Analysis

- max time kernel: 151s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 30-05-2022 01:07

Static task: static1
Behavioral task: behavioral1
- Sample: 0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe
- Resource: win7-20220414-en

General

- Target: 0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe
- Size: 125KB
- MD5: cdcb8d03e87665854688fc9988bf4345
- SHA1: d749dfbf1418a8628382f9a808854eb1b36c83d0
- SHA256: 0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e
- SHA512: 6a60dbe438c55bfa99c5b4c7f9ed484d6fbc55f325551d0547355f8bb500df6025c8b4e32187f1f321fa13cce4685167f037763c9a93f92f498ddbe91b916619
Malware Config

Extracted family: limerat

- aes_key: pogiako123
- antivm: true
- c2_url: https://pastebin.com/raw/NvPAsz1f
- delay: 3
- download_payload: false
- install: true
- install_name: licenseemu.exe
- main_folder: AppData
- pin_spread: true
- sub_folder: \ tofu\ (the leading space is part of the folder name and is preserved in the install path)
- usb_spread: true

Read together with the process tree: install, main_folder, sub_folder and install_name give the drop location C:\Users\Admin\AppData\Roaming\ tofu\licenseemu.exe, and c2_url is a Pastebin raw paste from which the RAT fetches its real C2 endpoint at runtime, not the C2 host itself.
Signatures

Executes dropped EXE (2 IoCs)
Processes:
- PID 2516 licenseemu.exe
- PID 3220 licenseemu.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check (the sample can decide whether to run based on the victim's configured region).
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation by 0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe (PID 2024)
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Raised by the extracted c2_url, a Pastebin raw paste (https://pastebin.com/raw/NvPAsz1f). The paste holds the actual C2 address, so blocking or hunting on the Pastebin URL alone does not cover the endpoint the RAT ultimately connects to; the Network section of this report does not record that connection.
Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments; Disk\Enum\0 holds the device instance string of the first physical disk, where a vendor name such as VMware or VBOX gives the VM away. This is consistent with antivm: true in the extracted config.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum by licenseemu.exe
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 by licenseemu.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum by 0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 by 0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes:
- PID 3764 (0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe) set thread context of PID 2024 (0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe)
- PID 2516 (licenseemu.exe) set thread context of PID 3220 (licenseemu.exe)
Together with the WriteProcessMemory entries below, each parent spawns a second copy of its own image, writes into it and then sets its thread context: the process-hollowing pattern. The code that actually runs in PIDs 2024 and 3220 is therefore not necessarily what is on disk, and memory of those two processes is the place to dump for analysis.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The report's generic description reads "likely ransomware behaviour", but with usb_spread: true in the extracted config, drive enumeration here is better explained by LimeRAT looking for removable media to copy itself to.
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here PID 2024 runs schtasks.exe (PID 836) to register the task LimeRAT-Admin, triggered at logon (/sc ONLOGON) with the highest available run level (/RL HIGHEST), whose action is the dropped C:\Users\Admin\AppData\Roaming\ tofu\licenseemu.exe. The task name and the dropped path are the host IoCs to hunt for.
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege enabled by PID 3220 licenseemu.exe (listed twice in the report)
Suspicious use of WriteProcessMemory (20 IoCs)
Processes (the report repeats each source/target pair; the count is given in brackets):
- PID 3764 (0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe) wrote to memory of PID 2024 (0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe) [7]
- PID 2024 (0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe) wrote to memory of PID 836 (schtasks.exe) [3]
- PID 2024 (0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe) wrote to memory of PID 2516 (licenseemu.exe) [3]
- PID 2516 (licenseemu.exe) wrote to memory of PID 3220 (licenseemu.exe) [7]
The two seven-write pairs are the same pairs that appear under SetThreadContext above; the three-write pairs are plain child-process launches of schtasks.exe and licenseemu.exe.
Processes (numbers are the report's nesting levels)

1. C:\Users\Admin\AppData\Local\Temp\0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe (PID 3764)
   Command line: "C:\Users\Admin\AppData\Local\Temp\0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe (PID 2024, child of 3764)
      Command line: "C:\Users\Admin\AppData\Local\Temp\0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe"
      - Checks computer location settings
      - Maps connected drives based on registry
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\schtasks.exe (PID 836, child of 2024)
         Command line: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\ tofu\licenseemu.exe'"
         - Creates scheduled task(s)

      3. C:\Users\Admin\AppData\Roaming\ tofu\licenseemu.exe (PID 2516, child of 2024)
         Command line: "C:\Users\Admin\AppData\Roaming\ tofu\licenseemu.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\ tofu\licenseemu.exe (PID 3220, child of 2516)
            Command line: "C:\Users\Admin\AppData\Roaming\ tofu\licenseemu.exe"
            - Executes dropped EXE
            - Maps connected drives based on registry
            - Suspicious use of AdjustPrivilegeToken
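Detection logic for the two behaviours in this process tree, written for this page as an added example; it is not code from the report or from LimeRAT. It runs over constructed Sysmon-style process-creation events that mirror the PIDs and command lines above. The parent PID 4120, the chrome.exe events and the "Backup" task are invented to show what must not alert. It flags (a) a parent that spawns a second copy of its own image and also set that child's thread context (self-spawn alone is noisy, browsers do it constantly), and (b) a schtasks /create with ONLOGON, /RL HIGHEST and an action under AppData\Roaming.

```python
"""Detection logic for the host-side behaviours recorded in the report above:
(1) a parent spawning a second copy of its own image and then setting that
    child's thread context (the SetThreadContext / WriteProcessMemory pairs), and
(2) schtasks.exe creating an ONLOGON task with /RL HIGHEST whose action lives
    under AppData\\Roaming.
All events below are constructed to mirror the report's process tree; they are
not real telemetry. PID 4120, the chrome.exe events and the Backup task are
invented as benign noise."""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe")
DROPPED = r"C:\Users\Admin\AppData\Roaming\ tofu\licenseemu.exe"   # leading space is real
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"  # constructed benign image

# Constructed process-creation events (Sysmon Event ID 1 shape).
PROC_EVENTS: List[Dict] = [
    {"pid": 3764, "ppid": 4120, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2024, "ppid": 3764, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 836, "ppid": 2024, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": "schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin "
                f"/tr \"'{DROPPED}'\""},
    {"pid": 2516, "ppid": 2024, "image": DROPPED, "cmdline": f'"{DROPPED}"'},
    {"pid": 3220, "ppid": 2516, "image": DROPPED, "cmdline": f'"{DROPPED}"'},
    # Benign noise: a browser spawning its own renderer (self-spawn without
    # thread-context tampering) and a routine daily task outside AppData.
    {"pid": 5000, "ppid": 4120, "image": CHROME, "cmdline": f'"{CHROME}"'},
    {"pid": 5004, "ppid": 5000, "image": CHROME, "cmdline": f'"{CHROME}" --type=renderer'},
    {"pid": 900, "ppid": 4120, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc DAILY /tn Backup /tr "C:\Program Files\Backup\run.exe"'},
]

# Constructed (source pid, target pid) pairs mirroring the report's
# "Suspicious use of SetThreadContext" signature.
CTX_EVENTS: List[Tuple[int, int]] = [(3764, 2024), (2516, 3220)]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')                 # keeps quoted paths with spaces whole
ROAMING_RE = re.compile(r"\\appdata\\roaming\\", re.IGNORECASE)


def find_self_spawn(events: List[Dict]) -> List[Tuple[int, int]]:
    """(parent, child) pairs where the child runs the same image as its parent."""
    by_pid = {e["pid"]: e for e in events}
    pairs = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower() == e["image"].lower():
            pairs.append((parent["pid"], e["pid"]))
    return pairs


def find_hollowing(events: List[Dict], ctx_events: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Self-spawn is noisy on its own; require that the parent also set the
    child's thread context before calling the pair process hollowing."""
    ctx = set(ctx_events)
    return [pair for pair in find_self_spawn(events) if pair in ctx]


def parse_schtasks(cmdline: str) -> Optional[Dict[str, str]]:
    """Return the /sc, /rl, /tn, /tr values of a 'schtasks /create' command line,
    or None if the line is not one. Surrounding quotes are stripped from values."""
    tokens = TOKEN_RE.findall(cmdline)
    if not tokens:
        return None
    exe = tokens[0].strip('"').lower().rsplit("\\", 1)[-1]
    if exe not in ("schtasks", "schtasks.exe"):
        return None
    if not any(t.lower() == "/create" for t in tokens):
        return None
    opts: Dict[str, str] = {}
    for i, tok in enumerate(tokens[:-1]):
        key = tok.lower()
        if key in ("/sc", "/rl", "/tn", "/tr"):
            opts[key[1:]] = tokens[i + 1].strip('"').strip("'")
    return opts


def is_suspicious_task(opts: Dict[str, str]) -> bool:
    """ONLOGON trigger + highest run level + action under AppData\\Roaming."""
    return (opts.get("sc", "").upper() == "ONLOGON"
            and opts.get("rl", "").upper() == "HIGHEST"
            and ROAMING_RE.search(opts.get("tr", "")) is not None)


def find_persistence(events: List[Dict]) -> List[Dict[str, object]]:
    """Every schtasks /create event in the stream that matches the LimeRAT pattern."""
    hits = []
    for e in events:
        opts = parse_schtasks(e["cmdline"])
        if opts and is_suspicious_task(opts):
            hits.append({"pid": e["pid"], "ppid": e["ppid"],
                         "tn": opts.get("tn"), "tr": opts.get("tr")})
    return hits


if __name__ == "__main__":
    for src, dst in find_hollowing(PROC_EVENTS, CTX_EVENTS):
        print(f"hollowing: PID {src} -> PID {dst}")
    for h in find_persistence(PROC_EVENTS):
        print(f"persistence: PID {h['pid']} registered task {h['tn']} -> {h['tr']}")
```

On this input the hollowing check returns the two pairs from the report (3764 to 2024 and 2516 to 3220) and drops the chrome.exe self-spawn, and the task check returns only PID 836 with task LimeRAT-Admin and the dropped path, ignoring the DAILY task. Real Sysmon or EDR telemetry is wider than the four fields used here, but the two predicates (same-image parent and child that also shows up in a thread-context event; ONLOGON plus HIGHEST plus a user-writable action path) are the ones worth turning into rules.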
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e.exe.log
  Filesize: 617B
  MD5: 47504b42411e2c23666d08795adae488
  SHA1: 92ba780125e2fcedc6223478504aa501adf95c06
  SHA256: 4b2747d4a45ae359c415f11d2a2d9e09e6a036aad39b40e284850603b64bbc98
  SHA512: a2d33cb21ec121b9f857c81df3992da216859f5df69cc8da9edbd91eeb21f45b7ac79459d0c6bc08f09bc33684dfff62a20feddd13d5367ad717095ac85fe9c1
  A CLR v4.0 32-bit usage log, which means the sample is a .NET assembly executed under the 32-bit runtime. The report lists a second 617B entry with identical hashes; its path is not given.

- 125KB executable, listed three times in the report with no path. The hashes are exactly those of the submitted sample, consistent with the dropped licenseemu.exe being a byte-identical copy of the original.
  Filesize: 125KB
  MD5: cdcb8d03e87665854688fc9988bf4345
  SHA1: d749dfbf1418a8628382f9a808854eb1b36c83d0
  SHA256: 0c0f27f2c4435b5bcf675c56d2d716c6364435d5f2415db8e291326c14da2f9e
  SHA512: 6a60dbe438c55bfa99c5b4c7f9ed484d6fbc55f325551d0547355f8bb500df6025c8b4e32187f1f321fa13cce4685167f037763c9a93f92f498ddbe91b916619