limerat | 64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc

Analysis

max time kernel
146s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exe
Size

330KB
MD5

88157978da35d52fee44f25b3610aa60
SHA1

d67d981b38b82002f2f9e9e45c5c489368e8cda7
SHA256

64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc
SHA512

4a6bf3ecf6763d569fc26c8cae61b38c07f27594954cb2448ade77aa7ae584fc7ae118463d14826cffd2ec4d5ecd77fd04861b5ed98a77f752357cb9860c29b2
SSDEEP

6144:zK8lUvarEuKLH321cUx5zugbguHzYOi2Deq1qR1:zDEzSnbbg6l11q

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Attributes

aes_key
IRj3SceatjDfweW/qMMw7g==
antivm
true
c2_url
https://pastebin.com/raw/p8Be8nNX
delay
3
download_payload
false
install
true
install_name
Windows Update.exe
main_folder
UserProfile
pin_spread
false
sub_folder
\Windows\
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Executes dropped EXE 2 IoCs

Processes:

Windows Update.exeWindows Update.exe

pid	Process
828	Windows Update.exe
576	Windows Update.exe

Loads dropped DLL 2 IoCs

Processes:

64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exeWindows Update.exe

pid	Process
1868	64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exe
828	Windows Update.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 2 IoCs

Processes:

64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exeWindows Update.exe

description	pid	Process	procid_target
PID 1528 set thread context of 1868	1528	64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exe	27
PID 828 set thread context of 576	828	Windows Update.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exe

pid	Process
1512	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Windows Update.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	Windows Update.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Windows Update.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exeWindows Update.exeWindows Update.exe

description	pid	Process
Token: SeDebugPrivilege	1528	64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exe
Token: SeDebugPrivilege	828	Windows Update.exe
Token: SeDebugPrivilege	576	Windows Update.exe
Token: SeDebugPrivilege	576	Windows Update.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exe64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exeWindows Update.exe

description	pid	Process	procid_target
PID 1528 wrote to memory of 1868	1528	64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exe	27
PID 1528 wrote to memory of 1868	1528	64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exe	27
PID 1528 wrote to memory of 1868	1528	64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exe	27
PID 1528 wrote to memory of 1868	1528	64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exe	27
PID 1528 wrote to memory of 1868	1528	64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exe	27
PID 1528 wrote to memory of 1868	1528	64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exe	27
PID 1528 wrote to memory of 1868	1528	64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exe	27
PID 1528 wrote to memory of 1868	1528	64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exe	27
PID 1528 wrote to memory of 1868	1528	64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exe	27
PID 1528 wrote to memory of 1868	1528	64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exe	27
PID 1528 wrote to memory of 1868	1528	64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exe	27
PID 1868 wrote to memory of 1512	1868	64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exe	29
PID 1868 wrote to memory of 1512	1868	64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exe	29
PID 1868 wrote to memory of 1512	1868	64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exe	29
PID 1868 wrote to memory of 1512	1868	64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exe	29
PID 1868 wrote to memory of 828	1868	64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exe	31
PID 1868 wrote to memory of 828	1868	64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exe	31
PID 1868 wrote to memory of 828	1868	64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exe	31
PID 1868 wrote to memory of 828	1868	64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exe	31
PID 1868 wrote to memory of 828	1868	64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exe	31
PID 1868 wrote to memory of 828	1868	64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exe	31
PID 1868 wrote to memory of 828	1868	64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exe	31
PID 828 wrote to memory of 576	828	Windows Update.exe	32
PID 828 wrote to memory of 576	828	Windows Update.exe	32
PID 828 wrote to memory of 576	828	Windows Update.exe	32
PID 828 wrote to memory of 576	828	Windows Update.exe	32
PID 828 wrote to memory of 576	828	Windows Update.exe	32
PID 828 wrote to memory of 576	828	Windows Update.exe	32
PID 828 wrote to memory of 576	828	Windows Update.exe	32
PID 828 wrote to memory of 576	828	Windows Update.exe	32
PID 828 wrote to memory of 576	828	Windows Update.exe	32
PID 828 wrote to memory of 576	828	Windows Update.exe	32
PID 828 wrote to memory of 576	828	Windows Update.exe	32

