Analysis Overview
SHA256
fc790cea14d04d9090ab085b585a8017ad469ebbce5c9d29c8d877ccf9e3efbf
Threat Level: Known bad
The file fc790cea14d04d9090ab085b585a8017ad469ebbce5c9d29c8d877ccf9e3efbf was found to be: Known bad.
Malicious Activity Summary
LimeRAT
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
Enumerates physical storage devices
NSIS installer
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-12 10:18
Signatures
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:42
Platform
win7-20220414-en
Max time kernel
149s
Max time network
187s
Command Line
Signatures
LimeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Cure Tool.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fc790cea14d04d9090ab085b585a8017ad469ebbce5c9d29c8d877ccf9e3efbf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fc790cea14d04d9090ab085b585a8017ad469ebbce5c9d29c8d877ccf9e3efbf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fc790cea14d04d9090ab085b585a8017ad469ebbce5c9d29c8d877ccf9e3efbf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fc790cea14d04d9090ab085b585a8017ad469ebbce5c9d29c8d877ccf9e3efbf.exe
"C:\Users\Admin\AppData\Local\Temp\fc790cea14d04d9090ab085b585a8017ad469ebbce5c9d29c8d877ccf9e3efbf.exe"
C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe
"C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe"
C:\Users\Admin\AppData\Local\Temp\Cure Tool.exe
"C:\Users\Admin\AppData\Local\Temp\Cure Tool.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe'"
C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe
"C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
Files
memory/1700-54-0x0000000075F21000-0x0000000075F23000-memory.dmp
\Users\Admin\AppData\Local\Temp\tvsxwrc.exe
| MD5 | 7374806e51b404de9c639cbff4226eed |
| SHA1 | 6c7466e48018fa00ccf53a24615448117697f494 |
| SHA256 | 5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f |
| SHA512 | 5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7 |
memory/1344-57-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\tvsxwrc.exe
| MD5 | 7374806e51b404de9c639cbff4226eed |
| SHA1 | 6c7466e48018fa00ccf53a24615448117697f494 |
| SHA256 | 5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f |
| SHA512 | 5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7 |
C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe
| MD5 | 7374806e51b404de9c639cbff4226eed |
| SHA1 | 6c7466e48018fa00ccf53a24615448117697f494 |
| SHA256 | 5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f |
| SHA512 | 5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7 |
C:\Users\Admin\AppData\Local\Temp\Cure Tool.exe
| MD5 | 7658c455f3acdc2b574da9f863855f01 |
| SHA1 | c05e0e3ccfb01bec9e6e4f8592fc21fe8a991b32 |
| SHA256 | 8d0ab3ac5f70ab0d16c1c3f1f66e4580e4116175d30bece8b14514858c9174dc |
| SHA512 | 7325535c7228542cecf43c2042dd07caee54d8f61a49ea5750508f7ed27ad0f5b24c62a023c0c8f675bb8c077720d60565338ce10754ae098ec7d47bf3f83730 |
memory/1072-60-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\Cure Tool.exe
| MD5 | 7658c455f3acdc2b574da9f863855f01 |
| SHA1 | c05e0e3ccfb01bec9e6e4f8592fc21fe8a991b32 |
| SHA256 | 8d0ab3ac5f70ab0d16c1c3f1f66e4580e4116175d30bece8b14514858c9174dc |
| SHA512 | 7325535c7228542cecf43c2042dd07caee54d8f61a49ea5750508f7ed27ad0f5b24c62a023c0c8f675bb8c077720d60565338ce10754ae098ec7d47bf3f83730 |
C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe
| MD5 | 7374806e51b404de9c639cbff4226eed |
| SHA1 | 6c7466e48018fa00ccf53a24615448117697f494 |
| SHA256 | 5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f |
| SHA512 | 5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7 |
C:\Users\Admin\AppData\Local\Temp\Cure Tool.exe
| MD5 | 7658c455f3acdc2b574da9f863855f01 |
| SHA1 | c05e0e3ccfb01bec9e6e4f8592fc21fe8a991b32 |
| SHA256 | 8d0ab3ac5f70ab0d16c1c3f1f66e4580e4116175d30bece8b14514858c9174dc |
| SHA512 | 7325535c7228542cecf43c2042dd07caee54d8f61a49ea5750508f7ed27ad0f5b24c62a023c0c8f675bb8c077720d60565338ce10754ae098ec7d47bf3f83730 |
memory/1072-65-0x00000000003C0000-0x00000000003C8000-memory.dmp
memory/1344-64-0x0000000000E10000-0x0000000000E1C000-memory.dmp
memory/1040-67-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe
| MD5 | 7374806e51b404de9c639cbff4226eed |
| SHA1 | 6c7466e48018fa00ccf53a24615448117697f494 |
| SHA256 | 5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f |
| SHA512 | 5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7 |
