limerat | 98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe
Size

332KB
MD5

a3e1ee0eaca1c17b5c1956bd09d198b0
SHA1

840f647a39d9d520441ebc4d8f58e215fbcafcd3
SHA256

98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7
SHA512

189bbf227ef0886d2a2154f9effa76882024ba5a21f2fbdcbb90dce28473e77a216e9a0a509c221c7add03be36f835819fc710128fe03d5f828638702294f59e
SSDEEP

6144:rP0d79h8N+c8ruZNX0d8vHDOCELIu/Q7gQQBjsj6tD4IA4T1qR:ro9CF+SNXUAHkP/SPQBjsrm1

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Attributes

aes_key
IRj3SceatjDfweW/qMMw7g==
antivm
true
c2_url
https://pastebin.com/raw/p8Be8nNX
delay
3
download_payload
false
install
true
install_name
Windows Update.exe
main_folder
UserProfile
pin_spread
false
sub_folder
\Windows\
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Executes dropped EXE 2 IoCs

Processes:

Windows Update.exeWindows Update.exe

pid	Process
980	Windows Update.exe
1660	Windows Update.exe

Loads dropped DLL 2 IoCs

Processes:

98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exeWindows Update.exe

pid	Process
1088	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe
980	Windows Update.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 2 IoCs

Processes:

98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exeWindows Update.exe

description	pid	Process	procid_target
PID 1204 set thread context of 1088	1204	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	27
PID 980 set thread context of 1660	980	Windows Update.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exe

pid	Process
1044	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exeWindows Update.exeWindows Update.exe

description	pid	Process
Token: SeDebugPrivilege	1204	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe
Token: SeDebugPrivilege	980	Windows Update.exe
Token: SeDebugPrivilege	1660	Windows Update.exe
Token: SeDebugPrivilege	1660	Windows Update.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exeWindows Update.exe

description	pid	Process	procid_target
PID 1204 wrote to memory of 1088	1204	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	27
PID 1204 wrote to memory of 1088	1204	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	27
PID 1204 wrote to memory of 1088	1204	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	27
PID 1204 wrote to memory of 1088	1204	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	27
PID 1204 wrote to memory of 1088	1204	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	27
PID 1204 wrote to memory of 1088	1204	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	27
PID 1204 wrote to memory of 1088	1204	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	27
PID 1204 wrote to memory of 1088	1204	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	27
PID 1204 wrote to memory of 1088	1204	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	27
PID 1204 wrote to memory of 1088	1204	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	27
PID 1204 wrote to memory of 1088	1204	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	27
PID 1088 wrote to memory of 1044	1088	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	29
PID 1088 wrote to memory of 1044	1088	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	29
PID 1088 wrote to memory of 1044	1088	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	29
PID 1088 wrote to memory of 1044	1088	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	29
PID 1088 wrote to memory of 980	1088	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	31
PID 1088 wrote to memory of 980	1088	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	31
PID 1088 wrote to memory of 980	1088	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	31
PID 1088 wrote to memory of 980	1088	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	31
PID 1088 wrote to memory of 980	1088	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	31
PID 1088 wrote to memory of 980	1088	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	31
PID 1088 wrote to memory of 980	1088	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	31
PID 980 wrote to memory of 1660	980	Windows Update.exe	32
PID 980 wrote to memory of 1660	980	Windows Update.exe	32
PID 980 wrote to memory of 1660	980	Windows Update.exe	32
PID 980 wrote to memory of 1660	980	Windows Update.exe	32
PID 980 wrote to memory of 1660	980	Windows Update.exe	32
PID 980 wrote to memory of 1660	980	Windows Update.exe	32
PID 980 wrote to memory of 1660	980	Windows Update.exe	32
PID 980 wrote to memory of 1660	980	Windows Update.exe	32
PID 980 wrote to memory of 1660	980	Windows Update.exe	32
PID 980 wrote to memory of 1660	980	Windows Update.exe	32
PID 980 wrote to memory of 1660	980	Windows Update.exe	32

C:\Users\Admin\AppData\Local\Temp\98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe
"C:\Users\Admin\AppData\Local\Temp\98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe
  "C:\Users\Admin\AppData\Local\Temp\98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\Windows\Windows Update.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1044
- - C:\Users\Admin\Windows\Windows Update.exe
    "C:\Users\Admin\Windows\Windows Update.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\Users\Admin\Windows\Windows Update.exe
      "C:\Users\Admin\Windows\Windows Update.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Windows\Windows Update.exe

Filesize
332KB

MD5
a3e1ee0eaca1c17b5c1956bd09d198b0

SHA1
840f647a39d9d520441ebc4d8f58e215fbcafcd3

SHA256
98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7

SHA512
189bbf227ef0886d2a2154f9effa76882024ba5a21f2fbdcbb90dce28473e77a216e9a0a509c221c7add03be36f835819fc710128fe03d5f828638702294f59e

Download Submit
C:\Users\Admin\Windows\Windows Update.exe

Filesize
332KB

MD5
a3e1ee0eaca1c17b5c1956bd09d198b0

SHA1
840f647a39d9d520441ebc4d8f58e215fbcafcd3

SHA256
98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7

SHA512
189bbf227ef0886d2a2154f9effa76882024ba5a21f2fbdcbb90dce28473e77a216e9a0a509c221c7add03be36f835819fc710128fe03d5f828638702294f59e

Download Submit
C:\Users\Admin\Windows\Windows Update.exe

Filesize
332KB

MD5
a3e1ee0eaca1c17b5c1956bd09d198b0

SHA1
840f647a39d9d520441ebc4d8f58e215fbcafcd3

SHA256
98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7

SHA512
189bbf227ef0886d2a2154f9effa76882024ba5a21f2fbdcbb90dce28473e77a216e9a0a509c221c7add03be36f835819fc710128fe03d5f828638702294f59e

Download Submit
\Users\Admin\Windows\Windows Update.exe

Filesize
332KB

MD5
a3e1ee0eaca1c17b5c1956bd09d198b0

SHA1
840f647a39d9d520441ebc4d8f58e215fbcafcd3

SHA256
98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7

SHA512
189bbf227ef0886d2a2154f9effa76882024ba5a21f2fbdcbb90dce28473e77a216e9a0a509c221c7add03be36f835819fc710128fe03d5f828638702294f59e

Download Submit
\Users\Admin\Windows\Windows Update.exe

Filesize
332KB

MD5
a3e1ee0eaca1c17b5c1956bd09d198b0

SHA1
840f647a39d9d520441ebc4d8f58e215fbcafcd3

SHA256
98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7

SHA512
189bbf227ef0886d2a2154f9effa76882024ba5a21f2fbdcbb90dce28473e77a216e9a0a509c221c7add03be36f835819fc710128fe03d5f828638702294f59e

Download Submit
memory/980-69-0x0000000000000000-mapping.dmp

Download
memory/980-72-0x0000000000BA0000-0x0000000000BFA000-memory.dmp

Filesize
360KB

Download
memory/1044-66-0x0000000000000000-mapping.dmp

Download
memory/1088-60-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1088-56-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1088-67-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1088-57-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1088-59-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1088-63-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1088-65-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1088-61-0x0000000000408D5E-mapping.dmp

Download
memory/1204-54-0x0000000000240000-0x000000000029A000-memory.dmp

Filesize
360KB

Download
memory/1204-55-0x00000000005A0000-0x00000000005A8000-memory.dmp

Filesize
32KB

Download
memory/1660-84-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1660-82-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1660-79-0x0000000000408D5E-mapping.dmp

Download