Malware Analysis Report

2024-11-16 13:10

Sample ID 220708-jn15lafhgq
Target 2c101158bc22949b549721104417f3eda0a7ca4c10bb88fc0ee95bc8a54b606c
SHA256 2c101158bc22949b549721104417f3eda0a7ca4c10bb88fc0ee95bc8a54b606c
Tags
limerat persistence rat
score
10/10

Analysis Overview

score
10/10

SHA256

2c101158bc22949b549721104417f3eda0a7ca4c10bb88fc0ee95bc8a54b606c

Threat Level: Known bad

The file 2c101158bc22949b549721104417f3eda0a7ca4c10bb88fc0ee95bc8a54b606c was found to be: Known bad.

Malicious Activity Summary

limerat persistence rat

LimeRAT

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-08 07:49

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-08 07:49

Reported

2022-07-08 14:16

Platform

win10v2004-20220414-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c101158bc22949b549721104417f3eda0a7ca4c10bb88fc0ee95bc8a54b606c.exe"

Signatures

LimeRAT

rat limerat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\2c101158bc22949b549721104417f3eda0a7ca4c10bb88fc0ee95bc8a54b606c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\2c101158bc22949b549721104417f3eda0a7ca4c10bb88fc0ee95bc8a54b606c.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Wservices.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4588 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2c101158bc22949b549721104417f3eda0a7ca4c10bb88fc0ee95bc8a54b606c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
PID 5008 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
PID 2612 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe C:\Windows\SysWOW64\schtasks.exe
PID 2612 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe C:\Users\Admin\AppData\Roaming\Wservices.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2c101158bc22949b549721104417f3eda0a7ca4c10bb88fc0ee95bc8a54b606c.exe

"C:\Users\Admin\AppData\Local\Temp\2c101158bc22949b549721104417f3eda0a7ca4c10bb88fc0ee95bc8a54b606c.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x500 0x394

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\Wservices.exe'"

C:\Users\Admin\AppData\Roaming\Wservices.exe

"C:\Users\Admin\AppData\Roaming\Wservices.exe"

Network

Country Destination Domain Proto
US 52.168.117.170:443 tcp
NL 104.110.191.140:80 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
US 8.8.8.8:53 xxxydns.ddns.net udp
US 8.238.111.126:80 tcp
US 204.79.197.203:80 tcp

Files

memory/5008-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

MD5 424bf196deaeb4ddcafb78e137fa560a
SHA1 007738e9486c904a3115daa6e8ba2ee692af58c8
SHA256 0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2
SHA512 a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll

MD5 c3256800dce47c14acc83ccca4c3e2ac
SHA1 9d126818c66991dbc3813a65eddb88bbcf77f30a
SHA256 f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866
SHA512 6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd

MD5 3e7ecaeb51c2812d13b07ec852d74aaf
SHA1 e9bdab93596ffb0f7f8c65243c579180939acb26
SHA256 e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96
SHA512 635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png

MD5 340b294efc691d1b20c64175d565ebc7
SHA1 81cb9649bd1c9a62ae79e781818fc24d15c29ce7
SHA256 72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9
SHA512 1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings

MD5 68934a3e9455fa72420237eb05902327
SHA1 7cb6efb98ba5972a9b5090dc2e517fe14d12cb04
SHA256 fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa
SHA512 719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat

MD5 a3f3e2f4aaa25be455083154003a7ee8
SHA1 8fc3c30e3d6264d530d72f56574d1ef825ff172b
SHA256 326519dd7b1a36176a2b032c9d77cdba1e7c354bf0f0ab2370d3578022e970c5
SHA512 96d7b3f270cde1581cae67be793cd7e65248ca999b1d28770ec71b35d00790427f0d83dec6870366f3ea72cb3507b0b7befa3f28871fd220e8d26d6df3b2d746

memory/2612-139-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

MD5 8da711f66eb3f97005d58f523bd731c8
SHA1 57df1db64a9b864b6920687a30dfd643cd74ee93
SHA256 5dfb7c442c43632d36fc7e2b7dad7e73c50233fe17d018b617aeb368cc08bbd3
SHA512 208dc4d6237623ccf4abfb2667793880a1ff6b89e23425d4d884a252f818bfd3a6fe470df833bd13e5ecfd90c7afb924a210a3d7bbaf5c798dc99e9b9f9dad17

memory/2612-142-0x00000000009C0000-0x00000000009CC000-memory.dmp

memory/2612-143-0x0000000005290000-0x000000000532C000-memory.dmp

memory/2612-144-0x00000000051F0000-0x0000000005256000-memory.dmp

memory/2612-145-0x0000000005EF0000-0x0000000006494000-memory.dmp

memory/1500-146-0x0000000000000000-mapping.dmp

memory/376-147-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Wservices.exe

MD5 8da711f66eb3f97005d58f523bd731c8
SHA1 57df1db64a9b864b6920687a30dfd643cd74ee93
SHA256 5dfb7c442c43632d36fc7e2b7dad7e73c50233fe17d018b617aeb368cc08bbd3
SHA512 208dc4d6237623ccf4abfb2667793880a1ff6b89e23425d4d884a252f818bfd3a6fe470df833bd13e5ecfd90c7afb924a210a3d7bbaf5c798dc99e9b9f9dad17

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-08 07:49

Reported

2022-07-08 14:16

Platform

win7-20220414-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c101158bc22949b549721104417f3eda0a7ca4c10bb88fc0ee95bc8a54b606c.exe"

