Analysis Overview
SHA256
04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5
Threat Level: Known bad
The file 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5 was found to be: Known bad.
Malicious Activity Summary
LimeRAT
Executes dropped EXE
Drops startup file
Checks computer location settings
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
NTFS ADS
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-27 19:57
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-27 19:57
Reported
2022-05-27 21:03
Platform
win7-20220414-en
Max time kernel
147s
Max time network
154s
Command Line
Signatures
LimeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\erttry.exe.lnk | C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 960 set thread context of 320 | N/A | C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\ertyrtr\erttry.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe
"C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe" "%appdata%\ertyrtr\erttry.exe" /Y
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %appdata%\ertyrtr\erttry.exe:Zone.Identifier
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ren "%appdata%\ertyrtr\erttry.exe.jpg" erttry.exe
C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\ertyrtr\erttry.exe.bat
C:\Windows\SysWOW64\timeout.exe
timeout /t 300
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
Files
memory/960-54-0x0000000000ED0000-0x000000000100C000-memory.dmp
memory/960-55-0x0000000000210000-0x0000000000224000-memory.dmp
memory/960-56-0x0000000076571000-0x0000000076573000-memory.dmp
memory/1952-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\ertyrtr\erttry.exe
| MD5 | e936a9268db132fc3b8ed65344ebf65b |
| SHA1 | d08422c2de8389397020ef04941a30ec5d6d4afa |
| SHA256 | 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5 |
| SHA512 | fb8b1607c06e852acf4efe0f64e53eee6034a508abadfd32f1c0b86f03a4b6296ef97f932191488eceeaeb4f2ac5ef7f16942eb8091b8d99f66102bb345144fa |
memory/960-59-0x0000000072960000-0x0000000073CEF000-memory.dmp
memory/1732-60-0x0000000000000000-mapping.dmp
memory/1156-61-0x0000000000000000-mapping.dmp
memory/960-62-0x0000000071F50000-0x0000000072960000-memory.dmp
memory/960-63-0x0000000074560000-0x00000000746F4000-memory.dmp
\Users\Admin\AppData\Local\Temp\svhost.exe
| MD5 | 9af17c8393f0970ee5136bd3ffa27001 |
| SHA1 | 4b285b72c1a11285a25f31f2597e090da6bbc049 |
| SHA256 | 71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019 |
| SHA512 | b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3 |
memory/320-65-0x0000000000400000-0x000000000040C000-memory.dmp
memory/320-66-0x0000000000400000-0x000000000040C000-memory.dmp
memory/320-68-0x0000000000400000-0x000000000040C000-memory.dmp
memory/320-73-0x0000000000400000-0x000000000040C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svhost.exe
| MD5 | 9af17c8393f0970ee5136bd3ffa27001 |
| SHA1 | 4b285b72c1a11285a25f31f2597e090da6bbc049 |
| SHA256 | 71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019 |
| SHA512 | b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3 |
memory/320-69-0x0000000000400000-0x000000000040C000-memory.dmp
memory/320-70-0x00000000004080CE-mapping.dmp
memory/320-75-0x0000000000400000-0x000000000040C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svhost.exe
| MD5 | 9af17c8393f0970ee5136bd3ffa27001 |
| SHA1 | 4b285b72c1a11285a25f31f2597e090da6bbc049 |
| SHA256 | 71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019 |
| SHA512 | b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3 |
memory/960-77-0x0000000071230000-0x0000000071F4D000-memory.dmp
memory/432-78-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\ertyrtr\erttry.exe.bat
| MD5 | 89fd02ba358befbfc6a5974bf4e73d37 |
| SHA1 | b337542e6424054be1f4497fafed0123a1883483 |
| SHA256 | 28bc0f5cf086b8646094fe7b81276f1dd13e9cf6a474dc6737261faaf2430278 |
| SHA512 | d8524477ff1b831a5b1c8599094b6e74270af44a6aac64c91d5a6d07fce85580b41c9a33097fe19a7d01b067b0cabee2efb6fc1f3e6e2d85da3493dabacf1f21 |
memory/2040-80-0x0000000000000000-mapping.dmp
memory/960-81-0x0000000070A50000-0x0000000071230000-memory.dmp
memory/960-82-0x0000000074380000-0x0000000074551000-memory.dmp
