Malware Analysis Report

2024-11-16 13:08

Sample ID 220615-c639cahbhq
Target 2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682
SHA256 2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682
Tags
limerat rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682

Threat Level: Known bad

The file 2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682 was found to be: Known bad.

Malicious Activity Summary

limerat rat

LimeRAT

Executes dropped EXE

Drops startup file

Loads dropped DLL

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Maps connected drives based on registry

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-15 02:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-15 02:42

Reported

2022-06-15 06:14

Platform

win7-20220414-en

Max time kernel

144s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe"

Signatures

LimeRAT

rat limerat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Runtimebroker\Runtimebrokers.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.js C:\Users\Admin\Runtimebroker\Runtimebrokers.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.js C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe N/A

Legitimate hosting services abused for malware hosting/C2

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\Runtimebroker\Runtimebrokers.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\Runtimebroker\Runtimebrokers.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\Runtimebroker\Runtimebrokers.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Runtimebroker\Runtimebrokers.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1668 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe C:\Windows\SysWOW64\schtasks.exe
PID 1668 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe C:\Windows\SysWOW64\schtasks.exe
PID 1668 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe C:\Windows\SysWOW64\schtasks.exe
PID 1668 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe C:\Windows\SysWOW64\schtasks.exe
PID 1668 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe C:\Users\Admin\Runtimebroker\Runtimebrokers.exe
PID 1668 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe C:\Users\Admin\Runtimebroker\Runtimebrokers.exe
PID 1668 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe C:\Users\Admin\Runtimebroker\Runtimebrokers.exe
PID 1668 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe C:\Users\Admin\Runtimebroker\Runtimebrokers.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe

"C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\Runtimebroker\Runtimebrokers.exe'"

C:\Users\Admin\Runtimebroker\Runtimebrokers.exe

"C:\Users\Admin\Runtimebroker\Runtimebrokers.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
US 209.182.219.33:5656 tcp
US 209.182.219.33:5656 tcp
US 209.182.219.33:5656 tcp
US 209.182.219.33:5656 tcp
US 209.182.219.33:5656 tcp

Files

memory/1668-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

memory/1668-55-0x0000000073FE0000-0x000000007458B000-memory.dmp

memory/760-56-0x0000000000000000-mapping.dmp

memory/916-59-0x0000000000000000-mapping.dmp

\Users\Admin\Runtimebroker\Runtimebrokers.exe

MD5 bc9abd0fbf42ca1b0b66795ed0824fe1
SHA1 1653c76116eb002fef4a5c608d43d706b2321931
SHA256 2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682
SHA512 d545d28e1f466be859374e9a29c91389df1df4fe627fec681e5d0f105228d66bbc88e7750b56da2255ea764a9cf4057f9203ed4ba44460dd806539e4ba531151

C:\Users\Admin\Runtimebroker\Runtimebrokers.exe

MD5 bc9abd0fbf42ca1b0b66795ed0824fe1
SHA1 1653c76116eb002fef4a5c608d43d706b2321931
SHA256 2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682
SHA512 d545d28e1f466be859374e9a29c91389df1df4fe627fec681e5d0f105228d66bbc88e7750b56da2255ea764a9cf4057f9203ed4ba44460dd806539e4ba531151

\Users\Admin\Runtimebroker\Runtimebrokers.exe

MD5 bc9abd0fbf42ca1b0b66795ed0824fe1
SHA1 1653c76116eb002fef4a5c608d43d706b2321931
SHA256 2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682
SHA512 d545d28e1f466be859374e9a29c91389df1df4fe627fec681e5d0f105228d66bbc88e7750b56da2255ea764a9cf4057f9203ed4ba44460dd806539e4ba531151

C:\Users\Admin\Runtimebroker\Runtimebrokers.exe

MD5 bc9abd0fbf42ca1b0b66795ed0824fe1
SHA1 1653c76116eb002fef4a5c608d43d706b2321931
SHA256 2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682
SHA512 d545d28e1f466be859374e9a29c91389df1df4fe627fec681e5d0f105228d66bbc88e7750b56da2255ea764a9cf4057f9203ed4ba44460dd806539e4ba531151

