Analysis Overview
SHA256
01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a
Threat Level: Known bad
The file 01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a was found to be: Known bad.
Malicious Activity Summary
LimeRAT
Limerat family
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-23 18:22
Signatures
Limerat family
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-23 18:22
Reported
2022-05-23 18:24
Platform
win7-20220414-en
Max time kernel
136s
Max time network
143s
Signatures
LimeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Wservices.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\Wservices.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\Wservices.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Wservices.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Wservices.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a.exe
"C:\Users\Admin\AppData\Local\Temp\01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\Wservices.exe'"
C:\Users\Admin\AppData\Local\Temp\Wservices.exe
"C:\Users\Admin\AppData\Local\Temp\Wservices.exe"
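The schtasks line above is the whole persistence mechanism: a task named LimeRAT-Admin, fired at every logon, requested at the highest run level (for an administrator that is the full elevated token with no UAC prompt), /f so an existing task of that name is replaced without error, and a target that is a copy of the sample in the user's Temp directory. The following Python is an added example for this page, not part of the sandbox report or of any tool it names: it pulls those fields out of recorded process command lines and flags the combination. The list of user-writable directories, the two-trait threshold and the benign second sample line are constructed assumptions.

```python
"""Flag 'schtasks /create' command lines that look like persistence, such as the
LimeRAT-Admin task in this report.  Added example for this page; not part of the
sandbox report or of any tool it names."""
import re
from dataclasses import dataclass, field

# Assumption: directories an unprivileged user can write to.  A legitimate
# installer rarely registers a logon task pointing into one of these.
USER_WRITABLE_DIRS = (
    r"\appdata\local\temp",
    r"\appdata\roaming",
    r"\users\public",
    r"\programdata",
    r"\downloads",
)

# Constructed sample: the command line observed in this report (behavioral1 and
# behavioral2) plus one benign task creation for contrast.
SAMPLE_COMMAND_LINES = [
    'schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin '
    '/tr "\'C:\\Users\\Admin\\AppData\\Local\\Temp\\Wservices.exe\'"',
    'schtasks /create /sc DAILY /st 02:00 /tn NightlyBackup '
    '/tr "C:\\Program Files\\Backup\\backup.exe"',
]


@dataclass
class Finding:
    task_name: str
    target: str
    reasons: list = field(default_factory=list)


def _opt(cmd, name):
    """Value of '/name value'; accepts "..." or '...' quoting, case-insensitive."""
    m = re.search(r"(?i)/%s\s+(\"[^\"]*\"|'[^']*'|\S+)" % name, cmd)
    return m.group(1).strip("\"'") if m else None


def analyse_schtasks(cmd):
    """Return a Finding when a task creation shows two or more persistence traits."""
    if not re.search(r"(?i)\bschtasks(\.exe)?\b.*\s/create\b", cmd):
        return None
    trigger = (_opt(cmd, "sc") or "").upper()
    run_level = (_opt(cmd, "rl") or "").upper()
    finding = Finding(_opt(cmd, "tn") or "", _opt(cmd, "tr") or "")
    if trigger in ("ONLOGON", "ONSTART"):
        finding.reasons.append("fires at %s" % trigger.lower())
    if run_level == "HIGHEST":
        finding.reasons.append("runs with the highest available token, no UAC prompt")
    if re.search(r"(?i)\s/f\b", cmd):
        finding.reasons.append("/f silently overwrites any task of the same name")
    if any(d in finding.target.lower() for d in USER_WRITABLE_DIRS):
        finding.reasons.append("target binary lives in a user-writable directory")
    return finding if len(finding.reasons) >= 2 else None


def triage(command_lines):
    """Findings for every command line that crosses the threshold."""
    return [f for f in map(analyse_schtasks, command_lines) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_COMMAND_LINES):
        print(f.task_name, "->", f.target)
        for reason in f.reasons:
            print("   ", reason)
```

Run it over process-creation telemetry (Sysmon event 1 or Security 4688 command lines). The LimeRAT line trips all four traits; the nightly backup task trips none, which is the point of requiring two before reporting.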
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| CN | 121.41.57.3:8989 | | tcp |
| CN | 121.41.57.3:8989 | | tcp |
| CN | 121.41.57.3:80 | | tcp |
| CN | 121.41.57.3:8989 | | tcp |
| CN | 121.41.57.3:443 | | tcp |
Files
memory/1648-54-0x0000000000F20000-0x0000000000F2C000-memory.dmp
memory/564-55-0x0000000000000000-mapping.dmp
memory/1648-56-0x00000000755C1000-0x00000000755C3000-memory.dmp
memory/644-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Wservices.exe
| MD5 | 5b70d0093091a03dec58ec96331a3e60 |
| SHA1 | 65e9bbb4651d0137d252977d12391d3a3a7d9edc |
| SHA256 | 01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a |
| SHA512 | 4d9a87b97e57621df3337b5d1b214e30f794545dcb47ff887b7fabf7186cf395ad64c3b061ce7e7ee0d399f3358b3cb172ca23f63f4c4c09b6ee52ed406e1e24 |
The dropped Wservices.exe has the same hashes as the submitted sample: the sample copies itself into the user's Temp directory under a new name and registers that copy in the LimeRAT-Admin scheduled task, so a hash-based block on the original file also covers the persisted copy.
memory/644-62-0x0000000001070000-0x000000000107C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-23 18:22
Reported
2022-05-23 18:24
Platform
win10v2004-20220414-en
Max time kernel
138s
Max time network
87s
Signatures
LimeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Wservices.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\Wservices.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\Wservices.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Wservices.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Wservices.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a.exe
"C:\Users\Admin\AppData\Local\Temp\01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\Wservices.exe'"
C:\Users\Admin\AppData\Local\Temp\Wservices.exe
"C:\Users\Admin\AppData\Local\Temp\Wservices.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 104.80.225.205:443 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| CN | 121.41.57.3:8989 | | tcp |
| NL | 104.97.14.81:80 | | tcp |
| IE | 20.54.110.249:443 | | tcp |
| CN | 121.41.57.3:80 | | tcp |
| US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp |
| NL | 104.80.225.205:443 | storesdk.dsx.mp.microsoft.com | tcp |
| NL | 104.80.225.205:443 | storesdk.dsx.mp.microsoft.com | tcp |
| NL | 104.110.191.133:80 | | tcp |
| US | 52.168.117.170:443 | | tcp |
| CN | 121.41.57.3:8989 | | tcp |
| US | 52.152.108.96:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 40.125.122.176:443 | | tcp |
| N/A | 40.126.32.138:443 | | tcp |
| N/A | 40.125.122.176:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| NL | 20.190.160.17:443 | | tcp |
| CN | 121.41.57.3:80 | | tcp |
| N/A | 162.159.36.2:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 52.152.108.96:443 | | tcp |
| N/A | 20.190.160.14:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 40.127.240.158:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 40.127.240.158:443 | | tcp |
| N/A | 20.190.160.14:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 40.127.240.158:443 | | tcp |
| N/A | 40.127.240.158:443 | | tcp |
| N/A | 204.79.197.203:80 | | tcp |
| CN | 121.41.57.3:443 | | tcp |
| N/A | 162.159.36.2:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 40.125.122.176:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| CN | 121.41.57.3:80 | | tcp |
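The win10 detonation produces a much noisier table than the win7 one, but the sample's own contacts are the same in both: a lookup and HTTPS session to pastebin.com, then connections to 121.41.57.3 on ports 80, 443 and 8989 with no domain recorded for that address. That pattern matches the "Legitimate hosting services abused for malware hosting/C2" signature, with the paste serving as the place the C2 address is published. The following Python is an added example for this page, not part of the sandbox report or of LimeRAT itself, that reduces a table of this shape to candidate C2 indicators. The rows are copied from the table above; treating the microsoft.com lookups as OS background traffic, the resolver list, the benign-suffix list and the scoring rules are assumptions.

```python
"""Reduce a sandbox network table to candidate C2 indicators.  Added example for
this page; not part of the sandbox report or of LimeRAT itself."""
from collections import defaultdict

# Subset of rows copied from the behavioral2 network table of this report.
NETWORK_ROWS = """
| NL | 104.80.225.205:443 | storesdk.dsx.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| CN | 121.41.57.3:8989 | | tcp |
| CN | 121.41.57.3:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 40.125.122.176:443 | | tcp |
| CN | 121.41.57.3:443 | | tcp |
| N/A | 162.159.36.2:53 | | udp |
| US | 93.184.221.240:80 | | tcp |
""".strip().splitlines()

# Assumptions: resolvers and domain suffixes treated as sandbox/OS background noise,
# and the paste sites that are commonly used as a dead drop for a C2 address.
DNS_RESOLVERS = {"8.8.8.8", "162.159.36.2"}
BENIGN_SUFFIXES = (".microsoft.com", ".windows.com", ".msftconnecttest.com")
STANDARD_WEB_PORTS = {80, 443}
PASTE_SITES = {"pastebin.com"}


def parse_row(line):
    """'| CC | ip:port | domain | proto |' -> dict; the domain cell may be empty."""
    country, dest, domain, proto = (c.strip() for c in line.strip().strip("|").split("|"))
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def candidate_c2(rows):
    """Group connections by IP, drop noise, return (ip, ports, domains, reasons) tuples."""
    per_ip = defaultdict(lambda: {"ports": set(), "domains": set()})
    for r in map(parse_row, rows):
        if r["ip"] in DNS_RESOLVERS or r["domain"].endswith(BENIGN_SUFFIXES):
            continue
        per_ip[r["ip"]]["ports"].add(r["port"])
        if r["domain"]:
            per_ip[r["ip"]]["domains"].add(r["domain"])

    results = []
    for ip, e in per_ip.items():
        reasons = []
        odd_ports = e["ports"] - STANDARD_WEB_PORTS
        if odd_ports:
            reasons.append("non-standard port(s) %s" % sorted(odd_ports))
        if e["domains"] & PASTE_SITES:
            reasons.append("paste site, a common dead drop for a C2 address")
        if not e["domains"] and len(e["ports"]) > 1:
            reasons.append("bare IP contacted on several ports with no DNS name recorded")
        if reasons:
            results.append((ip, sorted(e["ports"]), sorted(e["domains"]), reasons))
    return results


if __name__ == "__main__":
    for ip, ports, domains, reasons in candidate_c2(NETWORK_ROWS):
        print(ip, ports, domains or "-")
        for reason in reasons:
            print("   ", reason)
```

Single-port HTTPS connections to unnamed addresses (the 40.x and 52.x rows) fall out because nothing about them is distinctive on its own; 121.41.57.3 survives on two counts and pastebin.com on one, which is the pair worth blocking and hunting for.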
Files
memory/1868-130-0x00000000002D0000-0x00000000002DC000-memory.dmp
memory/1868-131-0x0000000004C20000-0x0000000004CBC000-memory.dmp
memory/1868-132-0x0000000004CC0000-0x0000000004D26000-memory.dmp
memory/1868-133-0x00000000058E0000-0x0000000005E84000-memory.dmp
memory/1936-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Wservices.exe
| MD5 | 5b70d0093091a03dec58ec96331a3e60 |
| SHA1 | 65e9bbb4651d0137d252977d12391d3a3a7d9edc |
| SHA256 | 01b5f44cdf8085044c0f6b42f7cc1159d813e599deb76ed6e02c78c1833b717a |
| SHA512 | 4d9a87b97e57621df3337b5d1b214e30f794545dcb47ff887b7fabf7186cf395ad64c3b061ce7e7ee0d399f3358b3cb172ca23f63f4c4c09b6ee52ed406e1e24 |
memory/3472-135-0x0000000000000000-mapping.dmp
memory/3472-138-0x0000000006820000-0x00000000068B2000-memory.dmp