memory/320-83-0x0000000071F50000-0x0000000072960000-memory.dmp
memory/320-84-0x0000000070A50000-0x0000000071230000-memory.dmp
memory/320-85-0x0000000074380000-0x0000000074551000-memory.dmp
memory/320-86-0x0000000072960000-0x0000000073CEF000-memory.dmp
memory/320-87-0x0000000070880000-0x00000000709A3000-memory.dmp
memory/960-88-0x0000000072960000-0x0000000073CEF000-memory.dmp
memory/960-90-0x0000000071F50000-0x0000000072960000-memory.dmp
memory/320-89-0x0000000074560000-0x00000000746F4000-memory.dmp
memory/960-91-0x0000000074380000-0x0000000074551000-memory.dmp
memory/320-92-0x0000000071230000-0x0000000071F4D000-memory.dmp
memory/960-93-0x0000000071230000-0x0000000071F4D000-memory.dmp
memory/320-95-0x0000000074240000-0x000000007433C000-memory.dmp
memory/320-96-0x000000006FFA0000-0x00000000706DE000-memory.dmp
memory/320-97-0x0000000071F50000-0x0000000072960000-memory.dmp
memory/320-98-0x0000000074380000-0x0000000074551000-memory.dmp
memory/320-99-0x0000000072960000-0x0000000073CEF000-memory.dmp
memory/320-100-0x0000000070880000-0x00000000709A3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-27 19:57
Reported
2022-05-27 21:04
Platform
win10v2004-20220414-en
Max time kernel
183s
Max time network
190s
Command Line
Signatures
LimeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\erttry.exe.lnk | C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4712 set thread context of 4152 | N/A | C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\ertyrtr\erttry.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe
"C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe" "%appdata%\ertyrtr\erttry.exe" /Y
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %appdata%\ertyrtr\erttry.exe:Zone.Identifier
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ren "%appdata%\ertyrtr\erttry.exe.jpg" erttry.exe
C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\ertyrtr\erttry.exe.bat
C:\Windows\SysWOW64\timeout.exe
timeout /t 300
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 20.189.173.14:443 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| US | 204.79.197.200:443 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
| DE | 193.161.193.99:44611 | | tcp |
Files
memory/4712-130-0x0000000000780000-0x00000000008BC000-memory.dmp
memory/4712-131-0x00000000059F0000-0x0000000005F94000-memory.dmp
memory/4712-132-0x0000000005300000-0x0000000005392000-memory.dmp
memory/4712-133-0x0000000005440000-0x00000000054DC000-memory.dmp
memory/4220-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\ertyrtr\erttry.exe
| MD5 | e936a9268db132fc3b8ed65344ebf65b |
| SHA1 | d08422c2de8389397020ef04941a30ec5d6d4afa |
| SHA256 | 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5 |
| SHA512 | fb8b1607c06e852acf4efe0f64e53eee6034a508abadfd32f1c0b86f03a4b6296ef97f932191488eceeaeb4f2ac5ef7f16942eb8091b8d99f66102bb345144fa |
memory/3532-136-0x0000000000000000-mapping.dmp
memory/2688-137-0x0000000000000000-mapping.dmp
memory/4152-138-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\svhost.exe
| MD5 | 8fdf47e0ff70c40ed3a17014aeea4232 |
| SHA1 | e6256a0159688f0560b015da4d967f41cbf8c9bd |
| SHA256 | ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82 |
| SHA512 | bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be |
C:\Users\Admin\AppData\Local\Temp\svhost.exe
| MD5 | 8fdf47e0ff70c40ed3a17014aeea4232 |
| SHA1 | e6256a0159688f0560b015da4d967f41cbf8c9bd |
| SHA256 | ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82 |
| SHA512 | bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be |
memory/4152-142-0x0000000000370000-0x000000000037C000-memory.dmp
memory/5076-143-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\ertyrtr\erttry.exe.bat
| MD5 | 89fd02ba358befbfc6a5974bf4e73d37 |
| SHA1 | b337542e6424054be1f4497fafed0123a1883483 |
| SHA256 | 28bc0f5cf086b8646094fe7b81276f1dd13e9cf6a474dc6737261faaf2430278 |
| SHA512 | d8524477ff1b831a5b1c8599094b6e74270af44a6aac64c91d5a6d07fce85580b41c9a33097fe19a7d01b067b0cabee2efb6fc1f3e6e2d85da3493dabacf1f21 |
memory/5072-145-0x0000000000000000-mapping.dmp
memory/4152-146-0x0000000004C10000-0x0000000004C76000-memory.dmp