Malware Analysis Report

2024-11-16 13:10

Sample ID: 220523-wz2aysdhfl
Target: 01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a
SHA256: 01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a
Tags: limerat, rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a

Threat Level: Known bad

The file 01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a was found to be: Known bad.

Malicious Activity Summary

limerat rat

LimeRAT

Limerat family

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Maps connected drives based on registry

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-05-23 18:22

Signatures

Limerat family

limerat

Analysis: behavioral1

Detonation Overview

Submitted: 2022-05-23 18:22
Reported: 2022-05-23 18:24
Platform: win7-20220414-en
Max time kernel: 136s
Max time network: 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a.exe"

Signatures

LimeRAT

rat limerat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Wservices.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\Wservices.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\Wservices.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Wservices.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Wservices.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1648 wrote to memory of 564 | N/A | C:\Users\Admin\AppData\Local\Temp\01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1648 wrote to memory of 564 | N/A | C:\Users\Admin\AppData\Local\Temp\01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1648 wrote to memory of 564 | N/A | C:\Users\Admin\AppData\Local\Temp\01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1648 wrote to memory of 564 | N/A | C:\Users\Admin\AppData\Local\Temp\01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1648 wrote to memory of 644 | N/A | C:\Users\Admin\AppData\Local\Temp\01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a.exe | C:\Users\Admin\AppData\Local\Temp\Wservices.exe
PID 1648 wrote to memory of 644 | N/A | C:\Users\Admin\AppData\Local\Temp\01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a.exe | C:\Users\Admin\AppData\Local\Temp\Wservices.exe
PID 1648 wrote to memory of 644 | N/A | C:\Users\Admin\AppData\Local\Temp\01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a.exe | C:\Users\Admin\AppData\Local\Temp\Wservices.exe
PID 1648 wrote to memory of 644 | N/A | C:\Users\Admin\AppData\Local\Temp\01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a.exe | C:\Users\Admin\AppData\Local\Temp\Wservices.exe

Processes

C:\Users\Admin\AppData\Local\Temp\01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a.exe

"C:\Users\Admin\AppData\Local\Temp\01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\Wservices.exe'"

C:\Users\Admin\AppData\Local\Temp\Wservices.exe

"C:\Users\Admin\AppData\Local\Temp\Wservices.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | pastebin.com | udp
US | 104.20.68.143:443 | pastebin.com | tcp
CN | 121.41.57.3:8989 | N/A | tcp
CN | 121.41.57.3:8989 | N/A | tcp
CN | 121.41.57.3:80 | N/A | tcp
CN | 121.41.57.3:8989 | N/A | tcp
CN | 121.41.57.3:443 | N/A | tcp

Files

memory/1648-54-0x0000000000F20000-0x0000000000F2C000-memory.dmp

memory/564-55-0x0000000000000000-mapping.dmp

memory/1648-56-0x00000000755C1000-0x00000000755C3000-memory.dmp

memory/644-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Wservices.exe

MD5 5b70d0093091a03dec58ec96331a3e60
SHA1 65e9bbb4651d0137d252977d12391d3a3a7d9edc
SHA256 01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a
SHA512 4d9a87b97e57621df3337b5d1b214e30f794545dcb47ff887b7fabf7186cf395ad64c3b061ce7e7ee0d399f3358b3cb172ca23f63f4c4c09b6ee52ed406e1e24

\Users\Admin\AppData\Local\Temp\Wservices.exe

MD5 5b70d0093091a03dec58ec96331a3e60
SHA1 65e9bbb4651d0137d252977d12391d3a3a7d9edc
SHA256 01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a
SHA512 4d9a87b97e57621df3337b5d1b214e30f794545dcb47ff887b7fabf7186cf395ad64c3b061ce7e7ee0d399f3358b3cb172ca23f63f4c4c09b6ee52ed406e1e24

memory/644-62-0x0000000001070000-0x000000000107C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-05-23 18:22
Reported: 2022-05-23 18:24
Platform: win10v2004-20220414-en
Max time kernel: 138s
Max time network: 87s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a.exe"

Signatures

LimeRAT

rat limerat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Wservices.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\Wservices.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\Wservices.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Wservices.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Wservices.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a.exe

"C:\Users\Admin\AppData\Local\Temp\01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\Wservices.exe'"

C:\Users\Admin\AppData\Local\Temp\Wservices.exe

"C:\Users\Admin\AppData\Local\Temp\Wservices.exe"

Network


Files

memory/1868-130-0x00000000002D0000-0x00000000002DC000-memory.dmp

memory/1868-131-0x0000000004C20000-0x0000000004CBC000-memory.dmp

memory/1868-132-0x0000000004CC0000-0x0000000004D26000-memory.dmp

memory/1868-133-0x00000000058E0000-0x0000000005E84000-memory.dmp

memory/1936-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Wservices.exe

MD5 5b70d0093091a03dec58ec96331a3e60
SHA1 65e9bbb4651d0137d252977d12391d3a3a7d9edc
SHA256 01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a
SHA512 4d9a87b97e57621df3337b5d1b214e30f794545dcb47ff887b7fabf7186cf395ad64c3b061ce7e7ee0d399f3358b3cb172ca23f63f4c4c09b6ee52ed406e1e24

memory/3472-135-0x0000000000000000-mapping.dmp

memory/3472-138-0x0000000006820000-0x00000000068B2000-memory.dmp