memory/1996-71-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe
| MD5 | 7374806e51b404de9c639cbff4226eed |
| SHA1 | 6c7466e48018fa00ccf53a24615448117697f494 |
| SHA256 | 5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f |
| SHA512 | 5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7 |
C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe
| MD5 | 7374806e51b404de9c639cbff4226eed |
| SHA1 | 6c7466e48018fa00ccf53a24615448117697f494 |
| SHA256 | 5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f |
| SHA512 | 5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7 |
C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe
| MD5 | 7374806e51b404de9c639cbff4226eed |
| SHA1 | 6c7466e48018fa00ccf53a24615448117697f494 |
| SHA256 | 5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f |
| SHA512 | 5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7 |
memory/1996-74-0x0000000000BB0000-0x0000000000BBC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:40
Platform
win10v2004-20220414-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
LimeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Cure Tool.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fc790cea14d04d9090ab085b585a8017ad469ebbce5c9d29c8d877ccf9e3efbf.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fc790cea14d04d9090ab085b585a8017ad469ebbce5c9d29c8d877ccf9e3efbf.exe
"C:\Users\Admin\AppData\Local\Temp\fc790cea14d04d9090ab085b585a8017ad469ebbce5c9d29c8d877ccf9e3efbf.exe"
C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe
"C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe"
C:\Users\Admin\AppData\Local\Temp\Cure Tool.exe
"C:\Users\Admin\AppData\Local\Temp\Cure Tool.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe'"
C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe
"C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 20.189.173.2:443 | tcp | |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| NL | 178.79.208.1:80 | tcp | |
| NL | 178.79.208.1:80 | tcp | |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
Files
memory/4424-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe
| MD5 | 7374806e51b404de9c639cbff4226eed |
| SHA1 | 6c7466e48018fa00ccf53a24615448117697f494 |
| SHA256 | 5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f |
| SHA512 | 5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7 |
memory/4216-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe
| MD5 | 7374806e51b404de9c639cbff4226eed |
| SHA1 | 6c7466e48018fa00ccf53a24615448117697f494 |
| SHA256 | 5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f |
| SHA512 | 5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7 |
C:\Users\Admin\AppData\Local\Temp\Cure Tool.exe
| MD5 | 7658c455f3acdc2b574da9f863855f01 |
| SHA1 | c05e0e3ccfb01bec9e6e4f8592fc21fe8a991b32 |
| SHA256 | 8d0ab3ac5f70ab0d16c1c3f1f66e4580e4116175d30bece8b14514858c9174dc |
| SHA512 | 7325535c7228542cecf43c2042dd07caee54d8f61a49ea5750508f7ed27ad0f5b24c62a023c0c8f675bb8c077720d60565338ce10754ae098ec7d47bf3f83730 |
C:\Users\Admin\AppData\Local\Temp\Cure Tool.exe
| MD5 | 7658c455f3acdc2b574da9f863855f01 |
| SHA1 | c05e0e3ccfb01bec9e6e4f8592fc21fe8a991b32 |
| SHA256 | 8d0ab3ac5f70ab0d16c1c3f1f66e4580e4116175d30bece8b14514858c9174dc |
| SHA512 | 7325535c7228542cecf43c2042dd07caee54d8f61a49ea5750508f7ed27ad0f5b24c62a023c0c8f675bb8c077720d60565338ce10754ae098ec7d47bf3f83730 |
memory/4424-140-0x0000000000ED0000-0x0000000000EDC000-memory.dmp
memory/4216-139-0x0000000000F50000-0x0000000000F58000-memory.dmp
memory/4424-141-0x0000000005840000-0x00000000058DC000-memory.dmp
memory/4424-142-0x00000000058E0000-0x0000000005946000-memory.dmp
memory/4424-143-0x0000000006540000-0x0000000006AE4000-memory.dmp
memory/4028-144-0x0000000000000000-mapping.dmp
memory/4068-145-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe
| MD5 | 7374806e51b404de9c639cbff4226eed |
| SHA1 | 6c7466e48018fa00ccf53a24615448117697f494 |
| SHA256 | 5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f |
| SHA512 | 5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7 |
C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe
| MD5 | 7374806e51b404de9c639cbff4226eed |
| SHA1 | 6c7466e48018fa00ccf53a24615448117697f494 |
| SHA256 | 5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f |
| SHA512 | 5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7 |
memory/4068-148-0x0000000006700000-0x0000000006792000-memory.dmp