C:\Users\Admin\AppData\Local\Temp\64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exe
"C:\Users\Admin\AppData\Local\Temp\64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Users\Admin\AppData\Local\Temp\64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exe
  "C:\Users\Admin\AppData\Local\Temp\64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\Windows\Windows Update.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1512
- - C:\Users\Admin\Windows\Windows Update.exe
    "C:\Users\Admin\Windows\Windows Update.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Users\Admin\Windows\Windows Update.exe
      "C:\Users\Admin\Windows\Windows Update.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Windows\Windows Update.exe

Filesize
330KB

MD5
88157978da35d52fee44f25b3610aa60

SHA1
d67d981b38b82002f2f9e9e45c5c489368e8cda7

SHA256
64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc

SHA512
4a6bf3ecf6763d569fc26c8cae61b38c07f27594954cb2448ade77aa7ae584fc7ae118463d14826cffd2ec4d5ecd77fd04861b5ed98a77f752357cb9860c29b2

Download Submit
C:\Users\Admin\Windows\Windows Update.exe

Filesize
330KB

MD5
88157978da35d52fee44f25b3610aa60

SHA1
d67d981b38b82002f2f9e9e45c5c489368e8cda7

SHA256
64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc

SHA512
4a6bf3ecf6763d569fc26c8cae61b38c07f27594954cb2448ade77aa7ae584fc7ae118463d14826cffd2ec4d5ecd77fd04861b5ed98a77f752357cb9860c29b2

Download Submit
C:\Users\Admin\Windows\Windows Update.exe

Filesize
330KB

MD5
88157978da35d52fee44f25b3610aa60

SHA1
d67d981b38b82002f2f9e9e45c5c489368e8cda7

SHA256
64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc

SHA512
4a6bf3ecf6763d569fc26c8cae61b38c07f27594954cb2448ade77aa7ae584fc7ae118463d14826cffd2ec4d5ecd77fd04861b5ed98a77f752357cb9860c29b2

Download Submit
\Users\Admin\Windows\Windows Update.exe

Filesize
330KB

MD5
88157978da35d52fee44f25b3610aa60

SHA1
d67d981b38b82002f2f9e9e45c5c489368e8cda7

SHA256
64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc

SHA512
4a6bf3ecf6763d569fc26c8cae61b38c07f27594954cb2448ade77aa7ae584fc7ae118463d14826cffd2ec4d5ecd77fd04861b5ed98a77f752357cb9860c29b2

Download Submit
\Users\Admin\Windows\Windows Update.exe

Filesize
330KB

MD5
88157978da35d52fee44f25b3610aa60

SHA1
d67d981b38b82002f2f9e9e45c5c489368e8cda7

SHA256
64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc

SHA512
4a6bf3ecf6763d569fc26c8cae61b38c07f27594954cb2448ade77aa7ae584fc7ae118463d14826cffd2ec4d5ecd77fd04861b5ed98a77f752357cb9860c29b2

Download Submit
memory/576-79-0x0000000000408D5E-mapping.dmp

Download
memory/828-72-0x0000000000850000-0x00000000008A8000-memory.dmp

Filesize
352KB

Download
memory/828-69-0x0000000000000000-mapping.dmp

Download
memory/1512-66-0x0000000000000000-mapping.dmp

Download
memory/1528-55-0x0000000000470000-0x0000000000478000-memory.dmp

Filesize
32KB

Download
memory/1528-54-0x0000000000D40000-0x0000000000D98000-memory.dmp

Filesize
352KB

Download
memory/1868-60-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1868-67-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download
memory/1868-65-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1868-63-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1868-61-0x0000000000408D5E-mapping.dmp

Download
memory/1868-59-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1868-56-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1868-57-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download