Malware Analysis Report

2024-11-16 13:09

Sample ID: 220603-fyxndadcbq
Target: new.exe
SHA256: bf96da63e4b63f9077e70f7333b15174d5b9a5c19a04a3cd8a6ac7aa1dba15d4
Tags: limerat rat
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: bf96da63e4b63f9077e70f7333b15174d5b9a5c19a04a3cd8a6ac7aa1dba15d4

Threat Level: Known bad

The file new.exe was found to be: Known bad.

Malicious Activity Summary

Tags: limerat rat

LimeRAT

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-06-03 05:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-06-03 05:17

Reported: 2022-06-03 05:20

Platform: win10v2004-20220414-en

Max time kernel: 176s

Max time network: 183s

Command Line

"C:\Users\Admin\AppData\Local\Temp\new.exe"

Signatures

LimeRAT

Tags: rat limerat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\new.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2300 set thread context of 3816 | N/A | C:\Users\Admin\AppData\Local\Temp\new.exe | C:\Users\Admin\AppData\Local\Temp\new.exe

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\WerFault.exe |

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\new.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\new.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\new.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\new.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\new.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2300 wrote to memory of 3600 | N/A | C:\Users\Admin\AppData\Local\Temp\new.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2300 wrote to memory of 3600 | N/A | C:\Users\Admin\AppData\Local\Temp\new.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2300 wrote to memory of 3600 | N/A | C:\Users\Admin\AppData\Local\Temp\new.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2300 wrote to memory of 1820 | N/A | C:\Users\Admin\AppData\Local\Temp\new.exe | C:\Users\Admin\AppData\Local\Temp\new.exe
PID 2300 wrote to memory of 1820 | N/A | C:\Users\Admin\AppData\Local\Temp\new.exe | C:\Users\Admin\AppData\Local\Temp\new.exe
PID 2300 wrote to memory of 1820 | N/A | C:\Users\Admin\AppData\Local\Temp\new.exe | C:\Users\Admin\AppData\Local\Temp\new.exe
PID 2300 wrote to memory of 3816 | N/A | C:\Users\Admin\AppData\Local\Temp\new.exe | C:\Users\Admin\AppData\Local\Temp\new.exe
PID 2300 wrote to memory of 3816 | N/A | C:\Users\Admin\AppData\Local\Temp\new.exe | C:\Users\Admin\AppData\Local\Temp\new.exe
PID 2300 wrote to memory of 3816 | N/A | C:\Users\Admin\AppData\Local\Temp\new.exe | C:\Users\Admin\AppData\Local\Temp\new.exe
PID 2300 wrote to memory of 3816 | N/A | C:\Users\Admin\AppData\Local\Temp\new.exe | C:\Users\Admin\AppData\Local\Temp\new.exe
PID 2300 wrote to memory of 3816 | N/A | C:\Users\Admin\AppData\Local\Temp\new.exe | C:\Users\Admin\AppData\Local\Temp\new.exe
PID 2300 wrote to memory of 3816 | N/A | C:\Users\Admin\AppData\Local\Temp\new.exe | C:\Users\Admin\AppData\Local\Temp\new.exe
PID 2300 wrote to memory of 3816 | N/A | C:\Users\Admin\AppData\Local\Temp\new.exe | C:\Users\Admin\AppData\Local\Temp\new.exe

Processes

C:\Users\Admin\AppData\Local\Temp\new.exe

"C:\Users\Admin\AppData\Local\Temp\new.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 444 -p 2332 -ip 2332

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2332 -s 772

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KzSuNlCQoYKnH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4801.tmp"

C:\Users\Admin\AppData\Local\Temp\new.exe

"C:\Users\Admin\AppData\Local\Temp\new.exe"

C:\Users\Admin\AppData\Local\Temp\new.exe

"C:\Users\Admin\AppData\Local\Temp\new.exe"

Network

Country | Destination | Domain | Proto
NL | 104.97.14.81:80 | | tcp
IE | 20.54.110.249:443 | | tcp
US | 8.8.8.8:53 | api.msn.com | udp
US | 204.79.197.203:443 | api.msn.com | tcp
US | 52.168.117.170:443 | | tcp
US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp
US | 204.79.197.203:80 | api.msn.com | tcp
US | 8.8.8.8:53 | pastebin.com | udp
US | 172.67.34.170:443 | pastebin.com | tcp
CA | 54.39.245.150:4204 | | tcp
US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp
FR | 2.18.109.224:443 | storesdk.dsx.mp.microsoft.com | tcp
FR | 2.18.109.224:443 | storesdk.dsx.mp.microsoft.com | tcp
CA | 54.39.245.150:4204 | | tcp
CA | 54.39.245.150:4204 | | tcp
CA | 54.39.245.150:4204 | | tcp
FR | 2.18.109.224:443 | storesdk.dsx.mp.microsoft.com | tcp

Files

memory/2300-130-0x0000000000330000-0x00000000003F2000-memory.dmp

memory/2300-131-0x0000000004D20000-0x0000000004DBC000-memory.dmp

memory/2300-132-0x0000000005420000-0x00000000059C4000-memory.dmp

memory/2300-133-0x0000000004E70000-0x0000000004F02000-memory.dmp

memory/2300-134-0x0000000004E40000-0x0000000004E4A000-memory.dmp

memory/2300-135-0x0000000005060000-0x00000000050B6000-memory.dmp

memory/3600-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4801.tmp

MD5 c4b7cd676a5559e5e0f8b7c9b0c93460
SHA1 36bdc8d9f791b5f40c7b7f7137a54b249540fde5
SHA256 e486ed41cf4545848401d57b6fafc1675d29c20ffd81ac93aa54aaed103ec08f
SHA512 fef00b55ad06a819df92124d19fc58cf22cc5d22560a5b962e3d09159efcb4312a5bdb8ccea9af4ab80e367482efb7e5a739913fe484113be9d75c5fe917c030

memory/1820-138-0x0000000000000000-mapping.dmp

memory/3816-139-0x0000000000000000-mapping.dmp

memory/3816-140-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\new.exe.log

MD5 17573558c4e714f606f997e5157afaac
SHA1 13e16e9415ceef429aaf124139671ebeca09ed23
SHA256 c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
SHA512 f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

memory/3816-142-0x0000000005100000-0x0000000005166000-memory.dmp