Analysis Overview
SHA256
20e5879450485048a3a74c4e8f261012e04a0ad7bafb93e4eadd6481495021a3
Threat Level: Known bad
The file 20e5879450485048a3a74c4e8f261012e04a0ad7bafb93e4eadd6481495021a3 was found to be: Known bad.
Malicious Activity Summary
LimeRAT
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Maps connected drives based on registry
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Program crash
NSIS installer
Creates scheduled task(s)
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-12 10:18
Signatures
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral13
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:45
Platform
win7-20220414-en
Max time kernel
9s
Max time network
47s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Newtonsoft.Json.dll",#1
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:44
Platform
win7-20220414-en
Max time kernel
50s
Max time network
42s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Orion Keylogger2.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Orion Keylogger2.exe
"C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Orion Keylogger2.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.orionkeylogger.com | udp |
Files
memory/756-54-0x0000000000AB0000-0x0000000000BCA000-memory.dmp
memory/756-55-0x000007FEFBB71000-0x000007FEFBB73000-memory.dmp
memory/756-56-0x0000000000160000-0x0000000000170000-memory.dmp
memory/756-57-0x0000000000430000-0x000000000044E000-memory.dmp
memory/756-58-0x0000000000530000-0x000000000056C000-memory.dmp
memory/756-59-0x000000001AE97000-0x000000001AEB6000-memory.dmp
memory/756-60-0x000000001AE97000-0x000000001AEB6000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:44
Platform
win7-20220414-en
Max time kernel
43s
Max time network
48s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 532 wrote to memory of 1788 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 532 wrote to memory of 1788 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 532 wrote to memory of 1788 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 532 wrote to memory of 1788 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 532 wrote to memory of 1788 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 532 wrote to memory of 1788 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 532 wrote to memory of 1788 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\ranger.browserlogging.vault.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\ranger.browserlogging.vault.dll",#1
Network
Files
memory/1788-54-0x0000000000000000-mapping.dmp
memory/1788-55-0x0000000075701000-0x0000000075703000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:43
Platform
win10v2004-20220414-en
Max time kernel
134s
Max time network
140s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Booya Theme.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 52.109.12.19:443 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 104.208.16.89:443 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| NL | 8.238.21.254:80 | tcp | |
| NL | 8.238.21.254:80 | tcp | |
| NL | 8.238.21.254:80 | tcp | |
| NL | 8.238.21.254:80 | tcp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:43
Platform
win7-20220414-en
Max time kernel
43s
Max time network
48s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Mono.Cecil.dll",#1
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:44
Platform
win7-20220414-en
Max time kernel
150s
Max time network
189s
Command Line
Signatures
LimeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Cure Tool.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Cure Tool.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Cure Tool.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Cure Tool.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Cure Tool.exe
"C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Cure Tool.exe"
C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe
"C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe"
C:\Users\Admin\AppData\Local\Temp\Cure Tool.exe
"C:\Users\Admin\AppData\Local\Temp\Cure Tool.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe'"
C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe
"C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
Files
memory/1304-54-0x00000000753B1000-0x00000000753B3000-memory.dmp
\Users\Admin\AppData\Local\Temp\tvsxwrc.exe
| MD5 | 7374806e51b404de9c639cbff4226eed |
| SHA1 | 6c7466e48018fa00ccf53a24615448117697f494 |
| SHA256 | 5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f |
| SHA512 | 5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7 |