memory/1668-63-0x0000000073FE0000-0x000000007458B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 308336e7f515478969b24c13ded11ede
SHA1 8fb0cf42b77dbbef224a1e5fc38abc2486320775
SHA256 889b832323726a9f10ad03f85562048fdcfe20c9ff6f9d37412cf477b4e92ff9
SHA512 61ad97228cd6c3909ef3ac5e4940199971f293bdd0d5eb7916e60469573a44b6287c0fa1e0b6c1389df35eb6c9a7d2a61fdb318d4a886a3821ef5a9dab3ac24f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 da73b867d97793115f55e8c60f8350f6
SHA1 798e7e8096078b3f695657ee278178d256e1a578
SHA256 adfd025a600d12c23595d67663789ffd4ac34dc63ab7a735f0a5a7fc676505fa
SHA512 95d1a84716c3cd07aa2174a1083b231e65ac18cba1ecac5d3f1e8818e985f4d3d3cfec4c2a7966c7779fd71337c911b3f94448ce734d4a23159bb4b8cd51398e

memory/916-66-0x0000000073FE0000-0x000000007458B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585

MD5 163082fb6c2e49842dab5fb327927491
SHA1 2cb37aa0ceb946b8bda5d46aa5fc9ec3346bf6ae
SHA256 4d9dd78f3f93e15e7035303e514e24956df43a9a44054e6b1846dc78a57bce24
SHA512 411349aa0d0822d3163550db8acddc4874e4c0a8290101ba429ba124f57deff9eedcf9c624ff198970769bfaf613ecc983d12c376c63b2df2c015be4cd3941e5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585

MD5 b48904601e49f6627643b3c9d71fc279
SHA1 f3ff854608be9184d558952510f0c29ea6b5ab6d
SHA256 cf58886984ed3affc8d1ae04609c7506be4231c2d54c44a9865f069e427f4ad5
SHA512 e99f9d907b15603e9e3993ea151963a22e662bb8fa29b67dafa7755b41246c2effad2722e0ab113abe65296917dbc81354b66c74972ebbd5ed51528e40e5dde1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

MD5 c88135f33bb4a6fa790f9a60edd29399
SHA1 dbc07ee2267570b92a2d218cd0803f304c2b00cb
SHA256 4276ad1519dc90d47c157a6b3b0801856a0ff74f1d266fd3c95ccbb238843332
SHA512 6eea50953590871193d368ba1bab1a172ae35d01e4def8e86b36bc0b05f1cb6db9b3297e3f5b199bc7c26e6059406be5766e9c6cb60b34eb16d3952132479f3b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

MD5 867d1585e407039eb54f3dbe2232c2a8
SHA1 9d3d3de20cfc76c9889773b40a3a73e6b5b29357
SHA256 17766ed79761b520eda853fa8a2c37169a5ffc937edda57cec2c8889bbfcea21
SHA512 6bd8be89f6f3270c8b748f3abbb0d27818543ff607314eaeb0e57a07485458ddef72a70acafa79ed06e1b3bdcc5cbf47d711ad501f172f1e2970dd94253d5f00

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.js

MD5 f11ea133fdda0acbbe217f2da22451f3
SHA1 03f16c90b1b5f0c6e31f2076ee7ade07627f433c
SHA256 0cfcf39780002a28f14a59e787b1131b7392f31d1e990b5499f36fa2a581fd62
SHA512 ed81732f17d371894cfadc6cb4277a0ebff689c4fc6904c53934d274859b6480a77b8483cf2814f9245b104b736ca3fdba97b8629b06170b0e9d4f30a318306c

memory/916-72-0x0000000073FE0000-0x000000007458B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-15 02:42

Reported

2022-06-15 06:14

Platform

win10v2004-20220414-en

Max time kernel

142s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe"

Signatures

LimeRAT

rat limerat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Runtimebroker\Runtimebrokers.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.js C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.js C:\Users\Admin\Runtimebroker\Runtimebrokers.exe N/A

Legitimate hosting services abused for malware hosting/C2

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\Runtimebroker\Runtimebrokers.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\Runtimebroker\Runtimebrokers.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\Runtimebroker\Runtimebrokers.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Runtimebroker\Runtimebrokers.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe

"C:\Users\Admin\AppData\Local\Temp\2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\Runtimebroker\Runtimebrokers.exe'"

