Analysis

  • max time kernel
    139s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 16:38

General

  • Target

    bf4cd2f5d664e2a8d60f411dce8359b6.exe

  • Size

    190KB

  • MD5

    bf4cd2f5d664e2a8d60f411dce8359b6

  • SHA1

    1f6dce3eaef268dc95e1c61bcda025a5f46bc5ef

  • SHA256

    57638abb65ee04cbd560abcddb83414f992551282310ed4659c74b0687027092

  • SHA512

    437bf91698dbd44fde048bcf0ea8c91c56eea0693e45a79c8079c6e5ecdc61c82ac28190dd767e87e5e047877a345ed1fc3db7a09ca45a03805877bda1396890

Malware Config

Extracted

Family

limerat

Wallets

bc1quxey9qaznc2p3yjkerld76m3ktpewnh7m5ahpt

Attributes
  • aes_key

    103010

  • antivm

    true

  • c2_url

    https://agleamoda.000webhostapp.com/link.html

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Wservices.exe

  • main_folder

    Temp

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    true

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf4cd2f5d664e2a8d60f411dce8359b6.exe
    "C:\Users\Admin\AppData\Local\Temp\bf4cd2f5d664e2a8d60f411dce8359b6.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4156
    • C:\Users\Admin\AppData\Local\Temp\3582-490\bf4cd2f5d664e2a8d60f411dce8359b6.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\bf4cd2f5d664e2a8d60f411dce8359b6.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3476
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4972
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          dw20.exe -x -s 772
          4⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:1752
      • C:\Users\Admin\AppData\Local\Temp\system.exe
        C:\Users\Admin\AppData\Local\Temp\system.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4424

Network

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Persistence

Change Default File Association

1
T1042

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

2
T1112

Scripting

1
T1064

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Collection

Data from Local System

1
T1005

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\bf4cd2f5d664e2a8d60f411dce8359b6.exe
    Filesize

    150KB

    MD5

    c6f1126376dfd5d16c1641d07234c970

    SHA1

    6f6e58134df09013d8068acec596ca7c36a86c8a

    SHA256

    a2f8edbdaac7b9bd39841e74b871486352a1c050b41fad8fb65475dd83464a2a

    SHA512

    71c222d26b08cb37b1ca9f024ead66bdf71e2c21bf1647b9fde83792896f7e4089d092728331c6566cde8b14dcd7ceab8b7c7f714233530cdfbf8b1296d7cf9c

  • C:\Users\Admin\AppData\Local\Temp\3582-490\bf4cd2f5d664e2a8d60f411dce8359b6.exe
    Filesize

    150KB

    MD5

    c6f1126376dfd5d16c1641d07234c970

    SHA1

    6f6e58134df09013d8068acec596ca7c36a86c8a

    SHA256

    a2f8edbdaac7b9bd39841e74b871486352a1c050b41fad8fb65475dd83464a2a

    SHA512

    71c222d26b08cb37b1ca9f024ead66bdf71e2c21bf1647b9fde83792896f7e4089d092728331c6566cde8b14dcd7ceab8b7c7f714233530cdfbf8b1296d7cf9c

  • C:\Users\Admin\AppData\Local\Temp\system.exe
    Filesize

    30KB

    MD5

    81bd7febd0342d8d8070c4906a560f19

    SHA1

    24e82a05b8dd6e7a5283c28c767b816d8940b4bf

    SHA256

    f96683d8cd888d9e1dd0808454ce9bb0198bde761396b40eb58d8a17b41048d1

    SHA512

    93cd1725f1738d1b1632c5f65fc6d8a17f5d25c14524db34cfe0c731947690bf9ca256d262e43275cf65a5400a5266a981796568fde76705c39996005f6af294

  • C:\Users\Admin\AppData\Local\Temp\system.exe
    Filesize

    30KB

    MD5

    81bd7febd0342d8d8070c4906a560f19

    SHA1

    24e82a05b8dd6e7a5283c28c767b816d8940b4bf

    SHA256

    f96683d8cd888d9e1dd0808454ce9bb0198bde761396b40eb58d8a17b41048d1

    SHA512

    93cd1725f1738d1b1632c5f65fc6d8a17f5d25c14524db34cfe0c731947690bf9ca256d262e43275cf65a5400a5266a981796568fde76705c39996005f6af294

  • memory/1752-136-0x0000000000000000-mapping.dmp
  • memory/3476-130-0x0000000000000000-mapping.dmp
  • memory/3476-133-0x0000000073A10000-0x0000000073FC1000-memory.dmp
    Filesize

    5.7MB

  • memory/4424-145-0x0000000006540000-0x00000000065D2000-memory.dmp
    Filesize

    584KB

  • memory/4424-143-0x0000000005150000-0x00000000051B6000-memory.dmp
    Filesize

    408KB

  • memory/4424-137-0x0000000000000000-mapping.dmp
  • memory/4424-140-0x0000000000770000-0x000000000077E000-memory.dmp
    Filesize

    56KB

  • memory/4424-141-0x0000000005040000-0x00000000050DC000-memory.dmp
    Filesize

    624KB

  • memory/4424-144-0x0000000005DF0000-0x0000000006394000-memory.dmp
    Filesize

    5.6MB

  • memory/4972-134-0x0000000000000000-mapping.dmp
  • memory/4972-142-0x0000000073A10000-0x0000000073FC1000-memory.dmp
    Filesize

    5.7MB

  • memory/4972-135-0x0000000000400000-0x000000000040E000-memory.dmp
    Filesize

    56KB