memory/1904-57-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\tvsxwrc.exe
| MD5 | 7374806e51b404de9c639cbff4226eed |
| SHA1 | 6c7466e48018fa00ccf53a24615448117697f494 |
| SHA256 | 5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f |
| SHA512 | 5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7 |
C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe
| MD5 | 7374806e51b404de9c639cbff4226eed |
| SHA1 | 6c7466e48018fa00ccf53a24615448117697f494 |
| SHA256 | 5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f |
| SHA512 | 5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7 |
\Users\Admin\AppData\Local\Temp\Cure Tool.exe
| MD5 | 7658c455f3acdc2b574da9f863855f01 |
| SHA1 | c05e0e3ccfb01bec9e6e4f8592fc21fe8a991b32 |
| SHA256 | 8d0ab3ac5f70ab0d16c1c3f1f66e4580e4116175d30bece8b14514858c9174dc |
| SHA512 | 7325535c7228542cecf43c2042dd07caee54d8f61a49ea5750508f7ed27ad0f5b24c62a023c0c8f675bb8c077720d60565338ce10754ae098ec7d47bf3f83730 |
memory/2032-60-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Cure Tool.exe
| MD5 | 7658c455f3acdc2b574da9f863855f01 |
| SHA1 | c05e0e3ccfb01bec9e6e4f8592fc21fe8a991b32 |
| SHA256 | 8d0ab3ac5f70ab0d16c1c3f1f66e4580e4116175d30bece8b14514858c9174dc |
| SHA512 | 7325535c7228542cecf43c2042dd07caee54d8f61a49ea5750508f7ed27ad0f5b24c62a023c0c8f675bb8c077720d60565338ce10754ae098ec7d47bf3f83730 |
C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe
| MD5 | 7374806e51b404de9c639cbff4226eed |
| SHA1 | 6c7466e48018fa00ccf53a24615448117697f494 |
| SHA256 | 5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f |
| SHA512 | 5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7 |
C:\Users\Admin\AppData\Local\Temp\Cure Tool.exe
| MD5 | 7658c455f3acdc2b574da9f863855f01 |
| SHA1 | c05e0e3ccfb01bec9e6e4f8592fc21fe8a991b32 |
| SHA256 | 8d0ab3ac5f70ab0d16c1c3f1f66e4580e4116175d30bece8b14514858c9174dc |
| SHA512 | 7325535c7228542cecf43c2042dd07caee54d8f61a49ea5750508f7ed27ad0f5b24c62a023c0c8f675bb8c077720d60565338ce10754ae098ec7d47bf3f83730 |
memory/1904-64-0x0000000001290000-0x000000000129C000-memory.dmp
memory/2032-65-0x00000000010F0000-0x00000000010F8000-memory.dmp
memory/544-67-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe
| MD5 | 7374806e51b404de9c639cbff4226eed |
| SHA1 | 6c7466e48018fa00ccf53a24615448117697f494 |
| SHA256 | 5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f |
| SHA512 | 5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7 |
memory/1520-71-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe
| MD5 | 7374806e51b404de9c639cbff4226eed |
| SHA1 | 6c7466e48018fa00ccf53a24615448117697f494 |
| SHA256 | 5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f |
| SHA512 | 5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7 |
\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe
| MD5 | 7374806e51b404de9c639cbff4226eed |
| SHA1 | 6c7466e48018fa00ccf53a24615448117697f494 |
| SHA256 | 5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f |
| SHA512 | 5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7 |
C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe
| MD5 | 7374806e51b404de9c639cbff4226eed |
| SHA1 | 6c7466e48018fa00ccf53a24615448117697f494 |
| SHA256 | 5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f |
| SHA512 | 5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7 |
memory/1520-74-0x0000000001390000-0x000000000139C000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:44
Platform
win10v2004-20220414-en
Max time kernel
156s
Max time network
171s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Orion Keylogger2.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Orion Keylogger2.exe
"C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Orion Keylogger2.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.orionkeylogger.com | udp |
| NL | 8.238.24.126:80 | tcp | |
| NL | 8.238.24.126:80 | tcp | |
| IE | 52.109.76.31:443 | tcp |
Files
memory/2520-130-0x00000285F8290000-0x00000285F83AA000-memory.dmp
memory/2520-131-0x00000285F8720000-0x00000285F8730000-memory.dmp
memory/2520-132-0x00007FF8F2F10000-0x00007FF8F39D1000-memory.dmp
memory/2520-133-0x00000285FA030000-0x00000285FA04E000-memory.dmp
memory/2520-134-0x00000285FA7B0000-0x00000285FA7EC000-memory.dmp
memory/2520-135-0x00007FF8F2F10000-0x00007FF8F39D1000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:45
Platform
win10v2004-20220414-en
Max time kernel
151s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\RedPandaUI.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 52.152.108.96:443 | tcp | |
| NL | 88.221.144.179:80 | tcp | |
| NL | 88.221.144.179:80 | tcp | |
| US | 13.89.178.26:443 | tcp | |
| NL | 104.110.191.133:80 | tcp | |
