Analysis Overview
SHA256
102c40347d336ac6d2a49d957243d25040b6970fd54c0fb9e424c491317ce282
Threat Level: Known bad
The file 102c40347d336ac6d2a49d957243d25040b6970fd54c0fb9e424c491317ce282 was found to be: Known bad.
Malicious Activity Summary
LimeRAT
UPX packed file
Drops startup file
Maps connected drives based on registry
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
AutoIT Executable
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-04 13:15
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-04 13:15
Reported
2022-06-04 16:34
Platform
win7-20220414-en
Max time kernel
174s
Max time network
178s
Command Line
Signatures
LimeRAT
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WWAHost.url | C:\Users\Admin\AppData\Local\Temp\102c40347d336ac6d2a49d957243d25040b6970fd54c0fb9e424c491317ce282.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1940 set thread context of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\102c40347d336ac6d2a49d957243d25040b6970fd54c0fb9e424c491317ce282.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\102c40347d336ac6d2a49d957243d25040b6970fd54c0fb9e424c491317ce282.exe
"C:\Users\Admin\AppData\Local\Temp\102c40347d336ac6d2a49d957243d25040b6970fd54c0fb9e424c491317ce282.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-04 13:15
Reported
2022-06-04 16:34
Platform
win10v2004-20220414-en
Max time kernel
144s
Max time network
157s
Command Line
Signatures
LimeRAT
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WWAHost.url | C:\Users\Admin\AppData\Local\Temp\102c40347d336ac6d2a49d957243d25040b6970fd54c0fb9e424c491317ce282.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4904 set thread context of 5056 | N/A | C:\Users\Admin\AppData\Local\Temp\102c40347d336ac6d2a49d957243d25040b6970fd54c0fb9e424c491317ce282.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\102c40347d336ac6d2a49d957243d25040b6970fd54c0fb9e424c491317ce282.exe
"C:\Users\Admin\AppData\Local\Temp\102c40347d336ac6d2a49d957243d25040b6970fd54c0fb9e424c491317ce282.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | | tcp |
| US | 20.189.173.6:443 | | tcp |
| CH | 173.222.108.226:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| NL | 104.97.14.80:80 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
Files