Malware Analysis Report

2024-11-16 13:09

Sample ID: 220604-qg979aggc6
Target: 102c40347d336ac6d2a49d957243d25040b6970fd54c0fb9e424c491317ce282
SHA256: 102c40347d336ac6d2a49d957243d25040b6970fd54c0fb9e424c491317ce282
Tags: upx limerat rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 102c40347d336ac6d2a49d957243d25040b6970fd54c0fb9e424c491317ce282

Threat Level: Known bad

The file 102c40347d336ac6d2a49d957243d25040b6970fd54c0fb9e424c491317ce282 was found to be: Known bad.

Malicious Activity Summary

upx limerat rat

LimeRAT

UPX packed file

Drops startup file

Maps connected drives based on registry

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

AutoIT Executable

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-06-04 13:15

Signatures

UPX packed file (tags: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-06-04 13:15
Reported: 2022-06-04 16:34
Platform: win7-20220414-en
Max time kernel: 174s
Max time network: 178s

Command Line

"C:\Users\Admin\AppData\Local\Temp\102c40347d336ac6d2a49d957243d25040b6970fd54c0fb9e424c491317ce282.exe"

Signatures

LimeRAT (tags: rat limerat)

UPX packed file (tags: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WWAHost.url | C:\Users\Admin\AppData\Local\Temp\102c40347d336ac6d2a49d957243d25040b6970fd54c0fb9e424c491317ce282.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1940 set thread context of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\102c40347d336ac6d2a49d957243d25040b6970fd54c0fb9e424c491317ce282.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A (2 identical entries)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1940 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\102c40347d336ac6d2a49d957243d25040b6970fd54c0fb9e424c491317ce282.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (9 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\102c40347d336ac6d2a49d957243d25040b6970fd54c0fb9e424c491317ce282.exe

"C:\Users\Admin\AppData\Local\Temp\102c40347d336ac6d2a49d957243d25040b6970fd54c0fb9e424c491317ce282.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | pastebin.com | udp
US | 104.20.68.143:443 | pastebin.com | tcp

Files

memory/1940-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

memory/1668-55-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1668-57-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1940-63-0x0000000000B80000-0x0000000000C9B000-memory.dmp

memory/1668-62-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1668-61-0x000000000040825E-mapping.dmp

memory/1668-64-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1668-66-0x00000000748C0000-0x0000000074E6B000-memory.dmp

memory/1668-67-0x0000000073490000-0x0000000073F88000-memory.dmp

memory/1668-68-0x0000000072CF0000-0x000000007348C000-memory.dmp

memory/1668-69-0x0000000074620000-0x00000000747BB000-memory.dmp

memory/1668-70-0x00000000748C0000-0x0000000074E6B000-memory.dmp

memory/1668-71-0x0000000074510000-0x0000000074614000-memory.dmp

memory/1668-72-0x0000000072B60000-0x0000000072CE8000-memory.dmp

memory/1668-73-0x0000000071F80000-0x0000000072B5E000-memory.dmp

memory/1668-74-0x0000000074290000-0x0000000074381000-memory.dmp

memory/1668-75-0x0000000071A40000-0x0000000071F76000-memory.dmp

memory/1668-76-0x0000000074510000-0x0000000074614000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-06-04 13:15
Reported: 2022-06-04 16:34
Platform: win10v2004-20220414-en
Max time kernel: 144s
Max time network: 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\102c40347d336ac6d2a49d957243d25040b6970fd54c0fb9e424c491317ce282.exe"

Signatures

LimeRAT (tags: rat limerat)

UPX packed file (tags: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (2 identical entries)

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WWAHost.url | C:\Users\Admin\AppData\Local\Temp\102c40347d336ac6d2a49d957243d25040b6970fd54c0fb9e424c491317ce282.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Maps connected drives based on registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (2 identical entries)

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4904 set thread context of 5056 | N/A | C:\Users\Admin\AppData\Local\Temp\102c40347d336ac6d2a49d957243d25040b6970fd54c0fb9e424c491317ce282.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A (2 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\102c40347d336ac6d2a49d957243d25040b6970fd54c0fb9e424c491317ce282.exe

"C:\Users\Admin\AppData\Local\Temp\102c40347d336ac6d2a49d957243d25040b6970fd54c0fb9e424c491317ce282.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

Network

Country | Destination | Domain | Proto
US | 204.79.197.200:443 | N/A | tcp
US | 20.189.173.6:443 | N/A | tcp
CH | 173.222.108.226:80 | N/A | tcp
US | 204.79.197.203:80 | N/A | tcp
NL | 104.97.14.80:80 | N/A | tcp
US | 8.8.8.8:53 | pastebin.com | udp
US | 104.20.68.143:443 | pastebin.com | tcp
US | 172.67.34.170:443 | pastebin.com | tcp
US | 104.20.67.143:443 | pastebin.com | tcp

Files

memory/4904-130-0x0000000000150000-0x000000000026B000-memory.dmp

memory/5056-131-0x0000000000000000-mapping.dmp

memory/5056-132-0x0000000000400000-0x000000000040C000-memory.dmp

memory/4904-136-0x0000000000150000-0x000000000026B000-memory.dmp

memory/5056-137-0x0000000074ED0000-0x0000000075481000-memory.dmp

memory/5056-138-0x0000000073760000-0x0000000074260000-memory.dmp

memory/5056-139-0x0000000072FB0000-0x0000000073758000-memory.dmp

memory/5056-140-0x0000000074ED0000-0x0000000075481000-memory.dmp