Analysis Overview
SHA256
2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682
Threat Level: Known bad
The file 2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682 was found to be: Known bad.
Malicious Activity Summary
LimeRAT
Executes dropped EXE
Drops startup file
Loads dropped DLL
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-15 02:42
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-15 02:42
Reported
2022-06-15 06:14
Platform
win7-20220414-en
Max time kernel
144s
Max time network
153s
Command Line
Signatures
LimeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Runtimebroker\Runtimebrokers.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.js | C:\Users\Admin\Runtimebroker\Runtimebrokers.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.js | C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\Runtimebroker\Runtimebrokers.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\Runtimebroker\Runtimebrokers.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a | C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a | C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a | C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Runtimebroker\Runtimebrokers.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Runtimebroker\Runtimebrokers.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe
"C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\Runtimebroker\Runtimebrokers.exe'"
C:\Users\Admin\Runtimebroker\Runtimebrokers.exe
"C:\Users\Admin\Runtimebroker\Runtimebrokers.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 209.182.219.33:5656 | tcp | |
| US | 209.182.219.33:5656 | tcp | |
| US | 209.182.219.33:5656 | tcp | |
| US | 209.182.219.33:5656 | tcp | |
| US | 209.182.219.33:5656 | tcp |
Files
memory/1668-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp
memory/1668-55-0x0000000073FE0000-0x000000007458B000-memory.dmp
memory/760-56-0x0000000000000000-mapping.dmp
memory/916-59-0x0000000000000000-mapping.dmp
\Users\Admin\Runtimebroker\Runtimebrokers.exe
| MD5 | bc9abd0fbf42ca1b0b66795ed0824fe1 |
| SHA1 | 1653c76116eb002fef4a5c608d43d706b2321931 |
| SHA256 | 2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682 |
| SHA512 | d545d28e1f466be859374e9a29c91389df1df4fe627fec681e5d0f105228d66bbc88e7750b56da2255ea764a9cf4057f9203ed4ba44460dd806539e4ba531151 |
C:\Users\Admin\Runtimebroker\Runtimebrokers.exe
| MD5 | bc9abd0fbf42ca1b0b66795ed0824fe1 |
| SHA1 | 1653c76116eb002fef4a5c608d43d706b2321931 |
| SHA256 | 2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682 |
| SHA512 | d545d28e1f466be859374e9a29c91389df1df4fe627fec681e5d0f105228d66bbc88e7750b56da2255ea764a9cf4057f9203ed4ba44460dd806539e4ba531151 |
\Users\Admin\Runtimebroker\Runtimebrokers.exe
| MD5 | bc9abd0fbf42ca1b0b66795ed0824fe1 |
| SHA1 | 1653c76116eb002fef4a5c608d43d706b2321931 |
| SHA256 | 2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682 |
| SHA512 | d545d28e1f466be859374e9a29c91389df1df4fe627fec681e5d0f105228d66bbc88e7750b56da2255ea764a9cf4057f9203ed4ba44460dd806539e4ba531151 |
C:\Users\Admin\Runtimebroker\Runtimebrokers.exe
| MD5 | bc9abd0fbf42ca1b0b66795ed0824fe1 |
| SHA1 | 1653c76116eb002fef4a5c608d43d706b2321931 |
| SHA256 | 2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682 |
| SHA512 | d545d28e1f466be859374e9a29c91389df1df4fe627fec681e5d0f105228d66bbc88e7750b56da2255ea764a9cf4057f9203ed4ba44460dd806539e4ba531151 |
memory/1668-63-0x0000000073FE0000-0x000000007458B000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 308336e7f515478969b24c13ded11ede |
