Analysis Overview
SHA256
067eb1294e4dd4b17b802236519c2147a4f3ba91cdcadd45a9bf8b3f6e2b742c
Threat Level: Known bad
The file 067eb1294e4dd4b17b802236519c2147a4f3ba91cdcadd45a9bf8b3f6e2b742c was found to be: Known bad.
Malicious Activity Summary
LimeRAT
Executes dropped EXE
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-31 05:52
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-31 05:52
Reported
2022-05-31 07:57
Platform
win7-20220414-en
Max time kernel
144s
Max time network
152s
Command Line
Signatures
LimeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1986620950\1986620950.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\067eb1294e4dd4b17b802236519c2147a4f3ba91cdcadd45a9bf8b3f6e2b742c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\067eb1294e4dd4b17b802236519c2147a4f3ba91cdcadd45a9bf8b3f6e2b742c.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1986620950\1986620950.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1986620950\1986620950.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\067eb1294e4dd4b17b802236519c2147a4f3ba91cdcadd45a9bf8b3f6e2b742c.exe
"C:\Users\Admin\AppData\Local\Temp\067eb1294e4dd4b17b802236519c2147a4f3ba91cdcadd45a9bf8b3f6e2b742c.exe"
C:\Windows\system32\cmd.exe
cmd.exe /c echo.
C:\Windows\system32\cmd.exe
cmd.exe /c exec.bat
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File ".\bits.ps1"
C:\Users\Admin\AppData\Local\Temp\1986620950\1986620950.exe
"C:\Users\Admin\AppData\Local\Temp\1986620950\1986620950.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| FR | 141.255.158.51:1177 | | tcp |
| FR | 141.255.158.51:1177 | | tcp |
| FR | 141.255.158.51:1177 | | tcp |
| FR | 141.255.158.51:1177 | | tcp |
| FR | 141.255.158.51:1177 | | tcp |
Files
memory/1932-54-0x000007FEFB751000-0x000007FEFB753000-memory.dmp
memory/1144-55-0x0000000000000000-mapping.dmp
memory/2040-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\exec.bat
| MD5 | 368e0f2c003376d3bdae1c71dd85ec70 |
| SHA1 | e5fa7b58cad7f5df6e3a7c2abeec16365ae17827 |
| SHA256 | 84ab0b7013c706781f6839235d7d59cfad0874e4cc415aeaa4bf86a8dd99b0d9 |
| SHA512 | e3e2c9035fca632d04fd411c394301598e6b964d2ebd79db4fcf19816dd876ed23c51831382202d8f5335a0e4a8721d683c377bb1706e4faa4001387f843d553 |
memory/1996-58-0x0000000000000000-mapping.dmp
memory/1996-60-0x000007FEF3230000-0x000007FEF3C53000-memory.dmp
memory/1996-61-0x000007FEF26D0000-0x000007FEF322D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bits.ps1
| MD5 | 8d4fc7d9b7f9ae031db6ac350af49861 |
| SHA1 | a57c563cc8406ef2ea4a8ad94972f039f053026e |
| SHA256 | 3637dfa2d64efeaf36903e17bacd8f832dee3e6d12e3414fd55fed4311498796 |
| SHA512 | 900e577c29f2976604805420ffd2fad6848657ba408e61dd8883bee55146ce229728527ebdbad2cf12b30b81232345e03761d02f1f0e2301de4de5154d2f6e87 |
memory/1996-63-0x000007FEF3C60000-0x000007FEF4B3C000-memory.dmp
memory/1996-64-0x000007FEF3230000-0x000007FEF3C53000-memory.dmp
memory/1996-66-0x00000000027F4000-0x00000000027F7000-memory.dmp
memory/1996-65-0x000007FEF6350000-0x000007FEF6402000-memory.dmp
memory/1996-67-0x000007FEF26D0000-0x000007FEF322D000-memory.dmp
memory/1996-68-0x000007FEF62E0000-0x000007FEF6349000-memory.dmp
memory/1996-69-0x000007FEFA840000-0x000007FEFA872000-memory.dmp
memory/1996-70-0x000007FEF6110000-0x000007FEF61BA000-memory.dmp
memory/1996-71-0x000007FEF6020000-0x000007FEF6105000-memory.dmp
memory/1996-73-0x000007FEF5930000-0x000007FEF5B46000-memory.dmp
