Analysis
-
max time kernel
147s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
27-05-2022 19:57
Static task
static1
Behavioral task
behavioral1
Sample
04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe
Resource
win7-20220414-en
General
-
Target
04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe
-
Size
1.4MB
-
MD5
e936a9268db132fc3b8ed65344ebf65b
-
SHA1
d08422c2de8389397020ef04941a30ec5d6d4afa
-
SHA256
04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5
-
SHA512
fb8b1607c06e852acf4efe0f64e53eee6034a508abadfd32f1c0b86f03a4b6296ef97f932191488eceeaeb4f2ac5ef7f16942eb8091b8d99f66102bb345144fa
Malware Config
Extracted
limerat
-
aes_key
1205
-
antivm
false
-
c2_url
https://pastebin.com/raw/iRjhpqQL
-
delay
3
-
download_payload
false
-
install
false
-
install_name
Wservices.exe
-
main_folder
Temp
-
pin_spread
false
-
sub_folder
\
-
usb_spread
false
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
svhost.exepid process 320 svhost.exe -
Drops startup file 1 IoCs
Processes:
04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\erttry.exe.lnk 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe -
Loads dropped DLL 1 IoCs
Processes:
04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exepid process 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exedescription pid process target process PID 960 set thread context of 320 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe svhost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 2040 timeout.exe -
NTFS ADS 1 IoCs
Processes:
cmd.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\ertyrtr\erttry.exe:Zone.Identifier cmd.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exepid process 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exesvhost.exedescription pid process Token: SeDebugPrivilege 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe Token: 33 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe Token: SeIncBasePriorityPrivilege 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe Token: SeDebugPrivilege 320 svhost.exe Token: SeDebugPrivilege 320 svhost.exe -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.execmd.exedescription pid process target process PID 960 wrote to memory of 1952 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe cmd.exe PID 960 wrote to memory of 1952 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe cmd.exe PID 960 wrote to memory of 1952 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe cmd.exe PID 960 wrote to memory of 1952 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe cmd.exe PID 960 wrote to memory of 1732 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe cmd.exe PID 960 wrote to memory of 1732 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe cmd.exe PID 960 wrote to memory of 1732 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe cmd.exe PID 960 wrote to memory of 1732 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe cmd.exe PID 960 wrote to memory of 1156 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe cmd.exe PID 960 wrote to memory of 1156 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe cmd.exe PID 960 wrote to memory of 1156 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe cmd.exe PID 960 wrote to memory of 1156 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe cmd.exe PID 960 wrote to memory of 320 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe svhost.exe PID 960 wrote to memory of 320 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe svhost.exe PID 960 wrote to memory of 320 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe svhost.exe PID 960 wrote to memory of 320 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe svhost.exe PID 960 wrote to memory of 320 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe svhost.exe PID 960 wrote to memory of 320 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe svhost.exe PID 960 wrote to memory of 320 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe svhost.exe PID 960 wrote to memory of 320 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe svhost.exe PID 960 wrote to memory of 432 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe cmd.exe PID 960 wrote to memory of 432 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe cmd.exe PID 960 wrote to memory of 432 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe cmd.exe PID 960 wrote to memory of 432 960 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe cmd.exe PID 432 wrote to memory of 2040 432 cmd.exe timeout.exe PID 432 wrote to memory of 2040 432 cmd.exe timeout.exe PID 432 wrote to memory of 2040 432 cmd.exe timeout.exe PID 432 wrote to memory of 2040 432 cmd.exe timeout.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe"C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe" "%appdata%\ertyrtr\erttry.exe" /Y2⤵PID:1952
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %appdata%\ertyrtr\erttry.exe:Zone.Identifier2⤵
- NTFS ADS
PID:1732
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ren "%appdata%\ertyrtr\erttry.exe.jpg" erttry.exe2⤵PID:1156
-
-
C:\Users\Admin\AppData\Local\Temp\svhost.exe"C:\Users\Admin\AppData\Local\Temp\svhost.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:320
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\ertyrtr\erttry.exe.bat2⤵
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\timeout.exetimeout /t 3003⤵
- Delays execution with timeout.exe
PID:2040
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
255KB
MD59af17c8393f0970ee5136bd3ffa27001
SHA14b285b72c1a11285a25f31f2597e090da6bbc049
SHA25671d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019
SHA512b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3
-
Filesize
255KB
MD59af17c8393f0970ee5136bd3ffa27001
SHA14b285b72c1a11285a25f31f2597e090da6bbc049
SHA25671d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019
SHA512b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3
-
Filesize
1.4MB
MD5e936a9268db132fc3b8ed65344ebf65b
SHA1d08422c2de8389397020ef04941a30ec5d6d4afa
SHA25604cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5
SHA512fb8b1607c06e852acf4efe0f64e53eee6034a508abadfd32f1c0b86f03a4b6296ef97f932191488eceeaeb4f2ac5ef7f16942eb8091b8d99f66102bb345144fa
-
Filesize
203B
MD589fd02ba358befbfc6a5974bf4e73d37
SHA1b337542e6424054be1f4497fafed0123a1883483
SHA25628bc0f5cf086b8646094fe7b81276f1dd13e9cf6a474dc6737261faaf2430278
SHA512d8524477ff1b831a5b1c8599094b6e74270af44a6aac64c91d5a6d07fce85580b41c9a33097fe19a7d01b067b0cabee2efb6fc1f3e6e2d85da3493dabacf1f21
-
Filesize
255KB
MD59af17c8393f0970ee5136bd3ffa27001
SHA14b285b72c1a11285a25f31f2597e090da6bbc049
SHA25671d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019
SHA512b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3