Analysis Overview
SHA256: acdb00a4f455657e0e18a8b593d09340eb2818ec14e4a4a7d44a21de57ad3f03
Threat Level: Known bad
The file acdb00a4f455657e0e18a8b593d09340eb2818ec14e4a4a7d44a21de57ad3f03 was found to be: Known bad.
Malicious Activity Summary
LimeRAT
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Drops startup file
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
NTFS ADS
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2022-07-01 06:24
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2022-07-01 06:24
Reported: 2022-07-01 07:37
Platform: win7-20220414-en
Max time kernel: 148s
Max time network: 155s
Command Line
Signatures
LimeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kjhghfe.exe.lnk | C:\Users\Admin\AppData\Local\Temp\acdb00a4f455657e0e18a8b593d09340eb2818ec14e4a4a7d44a21de57ad3f03.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\acdb00a4f455657e0e18a8b593d09340eb2818ec14e4a4a7d44a21de57ad3f03.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 812 set thread context of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\acdb00a4f455657e0e18a8b593d09340eb2818ec14e4a4a7d44a21de57ad3f03.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\uytfg\kjhghfe.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\acdb00a4f455657e0e18a8b593d09340eb2818ec14e4a4a7d44a21de57ad3f03.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\acdb00a4f455657e0e18a8b593d09340eb2818ec14e4a4a7d44a21de57ad3f03.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\acdb00a4f455657e0e18a8b593d09340eb2818ec14e4a4a7d44a21de57ad3f03.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\acdb00a4f455657e0e18a8b593d09340eb2818ec14e4a4a7d44a21de57ad3f03.exe
"C:\Users\Admin\AppData\Local\Temp\acdb00a4f455657e0e18a8b593d09340eb2818ec14e4a4a7d44a21de57ad3f03.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/acdb00a4f455657e0e18a8b593d09340eb2818ec14e4a4a7d44a21de57ad3f03.exe" "%appdata%\uytfg\kjhghfe.exe" /Y
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %appdata%\uytfg\kjhghfe.exe:Zone.Identifier
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ren "%appdata%\uytfg\kjhghfe.exe.jpg" kjhghfe.exe
C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\uytfg\kjhghfe.exe.bat
C:\Windows\SysWOW64\timeout.exe
timeout /t 300
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| DE | 193.161.193.99:44611 | | tcp |
Files
memory/812-54-0x0000000000390000-0x00000000004CC000-memory.dmp
memory/812-55-0x0000000000300000-0x0000000000314000-memory.dmp
memory/812-56-0x0000000075FE1000-0x0000000075FE3000-memory.dmp
memory/1488-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\uytfg\kjhghfe.exe
| MD5 | 7521e0b9a3665d73b312ef7d84989280 |
| SHA1 | 93598ffa4785db27462c5f63f755ad08074d8ede |
| SHA256 | acdb00a4f455657e0e18a8b593d09340eb2818ec14e4a4a7d44a21de57ad3f03 |
| SHA512 | 1b9f3fc03578e11860721e9c1a154dd784b7dfea3199da5cec2d97d61ea8ee3a7544c7faedf50bbf291976fa91571286654d04c92657caf3cff215d47ac11855 |
memory/1260-59-0x0000000000000000-mapping.dmp
memory/1736-60-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\svhost.exe
| MD5 | 9af17c8393f0970ee5136bd3ffa27001 |
| SHA1 | 4b285b72c1a11285a25f31f2597e090da6bbc049 |
| SHA256 | 71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019 |
| SHA512 | b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3 |
memory/1924-63-0x0000000000400000-0x000000000040C000-memory.dmp
memory/1924-62-0x0000000000400000-0x000000000040C000-memory.dmp
memory/1924-65-0x0000000000400000-0x000000000040C000-memory.dmp
memory/1924-67-0x00000000004080CE-mapping.dmp
memory/1924-66-0x0000000000400000-0x000000000040C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svhost.exe
| MD5 | 9af17c8393f0970ee5136bd3ffa27001 |
| SHA1 | 4b285b72c1a11285a25f31f2597e090da6bbc049 |
| SHA256 | 71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019 |
| SHA512 | b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3 |
memory/1924-70-0x0000000000400000-0x000000000040C000-memory.dmp
memory/1924-72-0x0000000000400000-0x000000000040C000-memory.dmp
memory/1700-74-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\uytfg\kjhghfe.exe.bat