| SHA1 | 8fb0cf42b77dbbef224a1e5fc38abc2486320775 |
| SHA256 | 889b832323726a9f10ad03f85562048fdcfe20c9ff6f9d37412cf477b4e92ff9 |
| SHA512 | 61ad97228cd6c3909ef3ac5e4940199971f293bdd0d5eb7916e60469573a44b6287c0fa1e0b6c1389df35eb6c9a7d2a61fdb318d4a886a3821ef5a9dab3ac24f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | da73b867d97793115f55e8c60f8350f6 |
| SHA1 | 798e7e8096078b3f695657ee278178d256e1a578 |
| SHA256 | adfd025a600d12c23595d67663789ffd4ac34dc63ab7a735f0a5a7fc676505fa |
| SHA512 | 95d1a84716c3cd07aa2174a1083b231e65ac18cba1ecac5d3f1e8818e985f4d3d3cfec4c2a7966c7779fd71337c911b3f94448ce734d4a23159bb4b8cd51398e |
memory/916-66-0x0000000073FE0000-0x000000007458B000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585
| MD5 | 163082fb6c2e49842dab5fb327927491 |
| SHA1 | 2cb37aa0ceb946b8bda5d46aa5fc9ec3346bf6ae |
| SHA256 | 4d9dd78f3f93e15e7035303e514e24956df43a9a44054e6b1846dc78a57bce24 |
| SHA512 | 411349aa0d0822d3163550db8acddc4874e4c0a8290101ba429ba124f57deff9eedcf9c624ff198970769bfaf613ecc983d12c376c63b2df2c015be4cd3941e5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585
| MD5 | b48904601e49f6627643b3c9d71fc279 |
| SHA1 | f3ff854608be9184d558952510f0c29ea6b5ab6d |
| SHA256 | cf58886984ed3affc8d1ae04609c7506be4231c2d54c44a9865f069e427f4ad5 |
| SHA512 | e99f9d907b15603e9e3993ea151963a22e662bb8fa29b67dafa7755b41246c2effad2722e0ab113abe65296917dbc81354b66c74972ebbd5ed51528e40e5dde1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
| MD5 | c88135f33bb4a6fa790f9a60edd29399 |
| SHA1 | dbc07ee2267570b92a2d218cd0803f304c2b00cb |
| SHA256 | 4276ad1519dc90d47c157a6b3b0801856a0ff74f1d266fd3c95ccbb238843332 |
| SHA512 | 6eea50953590871193d368ba1bab1a172ae35d01e4def8e86b36bc0b05f1cb6db9b3297e3f5b199bc7c26e6059406be5766e9c6cb60b34eb16d3952132479f3b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
| MD5 | 867d1585e407039eb54f3dbe2232c2a8 |
| SHA1 | 9d3d3de20cfc76c9889773b40a3a73e6b5b29357 |
| SHA256 | 17766ed79761b520eda853fa8a2c37169a5ffc937edda57cec2c8889bbfcea21 |
| SHA512 | 6bd8be89f6f3270c8b748f3abbb0d27818543ff607314eaeb0e57a07485458ddef72a70acafa79ed06e1b3bdcc5cbf47d711ad501f172f1e2970dd94253d5f00 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.js
| MD5 | f11ea133fdda0acbbe217f2da22451f3 |
| SHA1 | 03f16c90b1b5f0c6e31f2076ee7ade07627f433c |
| SHA256 | 0cfcf39780002a28f14a59e787b1131b7392f31d1e990b5499f36fa2a581fd62 |
| SHA512 | ed81732f17d371894cfadc6cb4277a0ebff689c4fc6904c53934d274859b6480a77b8483cf2814f9245b104b736ca3fdba97b8629b06170b0e9d4f30a318306c |
memory/916-72-0x0000000073FE0000-0x000000007458B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-15 02:42
Reported
2022-06-15 06:14
Platform
win10v2004-20220414-en
Max time kernel
142s
Max time network
153s
Command Line
Signatures
LimeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Runtimebroker\Runtimebrokers.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.js | C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.js | C:\Users\Admin\Runtimebroker\Runtimebrokers.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\Runtimebroker\Runtimebrokers.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\Runtimebroker\Runtimebrokers.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Runtimebroker\Runtimebrokers.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Runtimebroker\Runtimebrokers.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe
