Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-09-2022 16:26

General

  • Target

    56464850801241284AE026A58BF65CF22D5B7F0800A10.exe

  • Size

    108KB

  • MD5

    018f06156f16a08a4689179458972941

  • SHA1

    7215c5f8a21e715d932908aa4c640333afac5f1c

  • SHA256

    56464850801241284ae026a58bf65cf22d5b7f0800a1058fc84cd6802cf3a7c9

  • SHA512

    88e1b4c09311d58098815fd41e5c08f43b8884b1e5c659110c0cbb052df550abafb0cf24526c903e7fd9ca7c0a2abe19fdaf116c06d92a0ef41a0e8db2955fd5

  • SSDEEP

    3072:4siUbw3GIz12qSfX10gzg8wZ29iFparpaaWruERzxaiEacrMtAs8UqDC4RaVRtmy:Jq3GIz12qSfX10gzg8wZ29iFparpaaWM

Score
10/10

Malware Config

Extracted

Family

limerat

Wallets

38ZggxKrjJSn9XmS8sM1iTQhX3K6ny5u6E

Attributes
  • aes_key

    beodz

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/nEZ87Pwx

  • delay

    3

  • download_payload

    false

  • install

    true

  • install_name

    svchost.exe

  • main_folder

    AppData

  • pin_spread

    true

  • sub_folder

    \MicrosoftData\

  • usb_spread

    false

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

  • Blocklisted process makes network request (14 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Checks computer location settings (2 TTPs, 4 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file (4 IoCs)
  • Adds Run key to start application (2 TTPs, 16 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
  • Suspicious use of SetThreadContext (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) (1 TTPs, 1 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class (3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (40 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (25 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\56464850801241284AE026A58BF65CF22D5B7F0800A10.exe
    "C:\Users\Admin\AppData\Local\Temp\56464850801241284AE026A58BF65CF22D5B7F0800A10.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2288
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\MicrosoftData\svchost.exe'"
        3⤵
        • Creates scheduled task(s)
        PID:3160
      • C:\Users\Admin\AppData\Roaming\MicrosoftData\svchost.exe
        "C:\Users\Admin\AppData\Roaming\MicrosoftData\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4908
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" "C:\Users\Admin\AppData\Roaming\MicrosoftData\svchost.exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2420
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\t.vbs"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3812
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\t.vbs"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        PID:1532
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\z.vbs"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3700
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\z.vbs"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        PID:4720

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\t.vbs

    Filesize

    15KB

    MD5

    f1f6c2f5f157315eacc6fa592fde70c9

    SHA1

    dcdcf3850e7c9b01fd353b06b3fbfaef7737601b

    SHA256

    74743029cfecb65d3eaa59c287ab85376d17fc6e0dc3e6a6a7ad04bb448e3523

    SHA512

    08861ff095da4a47649a90edb5700a989fd5603ea56e60db319295928a3351d5b97bed06ee4a184a18e8ea3642dc18a2dfd0f371292f87ce4c91fffdf20b5b4f

  • C:\Users\Admin\AppData\Local\Temp\z.vbs

    Filesize

    47KB

    MD5

    411c29da4ca50b15ae8432d23089ea6f

    SHA1

    b8cee3ce1398129e4967e3098722ebb49576b5d7

    SHA256

    8698a17d6a6c296fb7ce932cb86b9db610bd3056cf4183a273506829d71f86b2

    SHA512

    7ba5dde15bb497fab59e2b993d7e9a2da84359f9af97297628d7163a4cd3e3a49d08136ad43f3af7dbacaeba6d874c76e09a7b6a0aad15f03caa70fc31972949

  • C:\Users\Admin\AppData\Roaming\MicrosoftData\svchost.exe

    Filesize

    28KB

    MD5

    10d4fb7e4295a4a518aa9355db980e5d

    SHA1

    1974f67c6fc402b1aa805b5bdf628b045349016b

    SHA256

    e716064b119002efcbe4389cf49eb737be4ff37a515ab87dedb7ab834c975cf5

    SHA512

    ee5106defd6b63b38ce10869c227c16fc07fe19bdd4a5255dff50155b6ab2d2861fb363b536c276fae597d796c87ed47b4834ecce60277c6c73b02b00c9e3d1c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t.vbs

