limerat | 9fd04a33577137b35d9fbe5ac37b8bc59fe107a259fc9430c2492afeaab80842

Analysis

max time kernel
151s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-03-2023 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
Size

12.9MB
MD5

a364b35d4dbdcf328367df843a6286c1
SHA1

31a54c5118109afa7d5c7c465bb4d3b25c947284
SHA256

78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66
SHA512

e0687836489ea4cf25fb2b58105a46666a46a447acd01e291a5646928a12e469031f2936087cded0e7eee869cb6e71784c588cd61812387073ba4d0b637c6826
SSDEEP

196608:Lg+Aalc1yGZIh6L5iYl/dsy+7d3tFELLs1cAm6f971YAmX1ZK1vauo9Dn:Lgsl5hef1k7ptmQbm6fnmlZsoRn

Score

10^/10

limerat quasar storage persistence rat spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

storage

xmarvel.ddns.net:4782

2.58.56.188:4782

Mutex

Slbw7KtgA7WecQEqcR

Attributes

encryption_key
BTg0dEybEXwn6MM90CP2
install_name
ccleaner.exe
log_directory
windowfirewalls
reconnect_delay
1
startup_key
windowsfirewall.msc
subdirectory
windowsfirewall

Extracted

Family

limerat

Wallets

13WHQ6XEobZYNAjHZPJHkDuzMS8TpgkRqm

Attributes

aes_key
key
antivm
true
c2_url
https://pastebin.com/raw/nW4J6TiP
delay
3
download_payload
false
install
true
install_name
windowsdefender.exe
main_folder
AppData
pin_spread
false
sub_folder
\
usb_spread
true

Extracted

Family

quasar

Attributes

reconnect_delay
1

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 16 IoCs

resource	yara_rule
behavioral1/files/0x00090000000126e0-60.dat	family_quasar
behavioral1/files/0x00090000000126e0-62.dat	family_quasar
behavioral1/files/0x00090000000126e0-64.dat	family_quasar
behavioral1/files/0x00090000000126e0-69.dat	family_quasar
behavioral1/files/0x00090000000126e0-67.dat	family_quasar
behavioral1/files/0x00090000000126e0-71.dat	family_quasar
behavioral1/files/0x00090000000126e0-77.dat	family_quasar
behavioral1/memory/852-94-0x0000000000090000-0x00000000000DE000-memory.dmp	family_quasar
behavioral1/files/0x0007000000013473-104.dat	family_quasar
behavioral1/files/0x0007000000013473-107.dat	family_quasar
behavioral1/files/0x0007000000013473-108.dat	family_quasar
behavioral1/memory/844-109-0x0000000000F80000-0x0000000000FCE000-memory.dmp	family_quasar
behavioral1/files/0x0007000000013473-125.dat	family_quasar
behavioral1/memory/1444-128-0x0000000004810000-0x0000000004850000-memory.dmp	family_quasar
behavioral1/files/0x0007000000013473-130.dat	family_quasar
behavioral1/memory/1888-132-0x0000000004A00000-0x0000000004A40000-memory.dmp	family_quasar

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NULXGA.lnk	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe

Executes dropped EXE 8 IoCs

pid	Process
852	OHITWG.exe
1468	HMAGXL.exe
844	ccleaner.exe
1960	windowsdefender.exe
1444	ccleaner.exe
1440	wfmsc.exe
1888	ccleaner.exe
1528	wfmsc.exe