"C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\Runtimebroker\Runtimebrokers.exe'"
C:\Users\Admin\Runtimebroker\Runtimebrokers.exe
"C:\Users\Admin\Runtimebroker\Runtimebrokers.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| US | 209.182.219.33:5656 | tcp | |
| BE | 67.27.154.126:80 | tcp | |
| US | 20.42.65.89:443 | tcp | |
| BE | 67.27.154.126:80 | tcp | |
| BE | 67.27.154.126:80 | tcp | |
| BE | 67.27.154.126:80 | tcp | |
| US | 209.182.219.33:5656 | tcp | |
| US | 209.182.219.33:5656 | tcp | |
| US | 209.182.219.33:5656 | tcp | |
| US | 209.182.219.33:5656 | tcp | |
| US | 209.182.219.33:5656 | tcp |
Files
memory/4492-130-0x00000000752A0000-0x0000000075851000-memory.dmp
memory/1820-131-0x0000000000000000-mapping.dmp
C:\Users\Admin\Runtimebroker\Runtimebrokers.exe
| MD5 | bc9abd0fbf42ca1b0b66795ed0824fe1 |
| SHA1 | 1653c76116eb002fef4a5c608d43d706b2321931 |
| SHA256 | 2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682 |
| SHA512 | d545d28e1f466be859374e9a29c91389df1df4fe627fec681e5d0f105228d66bbc88e7750b56da2255ea764a9cf4057f9203ed4ba44460dd806539e4ba531151 |
memory/4032-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\Runtimebroker\Runtimebrokers.exe
| MD5 | bc9abd0fbf42ca1b0b66795ed0824fe1 |
| SHA1 | 1653c76116eb002fef4a5c608d43d706b2321931 |
| SHA256 | 2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682 |
| SHA512 | d545d28e1f466be859374e9a29c91389df1df4fe627fec681e5d0f105228d66bbc88e7750b56da2255ea764a9cf4057f9203ed4ba44460dd806539e4ba531151 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585
| MD5 | 163082fb6c2e49842dab5fb327927491 |
| SHA1 | 2cb37aa0ceb946b8bda5d46aa5fc9ec3346bf6ae |
| SHA256 | 4d9dd78f3f93e15e7035303e514e24956df43a9a44054e6b1846dc78a57bce24 |
| SHA512 | 411349aa0d0822d3163550db8acddc4874e4c0a8290101ba429ba124f57deff9eedcf9c624ff198970769bfaf613ecc983d12c376c63b2df2c015be4cd3941e5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585
| MD5 | 10794d8f8a703a374c8942b4b2d31eb2 |
| SHA1 | 86ee59b6fcf2a513d1ec66fa532d181c255be666 |
| SHA256 | 917b488b9e614052480638acf8742c84b04de69603e976474acb37216d3e0356 |
| SHA512 | 4a3303810d9fbcf78a9bf1534c72a8f747068bd86e794ee3c6cc6f6ec3592ea20a59aea888fc51ea2b9b60ab5edc3c422c7a86e9f41aadc3d13939e4139f1989 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
| MD5 | c88135f33bb4a6fa790f9a60edd29399 |
| SHA1 | dbc07ee2267570b92a2d218cd0803f304c2b00cb |
| SHA256 | 4276ad1519dc90d47c157a6b3b0801856a0ff74f1d266fd3c95ccbb238843332 |
| SHA512 | 6eea50953590871193d368ba1bab1a172ae35d01e4def8e86b36bc0b05f1cb6db9b3297e3f5b199bc7c26e6059406be5766e9c6cb60b34eb16d3952132479f3b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
| MD5 | 09a6d60d31b6046b5ca6f0b646839d93 |
| SHA1 | 6ed5429cc04aeeea57d68f3506ccc487fc15d18f |
| SHA256 | e2cdadff0fa6df88e07fefcf05b1b2d6f141fe6d4fd967897d6cb43a2edc18ee |
| SHA512 | 736ffd214cbe783369a458f1af322ad29287178843b75d05e7e4ee7665a62f19890fa2fb666de92fd83a5e40c1d3ff02c52ff4b9a194426db2b3faa19e1558c8 |
memory/4492-139-0x00000000752A0000-0x0000000075851000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.js
| MD5 | f11ea133fdda0acbbe217f2da22451f3 |
| SHA1 | 03f16c90b1b5f0c6e31f2076ee7ade07627f433c |
| SHA256 | 0cfcf39780002a28f14a59e787b1131b7392f31d1e990b5499f36fa2a581fd62 |
| SHA512 | ed81732f17d371894cfadc6cb4277a0ebff689c4fc6904c53934d274859b6480a77b8483cf2814f9245b104b736ca3fdba97b8629b06170b0e9d4f30a318306c |
memory/4032-141-0x00000000752A0000-0x0000000075851000-memory.dmp
memory/4032-142-0x00000000752A0000-0x0000000075851000-memory.dmp