memory/904-72-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1986620950\1986620950.exe
| MD5 | b799e179c6512cdea8fc1b60f3ea68e7 |
| SHA1 | fd011070db46a5ba428d467b7a1596c186ea7b69 |
| SHA256 | 182c2b7af53fe809c7b3bd3ea738108e20984e9bc982eb183c8311c5dd49640e |
| SHA512 | a2301141126dc823b12485337834435dfb526bf339a8712d3ec1aab58e887092dec891eb5cca49aab0b487793d57ca8b3299f7350e31f1e7eba9e67ad0db5c33 |
memory/1996-75-0x000007FEF5F00000-0x000007FEF6018000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1986620950\1986620950.exe
| MD5 | b799e179c6512cdea8fc1b60f3ea68e7 |
| SHA1 | fd011070db46a5ba428d467b7a1596c186ea7b69 |
| SHA256 | 182c2b7af53fe809c7b3bd3ea738108e20984e9bc982eb183c8311c5dd49640e |
| SHA512 | a2301141126dc823b12485337834435dfb526bf339a8712d3ec1aab58e887092dec891eb5cca49aab0b487793d57ca8b3299f7350e31f1e7eba9e67ad0db5c33 |
memory/1996-76-0x000007FEF5B50000-0x000007FEF5E7E000-memory.dmp
memory/1996-79-0x000007FEF3230000-0x000007FEF3C53000-memory.dmp
memory/1996-78-0x000007FEF62A0000-0x000007FEF62DE000-memory.dmp
memory/1996-80-0x000007FEF6350000-0x000007FEF6402000-memory.dmp
memory/1996-81-0x000007FEF26D0000-0x000007FEF322D000-memory.dmp
memory/904-82-0x00000000757C1000-0x00000000757C3000-memory.dmp
memory/1996-83-0x000007FEF5930000-0x000007FEF5B46000-memory.dmp
memory/1996-84-0x000007FEF5630000-0x000007FEF579C000-memory.dmp
memory/1996-85-0x000007FEF1E80000-0x000007FEF2015000-memory.dmp
memory/1996-86-0x000007FEF2020000-0x000007FEF26C5000-memory.dmp
memory/1996-87-0x00000000027FB000-0x000000000281A000-memory.dmp
memory/1996-88-0x000007FEEE7B0000-0x000007FEEEFFB000-memory.dmp
memory/1996-89-0x000007FEF3C60000-0x000007FEF4B3C000-memory.dmp
memory/904-90-0x0000000073D10000-0x00000000742BB000-memory.dmp
memory/904-91-0x0000000072820000-0x0000000073318000-memory.dmp
memory/904-92-0x0000000072080000-0x000000007281C000-memory.dmp
memory/904-93-0x00000000739E0000-0x0000000073B7B000-memory.dmp
memory/904-94-0x0000000074640000-0x0000000074744000-memory.dmp
memory/904-95-0x0000000073850000-0x00000000739D8000-memory.dmp
memory/904-96-0x00000000714A0000-0x000000007207E000-memory.dmp
memory/904-97-0x0000000073750000-0x0000000073841000-memory.dmp
memory/904-98-0x0000000070F60000-0x0000000071496000-memory.dmp
memory/904-99-0x0000000073D10000-0x00000000742BB000-memory.dmp
memory/904-100-0x0000000072820000-0x0000000073318000-memory.dmp
memory/904-101-0x0000000072080000-0x000000007281C000-memory.dmp
memory/904-102-0x00000000739E0000-0x0000000073B7B000-memory.dmp
memory/904-103-0x0000000074640000-0x0000000074744000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-31 05:52
Reported
2022-05-31 07:57
Platform
win10v2004-20220414-en
Max time kernel
138s
Max time network
157s
Command Line
Signatures
LimeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1762564580\1762564580.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\067eb1294e4dd4b17b802236519c2147a4f3ba91cdcadd45a9bf8b3f6e2b742c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\067eb1294e4dd4b17b802236519c2147a4f3ba91cdcadd45a9bf8b3f6e2b742c.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1762564580\1762564580.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1762564580\1762564580.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\067eb1294e4dd4b17b802236519c2147a4f3ba91cdcadd45a9bf8b3f6e2b742c.exe
"C:\Users\Admin\AppData\Local\Temp\067eb1294e4dd4b17b802236519c2147a4f3ba91cdcadd45a9bf8b3f6e2b742c.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c echo.
