Analysis
-
max time kernel
148s -
max time network
177s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted
30-11-2022 17:35
Static task
static1
Behavioral task
behavioral1
Sample
da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe
Resource
win7-20220812-en
General
-
Target
da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe
-
Size
339KB
-
MD5
e456517631e88d6c617afcaf827a95c9
-
SHA1
6d8bd9818a2b5ea6b2f3ddd2453ae6df3cedac67
-
SHA256
da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d
-
SHA512
d5d7c7b3639b421b146ef10c776b89eff927eb1af89c5d033f76c5341dc1a575ea830d2a6884a04ccbdef2edd24ac0311a4fff86329a5035adb31b9f3b843c5b
-
SSDEEP
6144:qp3Fy+BoE7P9N6S29r3HwArJngn2lojvCe11qR:wVhF7P9Nz0r3Q+JNOvf1
Malware Config
Extracted
limerat
-
aes_key
IRj3SceatjDfweW/qMMw7g==
-
antivm
true
-
c2_url
https://pastebin.com/raw/p8Be8nNX
-
delay
3
-
download_payload
false
-
install
true
-
install_name
Windows Update.exe
-
main_folder
UserProfile
-
pin_spread
false
-
sub_folder
\Windows\
-
usb_spread
false
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
PID    Process
1748   Windows Update.exe
1196   Windows Update.exe
-
Loads dropped DLL 2 IoCs
Processes:
PID    Process
1796   da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe
1748   Windows Update.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
The extracted config's c2_url is a pastebin.com raw paste; the paste is fetched to obtain the real C2 address, so blocking or sinkholing the paste URL, not only the eventual C2 host, is what breaks this dead-drop resolver.
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
Description                          PID    Process                                                                    procid_target
PID 2000 set thread context of 1796  2000   da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe      27
PID 1748 set thread context of 1196  1748   Windows Update.exe                                                         32
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" note to this heuristic; for this LimeRAT sample, with usb_spread set to false in the extracted config and nothing else in the report indicating encryption of user files, drive enumeration alone is not evidence of ransomware.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies system certificate store
Processes:
Description        IoC                                                                                                                                       Process
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474                  Windows Update.exe
Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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   Windows Update.exe
AuthRoot\Certificates is the cache that Windows' automatic root certificate update writes to, and D4DE20D05E66FC53FE1A50882C78DB2852CAE474 is the SHA-1 thumbprint of the Baltimore CyberTrust Root. The entry is therefore consistent with an HTTPS request to the pastebin.com C2 URL pulling a missing root onto this Windows 7 image, not with the sample installing a certificate of its own; compare the written Blob against the public Baltimore CyberTrust Root certificate before treating this as trust-store tampering.
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Description               PID    Process
Token: SeDebugPrivilege   1196   Windows Update.exe
Token: SeDebugPrivilege   1196   Windows Update.exe
Suspicious use of WriteProcessMemory 33 IoCs
Processes (identical rows collapsed; Count is the number of times the row appears):
Description                        PID    Process                                                                    procid_target   Count
PID 2000 wrote to memory of 1796   2000   da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe      27              11
PID 1796 wrote to memory of 272    1796   da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe      29              4
PID 1796 wrote to memory of 1748   1796   da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe      31              7
PID 1748 wrote to memory of 1196   1748   Windows Update.exe                                                         32              11
Processes
-
C:\Users\Admin\AppData\Local\Temp\da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe"
  PID:2000 (depth 1)
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe"
    PID:1796 (depth 2, child of PID 2000 and target of its SetThreadContext)
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\Windows\Windows Update.exe'"
      PID:272 (depth 3, child of PID 1796)
      - Creates scheduled task(s)
    -
    C:\Users\Admin\Windows\Windows Update.exe
      Command line: "C:\Users\Admin\Windows\Windows Update.exe"
      PID:1748 (depth 3, child of PID 1796)
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      -
      C:\Users\Admin\Windows\Windows Update.exe
        Command line: "C:\Users\Admin\Windows\Windows Update.exe"
        PID:1196 (depth 4, child of PID 1748 and target of its SetThreadContext)
        - Executes dropped EXE
        - Modifies system certificate store
        - Suspicious use of AdjustPrivilegeToken
-
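The checks below turn the extracted config and the signature and process-tree evidence above into hunting logic. This is an added example, not code from the report and not LimeRAT's own code. The event list is constructed from the report's PIDs, images and command lines (ppid 1 for the first process is a stand-in); the event field names are an assumed schema rather than any sensor's real format, the mapping of main_folder "UserProfile" to %USERPROFILE% and the DEAD_DROP_HOSTS list are assumptions. It detects the two self-injection pairs (SetThreadContext on a child running the caller's own image), the ONLOGON/HIGHEST scheduled task pointing into a user profile, SeDebugPrivilege enabled by a user-profile binary, and it checks that the install path predicted from the config is exactly the path the task and the dropped process use.

```python
"""Hunting checks built from the LimeRAT report above (added example; not the
report's code and not LimeRAT's). EVENTS is constructed from the report's
process tree and signature tables; its field names are an assumed schema."""
import re
from base64 import b64decode
from urllib.parse import urlparse

CONFIG = {  # extracted config values, copied from the report
    "aes_key": "IRj3SceatjDfweW/qMMw7g==",
    "c2_url": "https://pastebin.com/raw/p8Be8nNX",
    "install": True,
    "install_name": "Windows Update.exe",
    "main_folder": "UserProfile",
    "sub_folder": "\\Windows\\",
}
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe")
DROP = r"C:\Users\Admin\Windows\Windows Update.exe"
SCHTASKS = ('schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "\''
            + DROP + '\'"')
# Constructed events: PIDs, images and command lines are the report's; ppid 1 is a stand-in.
EVENTS = [
    {"type": "process", "pid": 2000, "ppid": 1, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 1796, "ppid": 2000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "api", "pid": 2000, "api": "SetThreadContext", "target_pid": 1796},
    {"type": "process", "pid": 272, "ppid": 1796,
     "image": r"C:\Windows\SysWOW64\schtasks.exe", "cmdline": SCHTASKS},
    {"type": "process", "pid": 1748, "ppid": 1796, "image": DROP, "cmdline": f'"{DROP}"'},
    {"type": "process", "pid": 1196, "ppid": 1748, "image": DROP, "cmdline": f'"{DROP}"'},
    {"type": "api", "pid": 1748, "api": "SetThreadContext", "target_pid": 1196},
    {"type": "api", "pid": 1196, "api": "AdjustPrivilegeToken", "privilege": "SeDebugPrivilege"},
]
USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)
DEAD_DROP_HOSTS = {"pastebin.com"}  # assumed starter list of paste sites used as resolvers

def predicted_install_path(cfg, user_profile):
    """Path the config says the copy is installed to. Assumes main_folder
    'UserProfile' means %USERPROFILE%; any other value raises KeyError."""
    if not cfg.get("install"):
        return None
    root = {"UserProfile": user_profile}[cfg["main_folder"]]
    return "\\".join([root.rstrip("\\"), cfg["sub_folder"].strip("\\"), cfg["install_name"]])

def config_facts(cfg):
    """Key size implied by the base64 aes_key, and whether the C2 URL is a dead-drop resolver."""
    host = (urlparse(cfg["c2_url"]).hostname or "").lower()
    return {"key_bits": len(b64decode(cfg["aes_key"])) * 8, "dead_drop": host in DEAD_DROP_HOSTS}

def parse_schtasks(cmdline):
    """Map schtasks switches to values; a quoted argument is kept whole, then unquoted."""
    toks = re.findall(r'"[^"]*"|\S+', cmdline)
    opts, i = {}, 1
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key] = toks[i + 1].strip("\"'")
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts

def detect_hollowing(events):
    """SetThreadContext on a child running the caller's own image (seen twice in the report)."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for e in events:
        if e["type"] == "api" and e["api"] == "SetThreadContext":
            src, dst = procs.get(e["pid"]), procs.get(e["target_pid"])
            if src and dst and dst["ppid"] == src["pid"] and dst["image"].lower() == src["image"].lower():
                hits.append((src["pid"], dst["pid"]))
    return hits

def detect_persistence_task(events):
    """schtasks /create running a user-profile binary at logon with highest privileges."""
    hits = []
    for e in events:
        if e["type"] != "process" or not e["image"].lower().endswith("\\schtasks.exe"):
            continue
        o = parse_schtasks(e["cmdline"])
        tr = o.get("tr")
        if ("create" in o and isinstance(tr, str) and USER_PROFILE_RE.match(tr)
                and str(o.get("sc", "")).upper() == "ONLOGON"
                and str(o.get("rl", "")).upper() == "HIGHEST"):
            hits.append({"pid": e["pid"], "task": o.get("tn"), "target": tr})
    return hits

def detect_debug_privilege(events):
    """SeDebugPrivilege enabled by a process whose image lives under a user profile."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    return [e["pid"] for e in events
            if e["type"] == "api" and e["api"] == "AdjustPrivilegeToken"
            and e.get("privilege") == "SeDebugPrivilege"
            and e["pid"] in procs and USER_PROFILE_RE.match(procs[e["pid"]]["image"])]

def config_corroborated(cfg, events, user_profile=r"C:\Users\Admin"):
    """True when the path predicted from the config is what the scheduled task
    points at and what the dropped process actually ran as."""
    predicted = predicted_install_path(cfg, user_profile)
    tasks = detect_persistence_task(events)
    ran = {e["image"] for e in events if e["type"] == "process"}
    return bool(tasks) and all(t["target"] == predicted for t in tasks) and predicted in ran
```

The hollowing check keys on parent/child plus identical image rather than on SetThreadContext alone, because debuggers and some installers call SetThreadContext legitimately; the persistence check keys on the combination of ONLOGON, HIGHEST and a user-profile target, since any one of those alone is common in benign tasks. Feed real sensor data by converting its records into the same dict shape.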
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
339KB
MD5 e456517631e88d6c617afcaf827a95c9
SHA1 6d8bd9818a2b5ea6b2f3ddd2453ae6df3cedac67
SHA256 da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d
SHA512 d5d7c7b3639b421b146ef10c776b89eff927eb1af89c5d033f76c5341dc1a575ea830d2a6884a04ccbdef2edd24ac0311a4fff86329a5035adb31b9f3b843c5b
The downloadable artifact carries the submitted sample's own hashes, so the file dropped as C:\Users\Admin\Windows\Windows Update.exe is a byte-identical self-copy: the install routine copies the executable unchanged, and the hashes above cover both the original and the dropped file.