Analysis Overview
SHA256
2f3be58f9ca7d71598eade319b93130b0276d58baceb12c3fc656387a97c51e3
Threat Level: Known bad
The file 2f3be58f9ca7d71598eade319b93130b0276d58baceb12c3fc656387a97c51e3 was found to be: Known bad.
Malicious Activity Summary
LimeRAT
Executes dropped EXE
Drops startup file
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-21 23:11
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-21 23:11
Reported
2022-06-21 23:14
Platform
win7-20220414-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
LimeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\global\Ethernet.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\global\Ethernet.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ethernet.url | C:\Users\Admin\AppData\Local\Temp\2f3be58f9ca7d71598eade319b93130b0276d58baceb12c3fc656387a97c51e3.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ethernet.url | C:\Users\Admin\AppData\Roaming\global\Ethernet.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ethernet.url | C:\Users\Admin\AppData\Roaming\global\Ethernet.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1660 set thread context of 272 | N/A | C:\Users\Admin\AppData\Local\Temp\2f3be58f9ca7d71598eade319b93130b0276d58baceb12c3fc656387a97c51e3.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
| PID 908 set thread context of 1144 | N/A | C:\Users\Admin\AppData\Roaming\global\Ethernet.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
| PID 1728 set thread context of 2012 | N/A | C:\Users\Admin\AppData\Roaming\global\Ethernet.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f3be58f9ca7d71598eade319b93130b0276d58baceb12c3fc656387a97c51e3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f3be58f9ca7d71598eade319b93130b0276d58baceb12c3fc656387a97c51e3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\global\Ethernet.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\global\Ethernet.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\global\Ethernet.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\global\Ethernet.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2f3be58f9ca7d71598eade319b93130b0276d58baceb12c3fc656387a97c51e3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\global\Ethernet.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\global\Ethernet.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2f3be58f9ca7d71598eade319b93130b0276d58baceb12c3fc656387a97c51e3.exe
"C:\Users\Admin\AppData\Local\Temp\2f3be58f9ca7d71598eade319b93130b0276d58baceb12c3fc656387a97c51e3.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x15rcn15\x15rcn15.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7AF.tmp" "c:\Users\Admin\AppData\Local\Temp\x15rcn15\CSC9A7A4B41EA114C1393E034CA764A678E.TMP"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /query
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /sc MINUTE /tn Ethernet /MO 1 /tr "C:\Users\Admin\AppData\Roaming\global\Ethernet.exe\
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {CCAEEBC2-96E9-414D-96E5-670212925470} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\global\Ethernet.exe
C:\Users\Admin\AppData\Roaming\global\Ethernet.exe "C:\Users\Admin\AppData\Roaming\global\Ethernet.exe\"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iy0dcvh4\iy0dcvh4.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF20.tmp" "c:\Users\Admin\AppData\Local\Temp\iy0dcvh4\CSCB3467EA65A1461EA4EB951AC3145D6.TMP"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /query
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Users\Admin\AppData\Roaming\global\Ethernet.exe
C:\Users\Admin\AppData\Roaming\global\Ethernet.exe "C:\Users\Admin\AppData\Roaming\global\Ethernet.exe\"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5rbd14rp\5rbd14rp.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD5F6.tmp" "c:\Users\Admin\AppData\Local\Temp\5rbd14rp\CSC9978C900478248EA9595FF3646209C24.TMP"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /query
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
Files
\??\c:\Users\Admin\AppData\Local\Temp\x15rcn15\x15rcn15.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\x15rcn15\x15rcn15.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\x15rcn15\CSC9A7A4B41EA114C1393E034CA764A678E.TMP
C:\Users\Admin\AppData\Local\Temp\RES7AF.tmp
C:\Users\Admin\AppData\Local\Temp\x15rcn15\x15rcn15.pdb
C:\Users\Admin\AppData\Local\Temp\x15rcn15\x15rcn15.dll
C:\Users\Admin\AppData\Roaming\global\Ethernet.exe
\??\c:\Users\Admin\AppData\Local\Temp\iy0dcvh4\iy0dcvh4.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\iy0dcvh4\iy0dcvh4.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\iy0dcvh4\CSCB3467EA65A1461EA4EB951AC3145D6.TMP
C:\Users\Admin\AppData\Local\Temp\RESEF20.tmp
C:\Users\Admin\AppData\Local\Temp\iy0dcvh4\iy0dcvh4.dll
C:\Users\Admin\AppData\Local\Temp\iy0dcvh4\iy0dcvh4.pdb
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ethernet.url
\??\c:\Users\Admin\AppData\Local\Temp\5rbd14rp\5rbd14rp.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\5rbd14rp\5rbd14rp.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\5rbd14rp\CSC9978C900478248EA9595FF3646209C24.TMP
C:\Users\Admin\AppData\Local\Temp\RESD5F6.tmp
C:\Users\Admin\AppData\Local\Temp\5rbd14rp\5rbd14rp.dll
C:\Users\Admin\AppData\Local\Temp\5rbd14rp\5rbd14rp.pdb
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-21 23:11
Reported
2022-06-21 23:14
Platform
win10v2004-20220414-en
Max time kernel
151s
Max time network
155s
Command Line
Signatures
LimeRAT
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ethernet.url | C:\Users\Admin\AppData\Local\Temp\2f3be58f9ca7d71598eade319b93130b0276d58baceb12c3fc656387a97c51e3.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3888 set thread context of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\2f3be58f9ca7d71598eade319b93130b0276d58baceb12c3fc656387a97c51e3.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f3be58f9ca7d71598eade319b93130b0276d58baceb12c3fc656387a97c51e3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f3be58f9ca7d71598eade319b93130b0276d58baceb12c3fc656387a97c51e3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2f3be58f9ca7d71598eade319b93130b0276d58baceb12c3fc656387a97c51e3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2f3be58f9ca7d71598eade319b93130b0276d58baceb12c3fc656387a97c51e3.exe
"C:\Users\Admin\AppData\Local\Temp\2f3be58f9ca7d71598eade319b93130b0276d58baceb12c3fc656387a97c51e3.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wxy1jsgh\wxy1jsgh.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4AE4.tmp" "c:\Users\Admin\AppData\Local\Temp\wxy1jsgh\CSCED37264F17DB4A9D8148F7825E943E.TMP"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /query
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /sc MINUTE /tn Ethernet /MO 1 /tr "C:\Users\Admin\AppData\Roaming\global\Ethernet.exe\
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | N/A | tcp |
| US | 8.253.208.113:80 | N/A | tcp |
| IE | 20.50.73.9:443 | N/A | tcp |
| US | 8.253.208.113:80 | N/A | tcp |
| US | 8.253.208.113:80 | N/A | tcp |
| US | 8.253.208.113:80 | N/A | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
Files
\??\c:\Users\Admin\AppData\Local\Temp\wxy1jsgh\wxy1jsgh.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\wxy1jsgh\wxy1jsgh.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\wxy1jsgh\CSCED37264F17DB4A9D8148F7825E943E.TMP
C:\Users\Admin\AppData\Local\Temp\RES4AE4.tmp
C:\Users\Admin\AppData\Local\Temp\wxy1jsgh\wxy1jsgh.dll
C:\Users\Admin\AppData\Local\Temp\wxy1jsgh\wxy1jsgh.pdb