Analysis

  • max time kernel
    183s
  • max time network
    190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    27-05-2022 19:57

General

  • Target

    04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe

  • Size

    1.4MB

  • MD5

    e936a9268db132fc3b8ed65344ebf65b

  • SHA1

    d08422c2de8389397020ef04941a30ec5d6d4afa

  • SHA256

    04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5

  • SHA512

    fb8b1607c06e852acf4efe0f64e53eee6034a508abadfd32f1c0b86f03a4b6296ef97f932191488eceeaeb4f2ac5ef7f16942eb8091b8d99f66102bb345144fa

Score
10/10

Malware Config

Extracted

Family

limerat

Attributes
  • aes_key

    1205

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/iRjhpqQL

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Wservices.exe

  • main_folder

    Temp

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    false

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe
    "C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4712
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe" "%appdata%\ertyrtr\erttry.exe" /Y
      2⤵
      PID:4220
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %appdata%\ertyrtr\erttry.exe:Zone.Identifier
      2⤵
      • NTFS ADS
      PID:3532
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ren "%appdata%\ertyrtr\erttry.exe.jpg" erttry.exe
      2⤵
      PID:2688
    • C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4152
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\ertyrtr\erttry.exe.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5076
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 300
        3⤵
        • Delays execution with timeout.exe
        PID:5072

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\svhost.exe

    Filesize

    256KB

    MD5

    8fdf47e0ff70c40ed3a17014aeea4232

    SHA1

    e6256a0159688f0560b015da4d967f41cbf8c9bd

    SHA256

    ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

    SHA512

    bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

  • C:\Users\Admin\AppData\Roaming\ertyrtr\erttry.exe

    Filesize

    1.4MB

    MD5

    e936a9268db132fc3b8ed65344ebf65b

    SHA1

    d08422c2de8389397020ef04941a30ec5d6d4afa

    SHA256

    04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5

    SHA512

    fb8b1607c06e852acf4efe0f64e53eee6034a508abadfd32f1c0b86f03a4b6296ef97f932191488eceeaeb4f2ac5ef7f16942eb8091b8d99f66102bb345144fa

  • C:\Users\Admin\AppData\Roaming\ertyrtr\erttry.exe.bat

    Filesize

    203B

    MD5

    89fd02ba358befbfc6a5974bf4e73d37

    SHA1

    b337542e6424054be1f4497fafed0123a1883483

    SHA256

    28bc0f5cf086b8646094fe7b81276f1dd13e9cf6a474dc6737261faaf2430278

    SHA512

    d8524477ff1b831a5b1c8599094b6e74270af44a6aac64c91d5a6d07fce85580b41c9a33097fe19a7d01b067b0cabee2efb6fc1f3e6e2d85da3493dabacf1f21

  • memory/2688-137-0x0000000000000000-mapping.dmp

  • memory/3532-136-0x0000000000000000-mapping.dmp

  • memory/4152-146-0x0000000004C10000-0x0000000004C76000-memory.dmp

    Filesize

    408KB

  • memory/4152-142-0x0000000000370000-0x000000000037C000-memory.dmp

    Filesize

    48KB

  • memory/4152-138-0x0000000000000000-mapping.dmp

  • memory/4220-134-0x0000000000000000-mapping.dmp

  • memory/4712-130-0x0000000000780000-0x00000000008BC000-memory.dmp

    Filesize

    1.2MB

  • memory/4712-133-0x0000000005440000-0x00000000054DC000-memory.dmp

    Filesize

    624KB

  • memory/4712-132-0x0000000005300000-0x0000000005392000-memory.dmp

    Filesize

    584KB

  • memory/4712-131-0x00000000059F0000-0x0000000005F94000-memory.dmp

    Filesize

    5.6MB

  • memory/5072-145-0x0000000000000000-mapping.dmp

  • memory/5076-143-0x0000000000000000-mapping.dmp