Analysis

  • max time kernel: 149s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220812-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 17-09-2022 16:27

General

  • Target: 56464850801241284AE026A58BF65CF22D5B7F0800A10.exe
  • Size: 108KB
  • MD5: 018f06156f16a08a4689179458972941
  • SHA1: 7215c5f8a21e715d932908aa4c640333afac5f1c
  • SHA256: 56464850801241284ae026a58bf65cf22d5b7f0800a1058fc84cd6802cf3a7c9
  • SHA512: 88e1b4c09311d58098815fd41e5c08f43b8884b1e5c659110c0cbb052df550abafb0cf24526c903e7fd9ca7c0a2abe19fdaf116c06d92a0ef41a0e8db2955fd5
  • SSDEEP: 3072:4siUbw3GIz12qSfX10gzg8wZ29iFparpaaWruERzxaiEacrMtAs8UqDC4RaVRtmy:Jq3GIz12qSfX10gzg8wZ29iFparpaaWM

Score
10/10

Malware Config

Extracted

Family: limerat

Wallets: 38ZggxKrjJSn9XmS8sM1iTQhX3K6ny5u6E

Attributes
  • aes_key: beodz
  • antivm: false
  • c2_url: https://pastebin.com/raw/nEZ87Pwx
  • delay: 3
  • download_payload: false
  • install: true
  • install_name: svchost.exe
  • main_folder: AppData
  • pin_spread: true
  • sub_folder: \MicrosoftData\
  • usb_spread: false

Signatures

  • LimeRAT
    Simple yet powerful RAT for Windows machines written in .NET.
  • Blocklisted process makes network request (12 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Checks computer location settings (2 TTPs, 4 IoCs)
    Looks up the country code configured in the registry, likely a geofence check.
  • Drops startup file (4 IoCs)
  • Adds Run key to start application (2 TTPs, 16 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  • Creates scheduled task(s) (1 TTP, 1 IoC)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
  • Modifies registry class (3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (16 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (17 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\56464850801241284AE026A58BF65CF22D5B7F0800A10.exe
    "C:\Users\Admin\AppData\Local\Temp\56464850801241284AE026A58BF65CF22D5B7F0800A10.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4716
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\MicrosoftData\svchost.exe'"
        3⤵
        • Creates scheduled task(s)
        PID:4016
      • C:\Users\Admin\AppData\Roaming\MicrosoftData\svchost.exe
        "C:\Users\Admin\AppData\Roaming\MicrosoftData\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1232
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\t.vbs"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3876
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\t.vbs"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        PID:4740
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\z.vbs"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4240
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\z.vbs"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        PID:4920

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\t.vbs
    Filesize: 15KB
    MD5: f1f6c2f5f157315eacc6fa592fde70c9
    SHA1: dcdcf3850e7c9b01fd353b06b3fbfaef7737601b
    SHA256: 74743029cfecb65d3eaa59c287ab85376d17fc6e0dc3e6a6a7ad04bb448e3523
    SHA512: 08861ff095da4a47649a90edb5700a989fd5603ea56e60db319295928a3351d5b97bed06ee4a184a18e8ea3642dc18a2dfd0f371292f87ce4c91fffdf20b5b4f

  • C:\Users\Admin\AppData\Local\Temp\z.vbs
    Filesize: 47KB
    MD5: 411c29da4ca50b15ae8432d23089ea6f
    SHA1: b8cee3ce1398129e4967e3098722ebb49576b5d7
    SHA256: 8698a17d6a6c296fb7ce932cb86b9db610bd3056cf4183a273506829d71f86b2
    SHA512: 7ba5dde15bb497fab59e2b993d7e9a2da84359f9af97297628d7163a4cd3e3a49d08136ad43f3af7dbacaeba6d874c76e09a7b6a0aad15f03caa70fc31972949