Loads dropped DLL 11 IoCs

pid	Process
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
852	OHITWG.exe
1468	HMAGXL.exe
1468	HMAGXL.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\NULXGA = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\wfmsc.exe\""	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\windowsfirewall.msc = "\"C:\\Windows\\SysWOW64\\windowsfirewall\\ccleaner.exe\""	ccleaner.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00070000000133a3-126.dat	autoit_exe
behavioral1/files/0x00070000000133a3-127.dat	autoit_exe
behavioral1/files/0x00070000000133a3-131.dat	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe	ccleaner.exe
File opened for modification	C:\Windows\SysWOW64\windowsfirewall	ccleaner.exe
File created	C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe	OHITWG.exe
File opened for modification	C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe	OHITWG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
296	schtasks.exe
1684	schtasks.exe
860	schtasks.exe
1704	schtasks.exe
1268	schtasks.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\SecurityCenter2	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1960	windowsdefender.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	852	OHITWG.exe
Token: SeDebugPrivilege	844	ccleaner.exe
Token: SeDebugPrivilege	1960	windowsdefender.exe
Token: SeDebugPrivilege	1960	windowsdefender.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 852	2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	27
PID 2016 wrote to memory of 852	2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	27
PID 2016 wrote to memory of 852	2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	27
PID 2016 wrote to memory of 852	2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	27
PID 2016 wrote to memory of 1468	2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	28
PID 2016 wrote to memory of 1468	2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	28
PID 2016 wrote to memory of 1468	2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	28
PID 2016 wrote to memory of 1468	2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	28
PID 2016 wrote to memory of 1080	2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	29
PID 2016 wrote to memory of 1080	2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	29
PID 2016 wrote to memory of 1080	2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	29
PID 2016 wrote to memory of 1080	2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	29
PID 2016 wrote to memory of 1576	2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	31
PID 2016 wrote to memory of 1576	2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	31
PID 2016 wrote to memory of 1576	2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	31
PID 2016 wrote to memory of 1576	2016	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	31
PID 1080 wrote to memory of 296	1080	cmd.exe	32
PID 1080 wrote to memory of 296	1080	cmd.exe	32
PID 1080 wrote to memory of 296	1080	cmd.exe	32
PID 1080 wrote to memory of 296	1080	cmd.exe	32
PID 852 wrote to memory of 1684	852	OHITWG.exe	34
PID 852 wrote to memory of 1684	852	OHITWG.exe	34
PID 852 wrote to memory of 1684	852	OHITWG.exe	34
PID 852 wrote to memory of 1684	852	OHITWG.exe	34
PID 852 wrote to memory of 844	852	OHITWG.exe	36
PID 852 wrote to memory of 844	852	OHITWG.exe	36
PID 852 wrote to memory of 844	852	OHITWG.exe	36
PID 852 wrote to memory of 844	852	OHITWG.exe	36
PID 844 wrote to memory of 860	844	ccleaner.exe	37
PID 844 wrote to memory of 860	844	ccleaner.exe	37
PID 844 wrote to memory of 860	844	ccleaner.exe	37
PID 844 wrote to memory of 860	844	ccleaner.exe	37
PID 844 wrote to memory of 1704	844	ccleaner.exe	39
PID 844 wrote to memory of 1704	844	ccleaner.exe	39
PID 844 wrote to memory of 1704	844	ccleaner.exe	39
PID 844 wrote to memory of 1704	844	ccleaner.exe	39
PID 1468 wrote to memory of 1268	1468	HMAGXL.exe	41
PID 1468 wrote to memory of 1268	1468	HMAGXL.exe	41
PID 1468 wrote to memory of 1268	1468	HMAGXL.exe	41
PID 1468 wrote to memory of 1268	1468	HMAGXL.exe	41
PID 1468 wrote to memory of 1960	1468	HMAGXL.exe	43
PID 1468 wrote to memory of 1960	1468	HMAGXL.exe	43
PID 1468 wrote to memory of 1960	1468	HMAGXL.exe	43
PID 1468 wrote to memory of 1960	1468	HMAGXL.exe	43
PID 1364 wrote to memory of 1444	1364	taskeng.exe	45
PID 1364 wrote to memory of 1444	1364	taskeng.exe	45
PID 1364 wrote to memory of 1444	1364	taskeng.exe	45
PID 1364 wrote to memory of 1444	1364	taskeng.exe	45
PID 1364 wrote to memory of 1440	1364	taskeng.exe	46
PID 1364 wrote to memory of 1440	1364	taskeng.exe	46
PID 1364 wrote to memory of 1440	1364	taskeng.exe	46
PID 1364 wrote to memory of 1440	1364	taskeng.exe	46
PID 1364 wrote to memory of 1888	1364	taskeng.exe	47
PID 1364 wrote to memory of 1888	1364	taskeng.exe	47
PID 1364 wrote to memory of 1888	1364	taskeng.exe	47
PID 1364 wrote to memory of 1888	1364	taskeng.exe	47
PID 1364 wrote to memory of 1528	1364	taskeng.exe	48
PID 1364 wrote to memory of 1528	1364	taskeng.exe	48
PID 1364 wrote to memory of 1528	1364	taskeng.exe	48
PID 1364 wrote to memory of 1528	1364	taskeng.exe	48

