Analysis

max time kernel: 151s
max time network: 157s
platform: windows7_x64
resource: win7-20220414-en
submitted: 30-05-2022 01:07

Static task: static1
Behavioral task: behavioral1
Sample: 0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe
Resource: win7-20220414-en
General

Target: 0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe
Size: 125KB
MD5: cdcb8d03e87665854688fc9988bf4345
SHA1: d749dfbf1418a8628382f9a808854eb1b36c83d0
SHA256: 0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e
SHA512: 6a60dbe438c55bfa99c5b4c7f9ed484d6fbc55f325551d0547355f8bb500df6025c8b4e32187f1f321fa13cce4685167f037763c9a93f92f498ddbe91b916619
Malware Config

Extracted family: limerat

aes_key: pogiako123
antivm: true
c2_url: https://pastebin.com/raw/NvPAsz1f
delay: 3
download_payload: false
install: true
install_name: licenseemu.exe
main_folder: AppData
pin_spread: true
sub_folder: "\ tofu\" (the folder name begins with a space, which is preserved in the installed path)
usb_spread: true

Reading the configuration: install, install_name, main_folder and sub_folder together produce the persistence path C:\Users\Admin\AppData\Roaming\ tofu\licenseemu.exe that appears in the Processes section. The c2_url is not the C2 endpoint itself: LimeRAT fetches its real host:port from the Pastebin raw paste at runtime, so the Pastebin URL is a dead-drop resolver and the operator can move the C2 without touching the sample. antivm: true and usb_spread: true account for the disk-enumeration and storage-device signatures below.
Signatures

Executes dropped EXE (4 IoCs)
- PID 840   licenseemu.exe
- PID 1740  licenseemu.exe
- PID 368   licenseemu.exe
- PID 1108  licenseemu.exe

Loads dropped DLL (1 IoC)
- PID 1044  0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
The extracted c2_url is a Pastebin raw paste (https://pastebin.com/raw/NvPAsz1f). LimeRAT reads the actual C2 host:port from that paste at runtime, so the indicator to resolve and block is the address the paste returns, not only the Pastebin URL.
Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read to detect sandboxing environments: the value under Services\Disk\Enum\0 is the hardware ID of the first physical disk, which on a virtual machine usually carries the hypervisor vendor's string. This matches antivm: true in the extracted config.
- Key opened:        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum   (0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe)
- Key opened:        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum   (licenseemu.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (licenseemu.exe)
Suspicious use of SetThreadContext (2 IoCs)
- PID 1448 set thread context of PID 1044   0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe -> 0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe
- PID 840 set thread context of PID 1108    licenseemu.exe -> licenseemu.exe
In both cases the parent starts a second instance of its own image and then rewrites the child's thread context. Together with the WriteProcessMemory events below this is the process-hollowing (RunPE) pattern: the child's visible image is the dropper's own file, while the code that actually runs in it is the payload the parent wrote in.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The signature's generic description points to ransomware, but here the config sets usb_spread: true, so the drive enumeration is consistent with LimeRAT's removable-media spreading; the report records no file-encryption activity.
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. The IoC is the schtasks.exe command launched by PID 1044 (see the Processes section): an ONLOGON task named LimeRAT-Admin with run level HIGHEST whose action is C:\Users\Admin\AppData\Roaming\ tofu\licenseemu.exe.

Modifies system certificate store (2 IoCs)
- Key created:      \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474   (licenseemu.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [certificate blob omitted]   (licenseemu.exe)
The thumbprint D4DE20D05E66FC53FE1A50882C78DB2852CAE474 belongs to the Baltimore CyberTrust Root, a public root CA. A write of a public root into AuthRoot\Certificates is what Windows' automatic root-certificate update does the first time a process validates a chain ending in a root not yet cached locally (here the HTTPS fetch of the Pastebin c2_url). Read it as corroborating evidence that the sample made an outbound TLS connection, not as an attacker-installed root.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 840  licenseemu.exe (4 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege  PID 840   licenseemu.exe
- Token: SeDebugPrivilege  PID 1108  licenseemu.exe
- Token: SeDebugPrivilege  PID 1108  licenseemu.exe
Suspicious use of WriteProcessMemory (32 IoCs)
The 32 events collapse to six parent-to-child edges:
- PID 1448 wrote to memory of PID 1044  (8 events)   0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe -> 0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe
- PID 1044 wrote to memory of PID 848   (4 events)   0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe -> schtasks.exe
- PID 1044 wrote to memory of PID 840   (4 events)   0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe -> licenseemu.exe
- PID 840 wrote to memory of PID 1740   (4 events)   licenseemu.exe -> licenseemu.exe
- PID 840 wrote to memory of PID 368    (4 events)   licenseemu.exe -> licenseemu.exe
- PID 840 wrote to memory of PID 1108   (8 events)   licenseemu.exe -> licenseemu.exe
Every child the parent created received four writes, including the plain schtasks.exe launch, so that count is the baseline for process creation in this sandbox; the two edges with eight writes (1448 -> 1044 and 840 -> 1108) are the hollowed children also named in the SetThreadContext signature.
Processes

Chain: the submitted sample (PID 1448) starts and hollows a copy of itself (PID 1044); that copy registers the ONLOGON task through schtasks.exe (PID 848) and launches the installed copy licenseemu.exe (PID 840), which spawns three further instances of itself (PIDs 1740, 1108, 368) and hollows PID 1108.

C:\Users\Admin\AppData\Local\Temp\0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe   PID 1448
  command line: "C:\Users\Admin\AppData\Local\Temp\0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe   PID 1044
    command line: "C:\Users\Admin\AppData\Local\Temp\0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe"
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe   PID 848
      command line: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\ tofu\licenseemu.exe'"
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Roaming\ tofu\licenseemu.exe   PID 840
      command line: "C:\Users\Admin\AppData\Roaming\ tofu\licenseemu.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\ tofu\licenseemu.exe   PID 1740
        command line: "C:\Users\Admin\AppData\Roaming\ tofu\licenseemu.exe"
        - Executes dropped EXE

      C:\Users\Admin\AppData\Roaming\ tofu\licenseemu.exe   PID 1108
        command line: "C:\Users\Admin\AppData\Roaming\ tofu\licenseemu.exe"
        - Executes dropped EXE
        - Maps connected drives based on registry
        - Modifies system certificate store
        - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Roaming\ tofu\licenseemu.exe   PID 368
        command line: "C:\Users\Admin\AppData\Roaming\ tofu\licenseemu.exe"
        - Executes dropped EXE
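The three host-side patterns this report exposes (a process launching a second instance of its own image before hollowing it, an ONLOGON/HIGHEST scheduled task pointing into AppData, and an install folder whose name starts with a space) can be turned into detection rules over process-creation telemetry. The following is an added example written for this page, not Triage's own detection logic: it runs the rules over constructed Sysmon-style process-creation records that mirror the PIDs, image paths and command lines in the Processes section above. The parent PID 1234 of the first process and the two benign control records (notepad.exe and a daily backup task) are assumptions.

```python
"""Detection rules for the LimeRAT install chain in this report, run over
constructed Sysmon-style process-creation records (Event ID 1).

Added example, not Triage's own logic. The records mirror the report's
process tree; PPID 1234 and the two benign control records are assumptions.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe"
INSTALLED = r"C:\Users\Admin\AppData\Roaming\ tofu\licenseemu.exe"  # leading space in " tofu"
TASK_CMD = ('schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin '
            '/tr "\'C:\\Users\\Admin\\AppData\\Roaming\\ tofu\\licenseemu.exe\'"')

# Constructed event log: (pid, ppid, image, command line).
EVENTS = [
    (1448, 1234, SAMPLE, f'"{SAMPLE}"'),
    (1044, 1448, SAMPLE, f'"{SAMPLE}"'),                      # hollowed copy of itself
    (848, 1044, r"C:\Windows\SysWOW64\schtasks.exe", TASK_CMD),
    (840, 1044, INSTALLED, f'"{INSTALLED}"'),
    (1740, 840, INSTALLED, f'"{INSTALLED}"'),
    (1108, 840, INSTALLED, f'"{INSTALLED}"'),                 # hollowed copy of itself
    (368, 840, INSTALLED, f'"{INSTALLED}"'),
    # benign controls (assumed): a text editor and an ordinary daily task
    (2000, 1234, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    (2100, 1234, r"C:\Windows\System32\schtasks.exe",
     'schtasks /create /sc DAILY /tn Backup /tr "C:\\Program Files\\Backup\\backup.exe"'),
]

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\", re.I)
# A backslash directly followed or preceded by whitespace: a path component
# with a leading or trailing space, as in "\ tofu\".
ODD_COMPONENT = re.compile(r"\\\s|\s\\")


def self_spawn(ev, by_pid):
    """Parent launched a second instance of its own image from a user-writable
    path: the process-creation side of the SetThreadContext/WriteProcessMemory
    (process hollowing) pattern in the report."""
    _, ppid, image, _ = ev
    parent = by_pid.get(ppid)
    return bool(parent and parent[2].lower() == image.lower()
                and USER_WRITABLE.match(image))


def schtasks_persistence(ev):
    """schtasks /create with an ONLOGON trigger, highest run level and a task
    action located under the user's AppData directory."""
    _, _, image, cmd = ev
    if not image.lower().endswith("\\schtasks.exe"):
        return False
    low = cmd.lower()
    if "/create" not in low or "/sc onlogon" not in low or "/rl highest" not in low:
        return False
    m = re.search(r"/tr\s+(.+)$", cmd, re.I)
    target = m.group(1).strip().strip('"').strip("'") if m else ""
    return "\\appdata\\" in target.lower()


def odd_path(ev):
    """Image path or command line holds a component with a leading or trailing
    space, the sub_folder trick from the extracted config."""
    _, _, image, cmd = ev
    return bool(ODD_COMPONENT.search(image) or ODD_COMPONENT.search(cmd))


def detect(events):
    """Return {pid: sorted rule names} for every event that trips a rule."""
    by_pid = {ev[0]: ev for ev in events}
    findings = {}
    for ev in events:
        hits = []
        if self_spawn(ev, by_pid):
            hits.append("self_spawn")
        if schtasks_persistence(ev):
            hits.append("schtasks_persistence")
        if odd_path(ev):
            hits.append("odd_path")
        if hits:
            findings[ev[0]] = sorted(hits)
    return findings


if __name__ == "__main__":
    for pid, rules in sorted(detect(EVENTS).items()):
        print(pid, ", ".join(rules))
```

The self-spawn rule flags all three licenseemu.exe children of PID 840, although the report shows only PID 1108 being hollowed: process-creation telemetry alone cannot tell a hollowed child from a plain re-launch, so the rule is a candidate generator to be confirmed against thread-context or memory-write telemetry where that exists. The whitespace-component check is deliberately narrow (space adjacent to a backslash) so that ordinary paths such as C:\Program Files\ do not match.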
Network
MITRE ATT&CK Enterprise v6
Downloads

The report offers six downloadable artifacts, all with identical hashes matching the submitted sample, so the entry is listed once.

Filesize: 125KB
MD5: cdcb8d03e87665854688fc9988bf4345
SHA1: d749dfbf1418a8628382f9a808854eb1b36c83d0
SHA256: 0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e
SHA512: 6a60dbe438c55bfa99c5b4c7f9ed484d6fbc55f325551d0547355f8bb500df6025c8b4e32187f1f321fa13cce4685167f037763c9a93f92f498ddbe91b916619