C:\Users\Admin\Runtimebroker\Runtimebrokers.exe

"C:\Users\Admin\Runtimebroker\Runtimebrokers.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
US 209.182.219.33:5656 tcp
BE 67.27.154.126:80 tcp
US 20.42.65.89:443 tcp
BE 67.27.154.126:80 tcp
BE 67.27.154.126:80 tcp
BE 67.27.154.126:80 tcp
US 209.182.219.33:5656 tcp
US 209.182.219.33:5656 tcp
US 209.182.219.33:5656 tcp
US 209.182.219.33:5656 tcp
US 209.182.219.33:5656 tcp

Files

memory/4492-130-0x00000000752A0000-0x0000000075851000-memory.dmp

memory/1820-131-0x0000000000000000-mapping.dmp

C:\Users\Admin\Runtimebroker\Runtimebrokers.exe

MD5 bc9abd0fbf42ca1b0b66795ed0824fe1
SHA1 1653c76116eb002fef4a5c608d43d706b2321931
SHA256 2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682
SHA512 d545d28e1f466be859374e9a29c91389df1df4fe627fec681e5d0f105228d66bbc88e7750b56da2255ea764a9cf4057f9203ed4ba44460dd806539e4ba531151

memory/4032-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\Runtimebroker\Runtimebrokers.exe

MD5 bc9abd0fbf42ca1b0b66795ed0824fe1
SHA1 1653c76116eb002fef4a5c608d43d706b2321931
SHA256 2b4bc8b34bb3af3f7cbfe1496ca6c0144d2cecce197e3ab949c88b68db8b5682
SHA512 d545d28e1f466be859374e9a29c91389df1df4fe627fec681e5d0f105228d66bbc88e7750b56da2255ea764a9cf4057f9203ed4ba44460dd806539e4ba531151

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585

MD5 163082fb6c2e49842dab5fb327927491
SHA1 2cb37aa0ceb946b8bda5d46aa5fc9ec3346bf6ae
SHA256 4d9dd78f3f93e15e7035303e514e24956df43a9a44054e6b1846dc78a57bce24
SHA512 411349aa0d0822d3163550db8acddc4874e4c0a8290101ba429ba124f57deff9eedcf9c624ff198970769bfaf613ecc983d12c376c63b2df2c015be4cd3941e5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585

MD5 10794d8f8a703a374c8942b4b2d31eb2
SHA1 86ee59b6fcf2a513d1ec66fa532d181c255be666
SHA256 917b488b9e614052480638acf8742c84b04de69603e976474acb37216d3e0356
SHA512 4a3303810d9fbcf78a9bf1534c72a8f747068bd86e794ee3c6cc6f6ec3592ea20a59aea888fc51ea2b9b60ab5edc3c422c7a86e9f41aadc3d13939e4139f1989

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

MD5 c88135f33bb4a6fa790f9a60edd29399
SHA1 dbc07ee2267570b92a2d218cd0803f304c2b00cb
SHA256 4276ad1519dc90d47c157a6b3b0801856a0ff74f1d266fd3c95ccbb238843332
SHA512 6eea50953590871193d368ba1bab1a172ae35d01e4def8e86b36bc0b05f1cb6db9b3297e3f5b199bc7c26e6059406be5766e9c6cb60b34eb16d3952132479f3b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

MD5 09a6d60d31b6046b5ca6f0b646839d93
SHA1 6ed5429cc04aeeea57d68f3506ccc487fc15d18f
SHA256 e2cdadff0fa6df88e07fefcf05b1b2d6f141fe6d4fd967897d6cb43a2edc18ee
SHA512 736ffd214cbe783369a458f1af322ad29287178843b75d05e7e4ee7665a62f19890fa2fb666de92fd83a5e40c1d3ff02c52ff4b9a194426db2b3faa19e1558c8

memory/4492-139-0x00000000752A0000-0x0000000075851000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe.js

MD5 f11ea133fdda0acbbe217f2da22451f3
SHA1 03f16c90b1b5f0c6e31f2076ee7ade07627f433c
SHA256 0cfcf39780002a28f14a59e787b1131b7392f31d1e990b5499f36fa2a581fd62
SHA512 ed81732f17d371894cfadc6cb4277a0ebff689c4fc6904c53934d274859b6480a77b8483cf2814f9245b104b736ca3fdba97b8629b06170b0e9d4f30a318306c

memory/4032-141-0x00000000752A0000-0x0000000075851000-memory.dmp

memory/4032-142-0x00000000752A0000-0x0000000075851000-memory.dmp