Signatures

LimeRAT

rat limerat

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\2c101158bc22949b549721104417f3eda0a7ca4c10bb88fc0ee95bc8a54b606c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\2c101158bc22949b549721104417f3eda0a7ca4c10bb88fc0ee95bc8a54b606c.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Wservices.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 536 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\2c101158bc22949b549721104417f3eda0a7ca4c10bb88fc0ee95bc8a54b606c.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
PID 1748 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
PID 1264 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe C:\Windows\SysWOW64\schtasks.exe
PID 1264 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe C:\Users\Admin\AppData\Roaming\Wservices.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2c101158bc22949b549721104417f3eda0a7ca4c10bb88fc0ee95bc8a54b606c.exe

"C:\Users\Admin\AppData\Local\Temp\2c101158bc22949b549721104417f3eda0a7ca4c10bb88fc0ee95bc8a54b606c.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4f4

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\Wservices.exe'"

C:\Users\Admin\AppData\Roaming\Wservices.exe

"C:\Users\Admin\AppData\Roaming\Wservices.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
US 8.8.8.8:53 xxxydns.ddns.net udp

Files

memory/536-54-0x0000000075B61000-0x0000000075B63000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

MD5 424bf196deaeb4ddcafb78e137fa560a
SHA1 007738e9486c904a3115daa6e8ba2ee692af58c8
SHA256 0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2
SHA512 a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

memory/1748-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

MD5 424bf196deaeb4ddcafb78e137fa560a
SHA1 007738e9486c904a3115daa6e8ba2ee692af58c8
SHA256 0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2
SHA512 a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll

MD5 c3256800dce47c14acc83ccca4c3e2ac
SHA1 9d126818c66991dbc3813a65eddb88bbcf77f30a
SHA256 f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866
SHA512 6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll

MD5 c3256800dce47c14acc83ccca4c3e2ac
SHA1 9d126818c66991dbc3813a65eddb88bbcf77f30a
SHA256 f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866
SHA512 6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd

MD5 3e7ecaeb51c2812d13b07ec852d74aaf
SHA1 e9bdab93596ffb0f7f8c65243c579180939acb26
SHA256 e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96
SHA512 635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png

MD5 340b294efc691d1b20c64175d565ebc7
SHA1 81cb9649bd1c9a62ae79e781818fc24d15c29ce7
SHA256 72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9
SHA512 1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat

MD5 a3f3e2f4aaa25be455083154003a7ee8
SHA1 8fc3c30e3d6264d530d72f56574d1ef825ff172b
SHA256 326519dd7b1a36176a2b032c9d77cdba1e7c354bf0f0ab2370d3578022e970c5
SHA512 96d7b3f270cde1581cae67be793cd7e65248ca999b1d28770ec71b35d00790427f0d83dec6870366f3ea72cb3507b0b7befa3f28871fd220e8d26d6df3b2d746

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings

MD5 68934a3e9455fa72420237eb05902327
SHA1 7cb6efb98ba5972a9b5090dc2e517fe14d12cb04
SHA256 fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa
SHA512 719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d

\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

MD5 8da711f66eb3f97005d58f523bd731c8
SHA1 57df1db64a9b864b6920687a30dfd643cd74ee93
SHA256 5dfb7c442c43632d36fc7e2b7dad7e73c50233fe17d018b617aeb368cc08bbd3
SHA512 208dc4d6237623ccf4abfb2667793880a1ff6b89e23425d4d884a252f818bfd3a6fe470df833bd13e5ecfd90c7afb924a210a3d7bbaf5c798dc99e9b9f9dad17

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

MD5 8da711f66eb3f97005d58f523bd731c8
SHA1 57df1db64a9b864b6920687a30dfd643cd74ee93
SHA256 5dfb7c442c43632d36fc7e2b7dad7e73c50233fe17d018b617aeb368cc08bbd3
SHA512 208dc4d6237623ccf4abfb2667793880a1ff6b89e23425d4d884a252f818bfd3a6fe470df833bd13e5ecfd90c7afb924a210a3d7bbaf5c798dc99e9b9f9dad17

memory/1264-72-0x0000000000000000-mapping.dmp

memory/1264-77-0x00000000010D0000-0x00000000010DC000-memory.dmp

memory/840-78-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\Wservices.exe

MD5 8da711f66eb3f97005d58f523bd731c8
SHA1 57df1db64a9b864b6920687a30dfd643cd74ee93
SHA256 5dfb7c442c43632d36fc7e2b7dad7e73c50233fe17d018b617aeb368cc08bbd3
SHA512 208dc4d6237623ccf4abfb2667793880a1ff6b89e23425d4d884a252f818bfd3a6fe470df833bd13e5ecfd90c7afb924a210a3d7bbaf5c798dc99e9b9f9dad17

memory/980-82-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Wservices.exe

MD5 8da711f66eb3f97005d58f523bd731c8
SHA1 57df1db64a9b864b6920687a30dfd643cd74ee93
SHA256 5dfb7c442c43632d36fc7e2b7dad7e73c50233fe17d018b617aeb368cc08bbd3
SHA512 208dc4d6237623ccf4abfb2667793880a1ff6b89e23425d4d884a252f818bfd3a6fe470df833bd13e5ecfd90c7afb924a210a3d7bbaf5c798dc99e9b9f9dad17

memory/980-87-0x0000000000380000-0x000000000038C000-memory.dmp