Analysis
- max time kernel: 170s
- max time network: 196s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 27-05-2022 23:50

Tasks
- Static task: static1 (0 signatures, 0 seconds)
- Behavioral task: behavioral1
  Sample: 03a3bd2bd48400c35d8b458d9045cd113bbda03d9bd1a41fecae8177ee71aaf4.exe
  Resource: win7-20220414-en
General
- Target: 03a3bd2bd48400c35d8b458d9045cd113bbda03d9bd1a41fecae8177ee71aaf4.exe
- Size: 565KB
- MD5: aae45fe858ee508a8787bff9f58cb847
- SHA1: 943994afdd05db0aef81cb466bb239db37e009d5
- SHA256: 03a3bd2bd48400c35d8b458d9045cd113bbda03d9bd1a41fecae8177ee71aaf4
- SHA512: b31ed56820062c91351014ffbffb676f9f93026d094e5e96ec7546a458bf9ef0f87f7d6d572613065b594a8dd2d75c1d44a2d4be808b08de6071c2048438e02d
Malware Config
Extracted
- Family: limerat
- Wallets: 359Z6KxMenwvgkA7vpGeBtinJPTj5raZz8
- Attributes:
  - aes_key: arglobal
  - antivm: false
  - c2_url: https://pastebin.com/raw/CV5RHE9G
  - delay: 3
  - download_payload: false
  - install: false
  - install_name: Wservices.exe
  - main_folder: Temp
  - pin_spread: false
  - sub_folder: \
  - usb_spread: false
Signatures
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description: PID 1720 set thread context of 4860 | pid: 1720 | process: 03a3bd2bd48400c35d8b458d9045cd113bbda03d9bd1a41fecae8177ee71aaf4.exe | target process: RegAsm.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid: 1720 | process: 03a3bd2bd48400c35d8b458d9045cd113bbda03d9bd1a41fecae8177ee71aaf4.exe
    pid: 1720 | process: 03a3bd2bd48400c35d8b458d9045cd113bbda03d9bd1a41fecae8177ee71aaf4.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description: Token: SeDebugPrivilege | pid: 1720 | process: 03a3bd2bd48400c35d8b458d9045cd113bbda03d9bd1a41fecae8177ee71aaf4.exe
    description: Token: SeDebugPrivilege | pid: 4860 | process: RegAsm.exe
    description: Token: SeDebugPrivilege | pid: 4860 | process: RegAsm.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    description: PID 1720 wrote to memory of 4860 | pid: 1720 | process: 03a3bd2bd48400c35d8b458d9045cd113bbda03d9bd1a41fecae8177ee71aaf4.exe | target process: RegAsm.exe
    (the same entry is recorded 7 times: PID 1720 wrote to memory of 4860, 03a3bd2bd48400c35d8b458d9045cd113bbda03d9bd1a41fecae8177ee71aaf4.exe -> RegAsm.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\03a3bd2bd48400c35d8b458d9045cd113bbda03d9bd1a41fecae8177ee71aaf4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\03a3bd2bd48400c35d8b458d9045cd113bbda03d9bd1a41fecae8177ee71aaf4.exe"
   PID: 1720
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (child of PID 1720)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID: 4860
      - Suspicious use of AdjustPrivilegeToken