limerat | b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486

Analysis

max time kernel
164s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
25-06-2022 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
Size

3.8MB
MD5

6d3d9ba1c944e0c0ae366f559a61e497
SHA1

61ba8c88597523562dc86354ebee6476c0d33c6a
SHA256

b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486
SHA512

3381a6e5891a4d7af3ea07a561c317975fc4060933d9b0821bf4a20f70b529c35cafe27d1d87f6b98e77d62abb9ea9927372df3fcaffa0944a38b7f163e0820d

Score

10^/10

limerat remcos sality warzonerat host backdoor evasion infostealer rat trojan upx

Malware Config

Extracted

Family

warzonerat

grounderwarone.rapiddns.ru:5500

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Family

limerat

Wallets

1BVfdhbuDbDuMXWErhTv8XwgwYP1K34oTD

Attributes

aes_key
MAXS20
antivm
false
c2_url
https://pastebin.com/raw/vnPLhhBH
delay
3
download_payload
false
install
false
install_name
Wservices.exe
main_folder
AppData
pin_spread
false
sub_folder
\
usb_spread
false

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

seasons444.ddns.net:8128

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
window
keylog_path
%AppData%
mouse_option
false
mutex
Office_vgqkluqlnw
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	svchost.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe

Warzone RAT Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2700-139-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral2/memory/2700-142-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

Amadeus Pro.exeService.exe

pid process

1804 Amadeus Pro.exe
3456 Service.exe

pid	process
1804	Amadeus Pro.exe
3456	Service.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3120-147-0x0000000002F50000-0x0000000003FDE000-memory.dmp	upx
behavioral2/memory/3120-153-0x0000000002F50000-0x0000000003FDE000-memory.dmp	upx
behavioral2/memory/3120-158-0x0000000002F50000-0x0000000003FDE000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe

Drops startup file 3 IoCs

Processes:

b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exeAmadeus Pro.exeService.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AppxSip.url	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AssignedAccessShellProxy.url	Amadeus Pro.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SIHClient.url	Service.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\Service.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\Service.exe	autoit_exe

Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

svchost.exe

description ioc process

File opened for modification C:\autorun.inf svchost.exe

description	ioc	process
File opened for modification	C:\autorun.inf	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exeService.exeAmadeus Pro.exe

description	pid	process	target process
PID 4516 set thread context of 2700	4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 3456 set thread context of 1896	3456	Service.exe	MSBuild.exe
PID 1804 set thread context of 3120	1804	Amadeus Pro.exe	svchost.exe

Drops file in Program Files directory 11 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	svchost.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe	svchost.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe	svchost.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe	svchost.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	svchost.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	svchost.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	svchost.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe	svchost.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe	svchost.exe

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe

pid	process
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exeService.exeAmadeus Pro.exe

pid	process
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
3456	Service.exe
1804	Amadeus Pro.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe
Token: SeDebugPrivilege	3120	svchost.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exeAmadeus Pro.exeService.exe

pid	process
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1804	Amadeus Pro.exe
1804	Amadeus Pro.exe
1804	Amadeus Pro.exe
3456	Service.exe
3456	Service.exe
3456	Service.exe

Suspicious use of SendNotifyMessage 9 IoCs

Processes:

b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exeAmadeus Pro.exeService.exe

pid	process
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
1804	Amadeus Pro.exe
1804	Amadeus Pro.exe
1804	Amadeus Pro.exe
3456	Service.exe
3456	Service.exe
3456	Service.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

3120 svchost.exe

pid	process
3120	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exeb021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exeService.exeAmadeus Pro.exesvchost.exe

