limerat | 297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0

Analysis

max time kernel
44s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-09-2022 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe
Size

164KB
MD5

df0b023471306ceb44a253d7cfd86abc
SHA1

36b498e04a1777bbea6582f9d1a0820f96cabe97
SHA256

297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0
SHA512

2334f5dad874d44b7180241247f959d36b5d58fe8625c2b5013dd6bd751998a5ad9055b3c5255b95cb8a05eda2a06f566ab77bd45a54bd6923588c05b76e956c
SSDEEP

3072:/I/0W2G4b/gFbGbj2koc34mwAEoznq1vK7rbKO5oqoO0MhwNz:/RjG40RGb3X34Hknq1cm20NN

Score

10^/10

limerat evasion ransomware rat trojan

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/1092-54-0x0000000000E90000-0x0000000000EBE000-memory.dmp	disable_win_def

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Enumerates connected drives 3 TTPs 13 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
384	schtasks.exe

Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disabling Security Tools
T1089

Modify Registry
T1112

Interacts with shadow copies 2 TTPs 9 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2036	vssadmin.exe
852	vssadmin.exe
1756	vssadmin.exe
1472	vssadmin.exe
1308	vssadmin.exe
432	vssadmin.exe
2008	vssadmin.exe
1468	vssadmin.exe
316	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe
1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe
1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe
1480	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeBackupPrivilege	2044	vssvc.exe
Token: SeRestorePrivilege	2044	vssvc.exe
Token: SeAuditPrivilege	2044	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 384	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	27
PID 1092 wrote to memory of 384	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	27
PID 1092 wrote to memory of 384	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	27
PID 1092 wrote to memory of 1480	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	30
PID 1092 wrote to memory of 1480	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	30
PID 1092 wrote to memory of 1480	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	30
PID 1092 wrote to memory of 1968	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	32
PID 1092 wrote to memory of 1968	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	32
PID 1092 wrote to memory of 1968	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	32
PID 1092 wrote to memory of 1888	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	33
PID 1092 wrote to memory of 1888	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	33
PID 1092 wrote to memory of 1888	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	33
PID 1092 wrote to memory of 1928	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	35
PID 1092 wrote to memory of 1928	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	35
PID 1092 wrote to memory of 1928	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	35
PID 1092 wrote to memory of 2012	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	36
PID 1092 wrote to memory of 2012	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	36
PID 1092 wrote to memory of 2012	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	36
PID 1092 wrote to memory of 1500	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	38
PID 1092 wrote to memory of 1500	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	38
PID 1092 wrote to memory of 1500	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	38
PID 1092 wrote to memory of 1556	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	41
PID 1092 wrote to memory of 1556	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	41
PID 1092 wrote to memory of 1556	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	41
PID 1968 wrote to memory of 432	1968	cmd.exe	46
PID 1968 wrote to memory of 432	1968	cmd.exe	46
PID 1968 wrote to memory of 432	1968	cmd.exe	46
PID 1092 wrote to memory of 1732	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	42
PID 1092 wrote to memory of 1732	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	42
PID 1092 wrote to memory of 1732	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	42
PID 1092 wrote to memory of 1060	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	43
PID 1092 wrote to memory of 1060	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	43
PID 1092 wrote to memory of 1060	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	43
PID 1092 wrote to memory of 1560	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	48
PID 1092 wrote to memory of 1560	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	48
PID 1092 wrote to memory of 1560	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	48
PID 1092 wrote to memory of 1652	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	50
PID 1092 wrote to memory of 1652	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	50
PID 1092 wrote to memory of 1652	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	50
PID 1092 wrote to memory of 1144	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	51
PID 1092 wrote to memory of 1144	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	51
PID 1092 wrote to memory of 1144	1092	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	51
PID 2012 wrote to memory of 1308	2012	cmd.exe	62
PID 2012 wrote to memory of 1308	2012	cmd.exe	62
PID 2012 wrote to memory of 1308	2012	cmd.exe	62
PID 1500 wrote to memory of 1472	1500	cmd.exe	60
PID 1500 wrote to memory of 1472	1500	cmd.exe	60
PID 1500 wrote to memory of 1472	1500	cmd.exe	60
PID 1888 wrote to memory of 1900	1888	cmd.exe	59
PID 1888 wrote to memory of 1900	1888	cmd.exe	59
PID 1888 wrote to memory of 1900	1888	cmd.exe	59
PID 1928 wrote to memory of 2036	1928	cmd.exe	53
PID 1928 wrote to memory of 2036	1928	cmd.exe	53
PID 1928 wrote to memory of 2036	1928	cmd.exe	53
PID 1556 wrote to memory of 1756	1556	cmd.exe	58
PID 1556 wrote to memory of 1756	1556	cmd.exe	58
PID 1556 wrote to memory of 1756	1556	cmd.exe	58
PID 1732 wrote to memory of 852	1732	cmd.exe	54
PID 1732 wrote to memory of 852	1732	cmd.exe	54
PID 1732 wrote to memory of 852	1732	cmd.exe	54
PID 1060 wrote to memory of 316	1060	cmd.exe	57
PID 1060 wrote to memory of 316	1060	cmd.exe	57
PID 1060 wrote to memory of 316	1060	cmd.exe	57
PID 1652 wrote to memory of 2008	1652	cmd.exe	55

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies security service
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\system32\schtasks.exe
  schtasks /create /f /sc MINUTE /mo 26 /RL LIMITED /tn UpdateDMR /tr "'C:\Users\Admin\AppData\Roaming\Help\explorer.exe'"
  2⤵
  - Creates scheduled task(s)
  PID:384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin Delete Shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:432
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
    3⤵
    PID:1900
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:2036
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1308
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1472
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1756
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:852
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:316
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  PID:1560
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1468
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2008
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  PID:1144

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1092-54-0x0000000000E90000-0x0000000000EBE000-memory.dmp

Filesize
184KB

Download
memory/1480-58-0x000007FEEC590000-0x000007FEECFB3000-memory.dmp

Filesize
10.1MB

Download
memory/1480-62-0x000000000278B000-0x00000000027AA000-memory.dmp

Filesize
124KB

Download
memory/1480-61-0x0000000002784000-0x0000000002787000-memory.dmp

Filesize
12KB

Download
memory/1480-60-0x0000000002784000-0x0000000002787000-memory.dmp

Filesize
12KB

Download
memory/1480-59-0x000007FEEBA30000-0x000007FEEC58D000-memory.dmp

Filesize
11.4MB

Download
memory/1480-57-0x000007FEFB761000-0x000007FEFB763000-memory.dmp

Filesize
8KB

Download