Analysis Overview
SHA256
bf96da63e4b63f9077e70f7333b15174d5b9a5c19a04a3cd8a6ac7aa1dba15d4
Threat Level: Known bad
The file new.exe was found to be: Known bad.
Malicious Activity Summary
LimeRAT
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-03 05:17
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-03 05:17
Reported
2022-06-03 05:20
Platform
win10v2004-20220414-en
Max time kernel
176s
Max time network
183s
Command Line
Signatures
LimeRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\new.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2300 set thread context of 3816 | N/A | C:\Users\Admin\AppData\Local\Temp\new.exe | C:\Users\Admin\AppData\Local\Temp\new.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\new.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\new.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\new.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\new.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\new.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\new.exe
"C:\Users\Admin\AppData\Local\Temp\new.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 2332 -ip 2332
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2332 -s 772
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KzSuNlCQoYKnH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4801.tmp"
C:\Users\Admin\AppData\Local\Temp\new.exe
"C:\Users\Admin\AppData\Local\Temp\new.exe"
C:\Users\Admin\AppData\Local\Temp\new.exe
"C:\Users\Admin\AppData\Local\Temp\new.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 104.97.14.81:80 | N/A | tcp |
| IE | 20.54.110.249:443 | N/A | tcp |
| US | 8.8.8.8:53 | api.msn.com | udp |
| US | 204.79.197.203:443 | api.msn.com | tcp |
| US | 52.168.117.170:443 | N/A | tcp |
| US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp |
| US | 204.79.197.203:80 | api.msn.com | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| CA | 54.39.245.150:4204 | N/A | tcp |
| US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp |
| FR | 2.18.109.224:443 | storesdk.dsx.mp.microsoft.com | tcp |
| FR | 2.18.109.224:443 | storesdk.dsx.mp.microsoft.com | tcp |
| CA | 54.39.245.150:4204 | N/A | tcp |
| CA | 54.39.245.150:4204 | N/A | tcp |
| CA | 54.39.245.150:4204 | N/A | tcp |
| FR | 2.18.109.224:443 | storesdk.dsx.mp.microsoft.com | tcp |
Files
memory/2300-130-0x0000000000330000-0x00000000003F2000-memory.dmp
memory/2300-131-0x0000000004D20000-0x0000000004DBC000-memory.dmp
memory/2300-132-0x0000000005420000-0x00000000059C4000-memory.dmp
memory/2300-133-0x0000000004E70000-0x0000000004F02000-memory.dmp
memory/2300-134-0x0000000004E40000-0x0000000004E4A000-memory.dmp
memory/2300-135-0x0000000005060000-0x00000000050B6000-memory.dmp
memory/3600-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp4801.tmp
| MD5 | c4b7cd676a5559e5e0f8b7c9b0c93460 |
| SHA1 | 36bdc8d9f791b5f40c7b7f7137a54b249540fde5 |
| SHA256 | e486ed41cf4545848401d57b6fafc1675d29c20ffd81ac93aa54aaed103ec08f |
| SHA512 | fef00b55ad06a819df92124d19fc58cf22cc5d22560a5b962e3d09159efcb4312a5bdb8ccea9af4ab80e367482efb7e5a739913fe484113be9d75c5fe917c030 |
memory/1820-138-0x0000000000000000-mapping.dmp
memory/3816-139-0x0000000000000000-mapping.dmp
memory/3816-140-0x0000000000400000-0x000000000040C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\new.exe.log
| MD5 | 17573558c4e714f606f997e5157afaac |
| SHA1 | 13e16e9415ceef429aaf124139671ebeca09ed23 |
| SHA256 | c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553 |
| SHA512 | f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc |
memory/3816-142-0x0000000005100000-0x0000000005166000-memory.dmp