description	pid	process	target process
PID 4516 wrote to memory of 1804	4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	Amadeus Pro.exe
PID 4516 wrote to memory of 1804	4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	Amadeus Pro.exe
PID 4516 wrote to memory of 1804	4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	Amadeus Pro.exe
PID 4516 wrote to memory of 3456	4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	Service.exe
PID 4516 wrote to memory of 3456	4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	Service.exe
PID 4516 wrote to memory of 3456	4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	Service.exe
PID 4516 wrote to memory of 5072	4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 4516 wrote to memory of 5072	4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 4516 wrote to memory of 5072	4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 4516 wrote to memory of 2700	4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 4516 wrote to memory of 2700	4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 4516 wrote to memory of 2700	4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 4516 wrote to memory of 2700	4516	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 2700 wrote to memory of 4540	2700	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	cmd.exe
PID 2700 wrote to memory of 4540	2700	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	cmd.exe
PID 2700 wrote to memory of 4540	2700	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	cmd.exe
PID 2700 wrote to memory of 4540	2700	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	cmd.exe
PID 2700 wrote to memory of 4540	2700	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe	cmd.exe
PID 3456 wrote to memory of 1896	3456	Service.exe	MSBuild.exe
PID 3456 wrote to memory of 1896	3456	Service.exe	MSBuild.exe
PID 3456 wrote to memory of 1896	3456	Service.exe	MSBuild.exe
PID 3456 wrote to memory of 1896	3456	Service.exe	MSBuild.exe
PID 1804 wrote to memory of 3120	1804	Amadeus Pro.exe	svchost.exe
PID 1804 wrote to memory of 3120	1804	Amadeus Pro.exe	svchost.exe
PID 1804 wrote to memory of 3120	1804	Amadeus Pro.exe	svchost.exe
PID 1804 wrote to memory of 3120	1804	Amadeus Pro.exe	svchost.exe
PID 3120 wrote to memory of 780	3120	svchost.exe	fontdrvhost.exe
PID 3120 wrote to memory of 788	3120	svchost.exe	fontdrvhost.exe
PID 3120 wrote to memory of 332	3120	svchost.exe	dwm.exe
PID 3120 wrote to memory of 2304	3120	svchost.exe	sihost.exe
PID 3120 wrote to memory of 2328	3120	svchost.exe	svchost.exe
PID 3120 wrote to memory of 2444	3120	svchost.exe	taskhostw.exe
PID 3120 wrote to memory of 3032	3120	svchost.exe	Explorer.EXE
PID 3120 wrote to memory of 3076	3120	svchost.exe	svchost.exe
PID 3120 wrote to memory of 3268	3120	svchost.exe	DllHost.exe
PID 3120 wrote to memory of 3368	3120	svchost.exe	StartMenuExperienceHost.exe
PID 3120 wrote to memory of 3476	3120	svchost.exe	RuntimeBroker.exe
PID 3120 wrote to memory of 3592	3120	svchost.exe	SearchApp.exe
PID 3120 wrote to memory of 3804	3120	svchost.exe	RuntimeBroker.exe
PID 3120 wrote to memory of 4108	3120	svchost.exe	RuntimeBroker.exe
PID 3120 wrote to memory of 3496	3120	svchost.exe	backgroundTaskHost.exe
PID 3120 wrote to memory of 4516	3120	svchost.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 3120 wrote to memory of 4516	3120	svchost.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 3120 wrote to memory of 1804	3120	svchost.exe	Amadeus Pro.exe
PID 3120 wrote to memory of 1804	3120	svchost.exe	Amadeus Pro.exe
PID 3120 wrote to memory of 3456	3120	svchost.exe	Service.exe
PID 3120 wrote to memory of 3456	3120	svchost.exe	Service.exe
PID 3120 wrote to memory of 2700	3120	svchost.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 3120 wrote to memory of 2700	3120	svchost.exe	b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
PID 3120 wrote to memory of 4540	3120	svchost.exe	cmd.exe
PID 3120 wrote to memory of 4540	3120	svchost.exe	cmd.exe
PID 3120 wrote to memory of 3788	3120	svchost.exe	Conhost.exe
PID 3120 wrote to memory of 1864	3120	svchost.exe	backgroundTaskHost.exe
PID 3120 wrote to memory of 1896	3120	svchost.exe	MSBuild.exe
PID 3120 wrote to memory of 1896	3120	svchost.exe	MSBuild.exe
PID 3120 wrote to memory of 780	3120	svchost.exe	fontdrvhost.exe
PID 3120 wrote to memory of 788	3120	svchost.exe	fontdrvhost.exe
PID 3120 wrote to memory of 332	3120	svchost.exe	dwm.exe
PID 3120 wrote to memory of 2304	3120	svchost.exe	sihost.exe
PID 3120 wrote to memory of 2328	3120	svchost.exe	svchost.exe
PID 3120 wrote to memory of 2444	3120	svchost.exe	taskhostw.exe
PID 3120 wrote to memory of 3032	3120	svchost.exe	Explorer.EXE
PID 3120 wrote to memory of 3076	3120	svchost.exe	svchost.exe
PID 3120 wrote to memory of 3268	3120	svchost.exe	DllHost.exe

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:332

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2304

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3476

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:3496

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4108

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3804

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3592

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3368

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3076

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3032

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4516

C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe
"C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3120

C:\Users\Admin\AppData\Local\Temp\Service.exe
"C:\Users\Admin\AppData\Local\Temp\Service.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
4⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe
"C:\Users\Admin\AppData\Local\Temp\b021151e316236971da6954e9a96fe7f9d7af1082d1f83ce0e83fea6caf37486.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:4540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:3788

