Analysis Overview
SHA256
0d286ef4e3e5c8462a89727efe309b3fead46486590ab5d39f09a457060e38c6
Threat Level: Known bad
The file 0d286ef4e3e5c8462a89727efe309b3fead46486590ab5d39f09a457060e38c6 was found to be: Known bad.
Malicious Activity Summary
LimeRAT
UPX packed file
Legitimate hosting services abused for malware hosting/C2
AutoIT Executable
Suspicious use of SetThreadContext
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-29 21:36
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-29 21:36
Reported
2022-05-29 21:57
Platform
win7-20220414-en
Max time kernel
147s
Max time network
164s
Command Line
Signatures
LimeRAT
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 624 set thread context of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\0d286ef4e3e5c8462a89727efe309b3fead46486590ab5d39f09a457060e38c6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0d286ef4e3e5c8462a89727efe309b3fead46486590ab5d39f09a457060e38c6.exe
"C:\Users\Admin\AppData\Local\Temp\0d286ef4e3e5c8462a89727efe309b3fead46486590ab5d39f09a457060e38c6.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-29 21:36
Reported
2022-05-29 21:57
Platform
win10v2004-20220414-en
Max time kernel
152s
Max time network
166s
Command Line
Signatures
LimeRAT
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3184 set thread context of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\0d286ef4e3e5c8462a89727efe309b3fead46486590ab5d39f09a457060e38c6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0d286ef4e3e5c8462a89727efe309b3fead46486590ab5d39f09a457060e38c6.exe
"C:\Users\Admin\AppData\Local\Temp\0d286ef4e3e5c8462a89727efe309b3fead46486590ab5d39f09a457060e38c6.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 20.42.65.88:443 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| NL | 104.110.191.133:80 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| NL | 87.248.202.1:80 | | tcp |
Files