C:\Users\Admin\AppData\Local\Temp\78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
"C:\Users\Admin\AppData\Local\Temp\78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\OHITWG.exe
  "C:\Users\Admin\AppData\Local\Temp\OHITWG.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "windowsfirewall.msc" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\OHITWG.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1684
- - C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe
    "C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:844
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "windowsfirewall.msc" /sc ONLOGON /tr "C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:860
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe" /sc MINUTE /MO 1
      4⤵
      Creates scheduled task(s)
      PID:1704
- C:\Users\Admin\AppData\Local\Temp\HMAGXL.exe
  "C:\Users\Admin\AppData\Local\Temp\HMAGXL.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\windowsdefender.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1268
- - C:\Users\Admin\AppData\Roaming\windowsdefender.exe
    "C:\Users\Admin\AppData\Roaming\windowsdefender.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn NULXGA.exe /tr C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe /sc minute /mo 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn NULXGA.exe /tr C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe /sc minute /mo 1
    3⤵
    - Creates scheduled task(s)
    PID:296
- C:\Windows\SysWOW64\WSCript.exe
  WSCript C:\Users\Admin\AppData\Local\Temp\NULXGA.vbs
  2⤵
  PID:1576

C:\Windows\system32\taskeng.exe
taskeng.exe {9AB676A9-2F25-4CE8-8C65-A9B56CD2615D} S-1-5-21-3948302646-268491222-1934009652-1000:KXZDHPUW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe
  C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe
  C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe
  C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe
  C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe
  2⤵
  - Executes dropped EXE
  PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HMAGXL.exe

Filesize
28KB

MD5
7cf120a9dad95a45232d7d6f3f87b067

SHA1
55b96683b6b78888e1d0463fed961b30c014dde7

SHA256
9449691939856bd53ccb28071c5fec85da01ba6e113e9088f545857171b5f7a3

SHA512
22eaa765f6ac881b3a47a5e614f1ef15abdb29f1aa8891fd90c05817faeb3a14a32c8661bae1760cace254784ff6b8079002ed9d06ff062390df976d15565efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMAGXL.exe

Filesize
28KB

MD5
7cf120a9dad95a45232d7d6f3f87b067

SHA1
55b96683b6b78888e1d0463fed961b30c014dde7

SHA256
9449691939856bd53ccb28071c5fec85da01ba6e113e9088f545857171b5f7a3

SHA512
22eaa765f6ac881b3a47a5e614f1ef15abdb29f1aa8891fd90c05817faeb3a14a32c8661bae1760cace254784ff6b8079002ed9d06ff062390df976d15565efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMAGXL.exe

Filesize
28KB

MD5
7cf120a9dad95a45232d7d6f3f87b067

SHA1
55b96683b6b78888e1d0463fed961b30c014dde7

SHA256
9449691939856bd53ccb28071c5fec85da01ba6e113e9088f545857171b5f7a3

SHA512
22eaa765f6ac881b3a47a5e614f1ef15abdb29f1aa8891fd90c05817faeb3a14a32c8661bae1760cace254784ff6b8079002ed9d06ff062390df976d15565efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\NULXGA.vbs