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2328

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe
Filesize
1.4MB

MD5
8b4457fb66a7bfc6473a7b186e1a2dca

SHA1
6b372c817d41d37c5c866cdd49590f4e7256b194

SHA256
5e930cfb504a85cc6b6d69ddb1bbc0ad65e96fb5a4fbedcdfd898751c019e74c

SHA512
098a8d1419f514c93b06fd1eb3e6c902e858e1a8042e1c69f406d21d665ec80b329c29fe274e933f39b0ce411a84e5b6ccf869efa85d19c16d600ae8edb5d663

Download Submit
C:\Users\Admin\AppData\Local\Temp\Amadeus Pro.exe
Filesize
1.4MB

MD5
8b4457fb66a7bfc6473a7b186e1a2dca

SHA1
6b372c817d41d37c5c866cdd49590f4e7256b194

SHA256
5e930cfb504a85cc6b6d69ddb1bbc0ad65e96fb5a4fbedcdfd898751c019e74c

SHA512
098a8d1419f514c93b06fd1eb3e6c902e858e1a8042e1c69f406d21d665ec80b329c29fe274e933f39b0ce411a84e5b6ccf869efa85d19c16d600ae8edb5d663

Download Submit
C:\Users\Admin\AppData\Local\Temp\Service.exe
Filesize
1.2MB

MD5
8c23d701fb7cacfcf9fc11a6dcb959b3

SHA1
b02c49d558e9c1a5a6ecf03736220d5c96cb7d27

SHA256
25ce41531868c4522ac837d56ef3720b3ddef753f68903be2d8f79e28ebd0a48

SHA512
4e8e068a02e930227f839fe67cbba76c9c82fb664801ec16d5a7e38090ede83011c6adcf314170a891a08f206d247e0bc8445bb056f6aa5ed32da5fb82808cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Service.exe
Filesize
1.2MB

MD5
8c23d701fb7cacfcf9fc11a6dcb959b3

SHA1
b02c49d558e9c1a5a6ecf03736220d5c96cb7d27

SHA256
25ce41531868c4522ac837d56ef3720b3ddef753f68903be2d8f79e28ebd0a48

SHA512
4e8e068a02e930227f839fe67cbba76c9c82fb664801ec16d5a7e38090ede83011c6adcf314170a891a08f206d247e0bc8445bb056f6aa5ed32da5fb82808cb6

Download Submit
memory/1804-130-0x0000000000000000-mapping.dmp

Download
memory/1804-144-0x0000000003050000-0x000000000307B000-memory.dmp

Filesize
172KB

Download
memory/1804-151-0x0000000002F90000-0x0000000002FBA000-memory.dmp

Filesize
168KB

Download
memory/1896-156-0x0000000006DC0000-0x0000000006E52000-memory.dmp

Filesize
584KB

Download
memory/1896-154-0x0000000005AD0000-0x0000000005B36000-memory.dmp

Filesize
408KB

Download
memory/1896-155-0x0000000006670000-0x0000000006C14000-memory.dmp

Filesize
5.6MB

Download
memory/1896-149-0x0000000005880000-0x000000000591C000-memory.dmp

Filesize
624KB

Download
memory/1896-148-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1896-145-0x0000000000000000-mapping.dmp

Download
memory/2700-137-0x0000000000000000-mapping.dmp

Download
memory/2700-139-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2700-142-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3120-147-0x0000000002F50000-0x0000000003FDE000-memory.dmp

Filesize
16.6MB

Download
memory/3120-146-0x0000000000000000-mapping.dmp

Download
memory/3120-152-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3120-153-0x0000000002F50000-0x0000000003FDE000-memory.dmp

Filesize
16.6MB

Download
memory/3120-157-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3120-158-0x0000000002F50000-0x0000000003FDE000-memory.dmp

Filesize
16.6MB

Download
memory/3456-143-0x0000000001640000-0x0000000001648000-memory.dmp

Filesize
32KB

Download
memory/3456-150-0x0000000001650000-0x0000000001658000-memory.dmp

Filesize
32KB

Download
memory/3456-133-0x0000000000000000-mapping.dmp

Download
memory/4516-138-0x0000000003F60000-0x0000000003F7A000-memory.dmp

Filesize
104KB

Download
memory/4516-136-0x0000000003F40000-0x0000000003F5A000-memory.dmp

Filesize
104KB

Download
memory/4540-141-0x0000000001230000-0x0000000001231000-memory.dmp

Filesize
4KB

Download
memory/4540-140-0x0000000000000000-mapping.dmp

Download