Analysis
- max time kernel: 146s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 12:33
Static task: static1
Behavioral task: behavioral1
- Sample: DOC29309.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: DOC29309.exe
- Resource: win10v2004-20220414-en
Behavioral task: behavioral3
- Sample: DOC30039.exe
- Resource: win7-20220414-en
Behavioral task: behavioral4
- Sample: DOC30039.exe
- Resource: win10v2004-20220414-en
General
- Target: DOC30039.exe
- Size: 295KB
- MD5: 60c0778625ff004c0189cb7af4634e69
- SHA1: 383d1e456c253dd108bd70d75e225d6e8d72d4ed
- SHA256: a1a937a1fc9c9b0cafc877fae326d61f3ee3d0574f04da24fa490caff6a6b7cf
- SHA512: 39b5b9762116c62ce800a175459472c3fe55e33b21673643a4e1d1623e46e55d19d94a738ed9dc558939e6af9ce0569dce921bd6e17b5e5c1d760d1cba1ed0e8
Malware Config
Extracted
limerat
1LYXfE3ZfhsvvuTfAC7kasRQD4EnwgoeJx
- aes_key: 0000000000000000
- antivm: true
- c2_url: https://pastebin.com/raw/84gGtTLk
- delay: 3
- download_payload: false
- install: false
- install_name: Wservices.exe
- main_folder: Temp
- pin_spread: false
- sub_folder: \
- usb_spread: false
Signatures
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: DOC30039.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows.exe = "\"C:\\Users\\Admin\\windows.exe.exe\""
  process: DOC30039.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: DOC30039.exe
  description: PID 1412 set thread context of 2004
  pid / process: 1412 DOC30039.exe
  target process: RegAsm.exe
- Modifies system certificate store
  Processes: RegAsm.exe
  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474
  process: RegAsm.exe
  description: Set value (data)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [certificate blob omitted]
  process: RegAsm.exe
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  Processes: DOC30039.exe
  pid / process: 1412 DOC30039.exe (20 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: DOC30039.exe, RegAsm.exe
  description: Token: SeDebugPrivilege; pid / process: 1412 DOC30039.exe
  description: Token: SeDebugPrivilege; pid / process: 2004 RegAsm.exe
  description: Token: SeDebugPrivilege; pid / process: 2004 RegAsm.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: DOC30039.exe
  description: PID 1412 wrote to memory of 2004
  pid / process: 1412 DOC30039.exe
  target process: RegAsm.exe
  (11 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\DOC30039.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\DOC30039.exe"
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (child of 1)
   Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
   - Modifies system certificate store
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1412-54-0x0000000000BD0000-0x0000000000C20000-memory.dmp (Filesize: 320KB)
- memory/1412-55-0x00000000752A1000-0x00000000752A3000-memory.dmp (Filesize: 8KB)
- memory/1412-56-0x0000000000360000-0x0000000000368000-memory.dmp (Filesize: 32KB)
- memory/1412-57-0x0000000000390000-0x00000000003B6000-memory.dmp (Filesize: 152KB)
- memory/1412-58-0x00000000003C0000-0x00000000003D6000-memory.dmp (Filesize: 88KB)
- memory/1412-59-0x0000000000700000-0x0000000000716000-memory.dmp (Filesize: 88KB)
- memory/1412-60-0x0000000000740000-0x0000000000752000-memory.dmp (Filesize: 72KB)
- memory/2004-61-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize: 48KB)
- memory/2004-62-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize: 48KB)
- memory/2004-64-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize: 48KB)
- memory/2004-65-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize: 48KB)
- memory/2004-66-0x0000000000408D2E-mapping.dmp
- memory/2004-68-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize: 48KB)
- memory/2004-70-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize: 48KB)