| MD5 | 8963649f488693713e08bf3764b8df19 |
| SHA1 | 5c369411d10c0c7a7c21ba519a83124f0ecdcfc7 |
| SHA256 | 309e79a3e46212f79b58e1c44a10b9204af1f75500de1f69f24f705572db03ff |
| SHA512 | 28fd0f0068e24a6c39e5572c611da61ac5d213e29c9a9dad8906ee6bf7a3ef9a57888fabf10b08616842ae34a4e1fe5639fe42b61d3333f19419c4b9203816a9 |
memory/1752-76-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2022-07-01 06:24
Reported: 2022-07-01 07:38
Platform: win10v2004-20220414-en
Max time kernel: 161s
Max time network: 171s
Command Line
Signatures
LimeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\acdb00a4f455657e0e18a8b593d09340eb2818ec14e4a4a7d44a21de57ad3f03.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kjhghfe.exe.lnk | C:\Users\Admin\AppData\Local\Temp\acdb00a4f455657e0e18a8b593d09340eb2818ec14e4a4a7d44a21de57ad3f03.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1564 set thread context of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\acdb00a4f455657e0e18a8b593d09340eb2818ec14e4a4a7d44a21de57ad3f03.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\uytfg\kjhghfe.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\acdb00a4f455657e0e18a8b593d09340eb2818ec14e4a4a7d44a21de57ad3f03.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\acdb00a4f455657e0e18a8b593d09340eb2818ec14e4a4a7d44a21de57ad3f03.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\acdb00a4f455657e0e18a8b593d09340eb2818ec14e4a4a7d44a21de57ad3f03.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\acdb00a4f455657e0e18a8b593d09340eb2818ec14e4a4a7d44a21de57ad3f03.exe
"C:\Users\Admin\AppData\Local\Temp\acdb00a4f455657e0e18a8b593d09340eb2818ec14e4a4a7d44a21de57ad3f03.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/acdb00a4f455657e0e18a8b593d09340eb2818ec14e4a4a7d44a21de57ad3f03.exe" "%appdata%\uytfg\kjhghfe.exe" /Y
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %appdata%\uytfg\kjhghfe.exe:Zone.Identifier
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ren "%appdata%\uytfg\kjhghfe.exe.jpg" kjhghfe.exe
C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\uytfg\kjhghfe.exe.bat
C:\Windows\SysWOW64\timeout.exe
timeout /t 300
Network
| Country | Destination | Domain | Proto |
| JP | 40.74.98.195:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 13.107.21.200:443 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| DE | 193.161.193.99:44611 | | tcp |
Files
memory/1564-130-0x00000000005F0000-0x000000000072C000-memory.dmp
memory/1564-131-0x0000000005700000-0x0000000005CA4000-memory.dmp
memory/1564-132-0x0000000005150000-0x00000000051E2000-memory.dmp
memory/1564-133-0x00000000051F0000-0x000000000528C000-memory.dmp
memory/224-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\uytfg\kjhghfe.exe
| MD5 | 7521e0b9a3665d73b312ef7d84989280 |
| SHA1 | 93598ffa4785db27462c5f63f755ad08074d8ede |
| SHA256 | acdb00a4f455657e0e18a8b593d09340eb2818ec14e4a4a7d44a21de57ad3f03 |
| SHA512 | 1b9f3fc03578e11860721e9c1a154dd784b7dfea3199da5cec2d97d61ea8ee3a7544c7faedf50bbf291976fa91571286654d04c92657caf3cff215d47ac11855 |
memory/4828-136-0x0000000000000000-mapping.dmp
memory/4144-137-0x0000000000000000-mapping.dmp
memory/2124-138-0x0000000000000000-mapping.dmp
memory/2124-139-0x0000000000400000-0x000000000040C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svhost.exe
| MD5 | 8fdf47e0ff70c40ed3a17014aeea4232 |
| SHA1 | e6256a0159688f0560b015da4d967f41cbf8c9bd |
| SHA256 | ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82 |
| SHA512 | bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be |
memory/3248-142-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\uytfg\kjhghfe.exe.bat
| MD5 | 8963649f488693713e08bf3764b8df19 |
| SHA1 | 5c369411d10c0c7a7c21ba519a83124f0ecdcfc7 |
| SHA256 | 309e79a3e46212f79b58e1c44a10b9204af1f75500de1f69f24f705572db03ff |
| SHA512 | 28fd0f0068e24a6c39e5572c611da61ac5d213e29c9a9dad8906ee6bf7a3ef9a57888fabf10b08616842ae34a4e1fe5639fe42b61d3333f19419c4b9203816a9 |
memory/4424-144-0x0000000000000000-mapping.dmp
memory/2124-145-0x00000000057D0000-0x0000000005836000-memory.dmp