  • C:\Users\Admin\AppData\Roaming\MicrosoftData\svchost.exe
    Filesize: 28KB
    MD5: 10d4fb7e4295a4a518aa9355db980e5d
    SHA1: 1974f67c6fc402b1aa805b5bdf628b045349016b
    SHA256: e716064b119002efcbe4389cf49eb737be4ff37a515ab87dedb7ab834c975cf5
    SHA512: ee5106defd6b63b38ce10869c227c16fc07fe19bdd4a5255dff50155b6ab2d2861fb363b536c276fae597d796c87ed47b4834ecce60277c6c73b02b00c9e3d1c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t.vbs
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\z.vbs
    Filesize: 47KB
    MD5: 411c29da4ca50b15ae8432d23089ea6f
    SHA1: b8cee3ce1398129e4967e3098722ebb49576b5d7
    SHA256: 8698a17d6a6c296fb7ce932cb86b9db610bd3056cf4183a273506829d71f86b2
    SHA512: 7ba5dde15bb497fab59e2b993d7e9a2da84359f9af97297628d7163a4cd3e3a49d08136ad43f3af7dbacaeba6d874c76e09a7b6a0aad15f03caa70fc31972949

  • C:\Users\Admin\AppData\Roaming\svchost.exe
    Filesize: 28KB
    MD5: 10d4fb7e4295a4a518aa9355db980e5d
    SHA1: 1974f67c6fc402b1aa805b5bdf628b045349016b
    SHA256: e716064b119002efcbe4389cf49eb737be4ff37a515ab87dedb7ab834c975cf5
    SHA512: ee5106defd6b63b38ce10869c227c16fc07fe19bdd4a5255dff50155b6ab2d2861fb363b536c276fae597d796c87ed47b4834ecce60277c6c73b02b00c9e3d1c

  • C:\Users\Admin\AppData\Roaming\t.vbs
    Filesize: 15KB
    MD5: f1f6c2f5f157315eacc6fa592fde70c9
    SHA1: dcdcf3850e7c9b01fd353b06b3fbfaef7737601b
    SHA256: 74743029cfecb65d3eaa59c287ab85376d17fc6e0dc3e6a6a7ad04bb448e3523
    SHA512: 08861ff095da4a47649a90edb5700a989fd5603ea56e60db319295928a3351d5b97bed06ee4a184a18e8ea3642dc18a2dfd0f371292f87ce4c91fffdf20b5b4f

  • C:\Users\Admin\AppData\Roaming\z.vbs
    Filesize: 47KB
    MD5: 411c29da4ca50b15ae8432d23089ea6f
    SHA1: b8cee3ce1398129e4967e3098722ebb49576b5d7
    SHA256: 8698a17d6a6c296fb7ce932cb86b9db610bd3056cf4183a273506829d71f86b2
    SHA512: 7ba5dde15bb497fab59e2b993d7e9a2da84359f9af97297628d7163a4cd3e3a49d08136ad43f3af7dbacaeba6d874c76e09a7b6a0aad15f03caa70fc31972949

  • memory/1232-154-0x0000000006AC0000-0x0000000006B52000-memory.dmp
    Filesize: 584KB
  • memory/1232-151-0x0000000000000000-mapping.dmp
  • memory/2220-132-0x00007FFE4D700000-0x00007FFE4E136000-memory.dmp
    Filesize: 10.2MB
  • memory/3876-135-0x0000000000000000-mapping.dmp
  • memory/4016-150-0x0000000000000000-mapping.dmp
  • memory/4240-138-0x0000000000000000-mapping.dmp
  • memory/4716-144-0x0000000000B90000-0x0000000000B9C000-memory.dmp
    Filesize: 48KB
  • memory/4716-149-0x0000000006750000-0x0000000006CF4000-memory.dmp
    Filesize: 5.6MB
  • memory/4716-148-0x0000000005B40000-0x0000000005BA6000-memory.dmp
    Filesize: 408KB
  • memory/4716-147-0x0000000005AA0000-0x0000000005B3C000-memory.dmp
    Filesize: 624KB
  • memory/4716-133-0x0000000000000000-mapping.dmp
  • memory/4740-140-0x0000000000000000-mapping.dmp
  • memory/4920-141-0x0000000000000000-mapping.dmp