad9ecfc49622f2c97602fcd5cf05dc79ff5.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\lr.tmp.exe'"
C:\Users\Admin\AppData\Local\Temp\lr.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\lr.tmp.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| NL | 8.238.23.254:80 | tcp | |
| US | 20.189.173.6:443 | tcp | |
| NL | 8.238.23.254:80 | tcp | |
| NL | 8.238.23.254:80 | tcp | |
| NL | 8.238.23.254:80 | tcp | |
| US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
Files
memory/1708-130-0x0000000000970000-0x000000000097C000-memory.dmp
memory/1708-131-0x00000000052E0000-0x000000000537C000-memory.dmp
memory/1708-132-0x00000000053F0000-0x0000000005456000-memory.dmp
memory/1708-133-0x0000000005F90000-0x0000000006534000-memory.dmp
memory/4336-134-0x0000000000000000-mapping.dmp
memory/4208-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\lr.tmp.exe
| MD5 | f73d2a6cc30b843a528073f9e89a9474 |
| SHA1 | 138d45ae3a1a04ca532384966495605bc46a1c84 |
| SHA256 | 91963dd82de52d5f3026d723eb654ad9ecfc49622f2c97602fcd5cf05dc79ff5 |
| SHA512 | c7b7c1313c6a2aaea87469eb3bb6cdd64808cf5fc3c01ea8b6f30f01d38f16dbbd0c2663f3a7e17b27e1b4bc418564f80ed66cc7b424bbda684e6af31ee7ba17 |
C:\Users\Admin\AppData\Local\Temp\lr.tmp.exe
| MD5 | f73d2a6cc30b843a528073f9e89a9474 |
| SHA1 | 138d45ae3a1a04ca532384966495605bc46a1c84 |
| SHA256 | 91963dd82de52d5f3026d723eb654ad9ecfc49622f2c97602fcd5cf05dc79ff5 |
| SHA512 | c7b7c1313c6a2aaea87469eb3bb6cdd64808cf5fc3c01ea8b6f30f01d38f16dbbd0c2663f3a7e17b27e1b4bc418564f80ed66cc7b424bbda684e6af31ee7ba17 |