| NL | 104.110.191.133:80 | tcp | |
| NL | 104.110.191.133:80 | tcp | |
| US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:45
Platform
win10v2004-20220414-en
Max time kernel
153s
Max time network
207s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2512 wrote to memory of 2368 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2512 wrote to memory of 2368 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2512 wrote to memory of 2368 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\ranger.browserlogging.vault.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\ranger.browserlogging.vault.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2368 -ip 2368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 668
Network
| Country | Destination | Domain | Proto |
| US | 20.189.173.4:443 | tcp | |
| NL | 104.110.191.133:80 | tcp | |
| NL | 104.110.191.133:80 | tcp |
Files
memory/2368-130-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:43
Platform
win10v2004-20220414-en
Max time kernel
91s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\961API.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 20.189.173.2:443 | tcp | |
| NL | 104.110.191.133:80 | tcp | |
| NL | 104.110.191.133:80 | tcp | |
| NL | 104.110.191.133:80 | tcp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:43
Platform
win7-20220414-en
Max time kernel
45s
Max time network
49s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\MintUI.dll",#1
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:44
Platform
win10v2004-20220414-en
Max time kernel
139s
Max time network
151s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2040 wrote to memory of 3944 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2040 wrote to memory of 3944 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2040 wrote to memory of 3944 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Ranger.BrowserLogging.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Ranger.BrowserLogging.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.247.211.126:80 | tcp | |
| US | 67.24.25.254:80 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| US | 8.247.211.126:80 | tcp | |
| US | 8.247.211.126:80 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| GB | 51.104.15.253:443 | tcp | |
| US | 8.247.211.126:80 | tcp | |
| US | 8.247.211.126:80 | tcp | |
| US | 8.247.211.126:80 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
Files
memory/3944-130-0x0000000000000000-mapping.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:44
Platform
win7-20220414-en
Max time kernel
9s
Max time network
46s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Booya Theme.dll",#1
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:43
Platform
win10v2004-20220414-en
Max time kernel
91s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\KeikoObfuscator.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 52.182.141.63:443 | tcp | |
| US | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:44
Platform
win7-20220414-en
Max time kernel
21s
Max time network
46s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\KeikoObfuscator.dll",#1
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:44
Platform
win10v2004-20220414-en
Max time kernel
91s
Max time network
135s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\MintUI.dll",#1
Network
| Country | Destination | Domain | Proto |
| NL | 104.110.191.133:80 | tcp | |
| US | 20.189.173.2:443 | tcp | |
| NL | 104.110.191.133:80 | tcp | |
| NL | 104.110.191.133:80 | tcp | |
| NL | 104.110.191.133:80 | tcp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:45
Platform
win10v2004-20220414-en
Max time kernel
151s
Max time network
208s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Mono.Cecil.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 13.107.4.50:80 | tcp | |
| NL | 104.97.14.81:80 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| IE | 20.54.110.249:443 | tcp | |
| NL | 178.79.208.1:80 | tcp | |
| US | 8.8.8.8:53 | 15.89.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:45
Platform
win10v2004-20220414-en
Max time kernel
183s
Max time network
209s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Newtonsoft.Json.dll",#1
Network
| Country | Destination | Domain | Proto |
| NL | 104.110.191.133:80 | tcp | |
| US | 20.189.173.9:443 | tcp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:45
Platform
win7-20220414-en
Max time kernel
19s
Max time network