    Filesize

    15KB

    MD5

    f1f6c2f5f157315eacc6fa592fde70c9

    SHA1

    dcdcf3850e7c9b01fd353b06b3fbfaef7737601b

    SHA256

    74743029cfecb65d3eaa59c287ab85376d17fc6e0dc3e6a6a7ad04bb448e3523

    SHA512

    08861ff095da4a47649a90edb5700a989fd5603ea56e60db319295928a3351d5b97bed06ee4a184a18e8ea3642dc18a2dfd0f371292f87ce4c91fffdf20b5b4f

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\z.vbs

    Filesize

    47KB

    MD5

    411c29da4ca50b15ae8432d23089ea6f

    SHA1

    b8cee3ce1398129e4967e3098722ebb49576b5d7

    SHA256

    8698a17d6a6c296fb7ce932cb86b9db610bd3056cf4183a273506829d71f86b2

    SHA512

    7ba5dde15bb497fab59e2b993d7e9a2da84359f9af97297628d7163a4cd3e3a49d08136ad43f3af7dbacaeba6d874c76e09a7b6a0aad15f03caa70fc31972949

  • C:\Users\Admin\AppData\Roaming\svchost.exe

    Filesize

    28KB

    MD5

    10d4fb7e4295a4a518aa9355db980e5d

    SHA1

    1974f67c6fc402b1aa805b5bdf628b045349016b

    SHA256

    e716064b119002efcbe4389cf49eb737be4ff37a515ab87dedb7ab834c975cf5

    SHA512

    ee5106defd6b63b38ce10869c227c16fc07fe19bdd4a5255dff50155b6ab2d2861fb363b536c276fae597d796c87ed47b4834ecce60277c6c73b02b00c9e3d1c

  • C:\Users\Admin\AppData\Roaming\t.vbs

    Filesize

    15KB

    MD5

    f1f6c2f5f157315eacc6fa592fde70c9

    SHA1

    dcdcf3850e7c9b01fd353b06b3fbfaef7737601b

    SHA256

    74743029cfecb65d3eaa59c287ab85376d17fc6e0dc3e6a6a7ad04bb448e3523

    SHA512

    08861ff095da4a47649a90edb5700a989fd5603ea56e60db319295928a3351d5b97bed06ee4a184a18e8ea3642dc18a2dfd0f371292f87ce4c91fffdf20b5b4f

  • C:\Users\Admin\AppData\Roaming\z.vbs

    Filesize

    47KB

    MD5

    411c29da4ca50b15ae8432d23089ea6f

    SHA1

    b8cee3ce1398129e4967e3098722ebb49576b5d7

    SHA256

    8698a17d6a6c296fb7ce932cb86b9db610bd3056cf4183a273506829d71f86b2

    SHA512

    7ba5dde15bb497fab59e2b993d7e9a2da84359f9af97297628d7163a4cd3e3a49d08136ad43f3af7dbacaeba6d874c76e09a7b6a0aad15f03caa70fc31972949

  • memory/1048-132-0x00007FFA04FD0000-0x00007FFA05A06000-memory.dmp

    Filesize

    10.2MB

  • memory/2288-144-0x00000000056A0000-0x000000000573C000-memory.dmp

    Filesize

    624KB

  • memory/2288-141-0x0000000000750000-0x000000000075C000-memory.dmp

    Filesize

    48KB

  • memory/2288-148-0x0000000005740000-0x00000000057A6000-memory.dmp

    Filesize

    408KB

  • memory/2288-149-0x0000000006460000-0x0000000006A04000-memory.dmp

    Filesize

    5.6MB

  • memory/2420-156-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/4908-154-0x0000000006570000-0x0000000006602000-memory.dmp

    Filesize

    584KB