Analysis Overview
SHA256
151f926c9c343e82fbe5b92a3d33997a3ed92f3d71b7e18665c4cdfdde47e992
Threat Level: Known bad
The file 151f926c9c343e82fbe5b92a3d33997a3ed92f3d71b7e18665c4cdfdde47e992 was found to be: Known bad.
Malicious Activity Summary
LimeRAT
Drops startup file
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-09 08:22
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-09 08:22
Reported
2022-06-09 14:00
Platform
win10v2004-20220414-en
Max time kernel
142s
Max time network
154s
Command Line
Signatures
LimeRAT
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSW0RD.lnk | C:\Users\Admin\AppData\Local\Temp\151f926c9c343e82fbe5b92a3d33997a3ed92f3d71b7e18665c4cdfdde47e992.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2680 set thread context of 3628 | N/A | C:\Users\Admin\AppData\Local\Temp\151f926c9c343e82fbe5b92a3d33997a3ed92f3d71b7e18665c4cdfdde47e992.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\151f926c9c343e82fbe5b92a3d33997a3ed92f3d71b7e18665c4cdfdde47e992.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\151f926c9c343e82fbe5b92a3d33997a3ed92f3d71b7e18665c4cdfdde47e992.exe
"C:\Users\Admin\AppData\Local\Temp\151f926c9c343e82fbe5b92a3d33997a3ed92f3d71b7e18665c4cdfdde47e992.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| NL | 52.178.17.2:443 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-09 08:22
Reported
2022-06-09 14:00
Platform
win7-20220414-en
Max time kernel
147s
Max time network
187s
Command Line
Signatures
LimeRAT
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSW0RD.lnk | C:\Users\Admin\AppData\Local\Temp\151f926c9c343e82fbe5b92a3d33997a3ed92f3d71b7e18665c4cdfdde47e992.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1304 set thread context of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\151f926c9c343e82fbe5b92a3d33997a3ed92f3d71b7e18665c4cdfdde47e992.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\151f926c9c343e82fbe5b92a3d33997a3ed92f3d71b7e18665c4cdfdde47e992.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\151f926c9c343e82fbe5b92a3d33997a3ed92f3d71b7e18665c4cdfdde47e992.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\151f926c9c343e82fbe5b92a3d33997a3ed92f3d71b7e18665c4cdfdde47e992.exe
"C:\Users\Admin\AppData\Local\Temp\151f926c9c343e82fbe5b92a3d33997a3ed92f3d71b7e18665c4cdfdde47e992.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| DE | 79.134.225.72:2121 | | tcp |
| DE | 79.134.225.72:2121 | | tcp |
| DE | 79.134.225.72:2121 | | tcp |
| DE | 79.134.225.72:2121 | | tcp |
| DE | 79.134.225.72:2121 | | tcp |
| DE | 79.134.225.72:2121 | | tcp |
| DE | 79.134.225.72:2121 | | tcp |
| DE | 79.134.225.72:2121 | | tcp |
| DE | 79.134.225.72:2121 | | tcp |
| DE | 79.134.225.72:2121 | | tcp |
| DE | 79.134.225.72:2121 | | tcp |
| DE | 79.134.225.72:2121 | | tcp |
| DE | 79.134.225.72:2121 | | tcp |
| DE | 79.134.225.72:2121 | | tcp |
| DE | 79.134.225.72:2121 | | tcp |
| DE | 79.134.225.72:2121 | | tcp |
Files