Analysis

  • max time kernel
    213s
  • max time network
    289s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-01-2023 19:23

General

  • Target

    7ad16b89dca2eb27739b917c6c5bbc36d79d9569a894f885b24123798a4e23dd.exe

  • Size

    788KB

  • MD5

    ccbd4702039d93625bb570203cf02e82

  • SHA1

    2f7ffe46081765f24c9ec249535968f6b2dad2f2

  • SHA256

    7ad16b89dca2eb27739b917c6c5bbc36d79d9569a894f885b24123798a4e23dd

  • SHA512

    80e7c5572f1feb44ef2b3f7265a2d03b3bfe89bcbbcfcf666bc7d627912d2fd8c59909dda805288e0570846662433a693f3ad577370ec3027bdd2d7c21c2540f

  • SSDEEP

    6144:M+rw37ApOBEbdRjeijEfU3XYfu+xYFeHxms6lCZ6TF2GNgCnpGlbLG6faG5rzfFR:ELnjf4utUIMGlnGeaPXBhg

Score
10/10

Malware Config

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ad16b89dca2eb27739b917c6c5bbc36d79d9569a894f885b24123798a4e23dd.exe
    "C:\Users\Admin\AppData\Local\Temp\7ad16b89dca2eb27739b917c6c5bbc36d79d9569a894f885b24123798a4e23dd.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3532
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\Audio Realtek \Audio Realtek Driver.exe'"
      2⤵
      • Creates scheduled task(s)
      PID:4736

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/3532-132-0x0000000000590000-0x000000000065A000-memory.dmp

    Filesize

    808KB

  • memory/3532-133-0x0000000004E90000-0x0000000004F2C000-memory.dmp

    Filesize

    624KB

  • memory/3532-134-0x0000000004F80000-0x0000000004FE6000-memory.dmp

    Filesize

    408KB

  • memory/3532-135-0x0000000005CB0000-0x0000000006254000-memory.dmp

    Filesize

    5.6MB

  • memory/4736-136-0x0000000000000000-mapping.dmp