46s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 280 wrote to memory of 1924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 280 wrote to memory of 1924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 280 wrote to memory of 1924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 280 wrote to memory of 1924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 280 wrote to memory of 1924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 280 wrote to memory of 1924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 280 wrote to memory of 1924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Ranger.BrowserLogging.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Ranger.BrowserLogging.dll",#1
Network
Files
memory/1924-54-0x0000000000000000-mapping.dmp
memory/1924-55-0x0000000075541000-0x0000000075543000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:45
Platform
win7-20220414-en
Max time kernel
42s
Max time network
46s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\RedPandaUI.dll",#1
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:42
Platform
win7-20220414-en
Max time kernel
46s
Max time network
52s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\961API.dll",#1
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:43
Platform
win10v2004-20220414-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
LimeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Cure Tool.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Cure Tool.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Cure Tool.exe
"C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Cure Tool.exe"
C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe
"C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe"
C:\Users\Admin\AppData\Local\Temp\Cure Tool.exe
"C:\Users\Admin\AppData\Local\Temp\Cure Tool.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe'"
C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe
"C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 20.190.160.67:443 | tcp | |
| US | 52.182.143.208:443 | tcp | |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| NL | 20.190.160.136:443 | tcp | |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| NL | 104.110.191.140:80 | tcp | |
| NL | 104.110.191.140:80 | tcp | |
| NL | 87.248.202.1:80 | tcp | |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| NL | 20.190.160.71:443 | tcp | |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
Files
memory/4884-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe
| MD5 | 7374806e51b404de9c639cbff4226eed |
| SHA1 | 6c7466e48018fa00ccf53a24615448117697f494 |
| SHA256 | 5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f |
| SHA512 | 5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7 |
C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe
| MD5 | 7374806e51b404de9c639cbff4226eed |
| SHA1 | 6c7466e48018fa00ccf53a24615448117697f494 |
| SHA256 | 5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f |
| SHA512 | 5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7 |
memory/4464-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Cure Tool.exe
| MD5 | 7658c455f3acdc2b574da9f863855f01 |
| SHA1 | c05e0e3ccfb01bec9e6e4f8592fc21fe8a991b32 |
| SHA256 | 8d0ab3ac5f70ab0d16c1c3f1f66e4580e4116175d30bece8b14514858c9174dc |
| SHA512 | 7325535c7228542cecf43c2042dd07caee54d8f61a49ea5750508f7ed27ad0f5b24c62a023c0c8f675bb8c077720d60565338ce10754ae098ec7d47bf3f83730 |
C:\Users\Admin\AppData\Local\Temp\Cure Tool.exe
| MD5 | 7658c455f3acdc2b574da9f863855f01 |
| SHA1 | c05e0e3ccfb01bec9e6e4f8592fc21fe8a991b32 |
| SHA256 | 8d0ab3ac5f70ab0d16c1c3f1f66e4580e4116175d30bece8b14514858c9174dc |
| SHA512 | 7325535c7228542cecf43c2042dd07caee54d8f61a49ea5750508f7ed27ad0f5b24c62a023c0c8f675bb8c077720d60565338ce10754ae098ec7d47bf3f83730 |
memory/4884-136-0x0000000000A60000-0x0000000000A6C000-memory.dmp
memory/4464-137-0x0000000000F20000-0x0000000000F28000-memory.dmp
memory/4884-138-0x00000000053E0000-0x000000000547C000-memory.dmp
memory/4884-139-0x0000000005480000-0x00000000054E6000-memory.dmp
memory/4884-140-0x00000000062E0000-0x0000000006884000-memory.dmp
memory/4428-141-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe
| MD5 | 7374806e51b404de9c639cbff4226eed |
| SHA1 | 6c7466e48018fa00ccf53a24615448117697f494 |
| SHA256 | 5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f |
| SHA512 | 5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7 |
memory/4320-142-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe
| MD5 | 7374806e51b404de9c639cbff4226eed |
| SHA1 | 6c7466e48018fa00ccf53a24615448117697f494 |
| SHA256 | 5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f |
| SHA512 | 5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7 |
memory/4320-145-0x0000000006730000-0x00000000067C2000-memory.dmp