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c exec.bat
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File ".\bits.ps1"
C:\Users\Admin\AppData\Local\Temp\1762564580\1762564580.exe
"C:\Users\Admin\AppData\Local\Temp\1762564580\1762564580.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| NL | 87.248.202.1:80 | | tcp |
| US | 52.109.8.19:443 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| FR | 141.255.158.51:1177 | | tcp |
| NL | 88.221.144.192:80 | | tcp |
| FR | 2.18.109.224:443 | | tcp |
| US | 104.18.25.243:80 | | tcp |
| NL | 13.69.109.131:443 | | tcp |
| FR | 141.255.158.51:1177 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| NL | 8.248.3.254:80 | | tcp |
| NL | 8.248.3.254:80 | | tcp |
| US | 8.251.167.126:80 | | tcp |
| US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa | udp |
| FR | 141.255.158.51:1177 | | tcp |
| FR | 141.255.158.51:1177 | | tcp |
| FR | 141.255.158.51:1177 | | tcp |
Files
memory/3180-131-0x0000000000000000-mapping.dmp
memory/2168-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\exec.bat
| MD5 | 368e0f2c003376d3bdae1c71dd85ec70 |
| SHA1 | e5fa7b58cad7f5df6e3a7c2abeec16365ae17827 |
| SHA256 | 84ab0b7013c706781f6839235d7d59cfad0874e4cc415aeaa4bf86a8dd99b0d9 |
| SHA512 | e3e2c9035fca632d04fd411c394301598e6b964d2ebd79db4fcf19816dd876ed23c51831382202d8f5335a0e4a8721d683c377bb1706e4faa4001387f843d553 |
memory/3044-134-0x0000000000000000-mapping.dmp
memory/3044-135-0x0000019CF1170000-0x0000019CF1192000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bits.ps1
| MD5 | 8d4fc7d9b7f9ae031db6ac350af49861 |
| SHA1 | a57c563cc8406ef2ea4a8ad94972f039f053026e |
| SHA256 | 3637dfa2d64efeaf36903e17bacd8f832dee3e6d12e3414fd55fed4311498796 |
| SHA512 | 900e577c29f2976604805420ffd2fad6848657ba408e61dd8883bee55146ce229728527ebdbad2cf12b30b81232345e03761d02f1f0e2301de4de5154d2f6e87 |
memory/3044-137-0x00007FFBFA0B0000-0x00007FFBFAB71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1762564580\1762564580.exe
| MD5 | b799e179c6512cdea8fc1b60f3ea68e7 |
| SHA1 | fd011070db46a5ba428d467b7a1596c186ea7b69 |
| SHA256 | 182c2b7af53fe809c7b3bd3ea738108e20984e9bc982eb183c8311c5dd49640e |
| SHA512 | a2301141126dc823b12485337834435dfb526bf339a8712d3ec1aab58e887092dec891eb5cca49aab0b487793d57ca8b3299f7350e31f1e7eba9e67ad0db5c33 |
memory/1744-138-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1762564580\1762564580.exe
| MD5 | b799e179c6512cdea8fc1b60f3ea68e7 |
| SHA1 | fd011070db46a5ba428d467b7a1596c186ea7b69 |
| SHA256 | 182c2b7af53fe809c7b3bd3ea738108e20984e9bc982eb183c8311c5dd49640e |
| SHA512 | a2301141126dc823b12485337834435dfb526bf339a8712d3ec1aab58e887092dec891eb5cca49aab0b487793d57ca8b3299f7350e31f1e7eba9e67ad0db5c33 |
memory/3044-141-0x00007FFBFA0B0000-0x00007FFBFAB71000-memory.dmp
memory/1744-142-0x0000000074CF0000-0x00000000752A1000-memory.dmp
memory/1744-143-0x0000000073AF0000-0x00000000745F0000-memory.dmp
memory/1744-144-0x0000000073260000-0x0000000073A08000-memory.dmp
memory/1744-145-0x0000000074CF0000-0x00000000752A1000-memory.dmp
memory/1744-146-0x0000000073AF0000-0x00000000745F0000-memory.dmp
memory/1744-147-0x0000000073260000-0x0000000073A08000-memory.dmp