Filesize
948B

MD5
2d94dc5e1b1e922deaf3119b1b1d8648

SHA1
c85c5d042162fb93d4203a11be584e8bac150f68

SHA256
bb9979103ac1014befba3c91e7447e718e39fc878175444273eebbc11f72d7ab

SHA512
02fff2db493a4252a4ab8a6f10dffcb888c13e909825c40a4eeab305ac2221f27551b5a7772661ff5b0efa3c74163f0e8b1f0b45d940cd2187c72b4d73725ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OHITWG.exe

Filesize
288KB

MD5
473dada2898cd0c3f7bb193e784211a4

SHA1
f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

SHA256
827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

SHA512
3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OHITWG.exe

Filesize
288KB

MD5
473dada2898cd0c3f7bb193e784211a4

SHA1
f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

SHA256
827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

SHA512
3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OHITWG.exe

Filesize
288KB

MD5
473dada2898cd0c3f7bb193e784211a4

SHA1
f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

SHA256
827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

SHA512
3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

Download Submit
C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe

Filesize
12.9MB

MD5
a364b35d4dbdcf328367df843a6286c1

SHA1
31a54c5118109afa7d5c7c465bb4d3b25c947284

SHA256
78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66

SHA512
e0687836489ea4cf25fb2b58105a46666a46a447acd01e291a5646928a12e469031f2936087cded0e7eee869cb6e71784c588cd61812387073ba4d0b637c6826

Download Submit
C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe

Filesize
12.9MB

MD5
a364b35d4dbdcf328367df843a6286c1

SHA1
31a54c5118109afa7d5c7c465bb4d3b25c947284

SHA256
78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66

SHA512
e0687836489ea4cf25fb2b58105a46666a46a447acd01e291a5646928a12e469031f2936087cded0e7eee869cb6e71784c588cd61812387073ba4d0b637c6826

Download Submit
C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe

Filesize
12.9MB

MD5
a364b35d4dbdcf328367df843a6286c1

SHA1
31a54c5118109afa7d5c7c465bb4d3b25c947284

SHA256
78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66

SHA512
e0687836489ea4cf25fb2b58105a46666a46a447acd01e291a5646928a12e469031f2936087cded0e7eee869cb6e71784c588cd61812387073ba4d0b637c6826

Download Submit
C:\Users\Admin\AppData\Roaming\windowsdefender.exe

Filesize
28KB

MD5
7cf120a9dad95a45232d7d6f3f87b067

SHA1
55b96683b6b78888e1d0463fed961b30c014dde7

SHA256
9449691939856bd53ccb28071c5fec85da01ba6e113e9088f545857171b5f7a3

SHA512
22eaa765f6ac881b3a47a5e614f1ef15abdb29f1aa8891fd90c05817faeb3a14a32c8661bae1760cace254784ff6b8079002ed9d06ff062390df976d15565efd

Download Submit
C:\Users\Admin\AppData\Roaming\windowsdefender.exe

Filesize
28KB

MD5
7cf120a9dad95a45232d7d6f3f87b067

SHA1
55b96683b6b78888e1d0463fed961b30c014dde7

SHA256
9449691939856bd53ccb28071c5fec85da01ba6e113e9088f545857171b5f7a3

SHA512
22eaa765f6ac881b3a47a5e614f1ef15abdb29f1aa8891fd90c05817faeb3a14a32c8661bae1760cace254784ff6b8079002ed9d06ff062390df976d15565efd

Download Submit
C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe

Filesize
288KB

MD5
473dada2898cd0c3f7bb193e784211a4

SHA1
f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

SHA256
827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

SHA512
3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

Download Submit
C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe

Filesize
288KB

MD5
473dada2898cd0c3f7bb193e784211a4

SHA1
f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

SHA256
827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

SHA512
3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

Download Submit
C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe

Filesize
288KB

MD5
473dada2898cd0c3f7bb193e784211a4

SHA1
f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

SHA256
827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

SHA512
3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

Download Submit
C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe

Filesize
288KB

MD5
473dada2898cd0c3f7bb193e784211a4

SHA1
f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

SHA256
827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

SHA512
3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

Download Submit
\Users\Admin\AppData\Local\Temp\HMAGXL.exe

Filesize
28KB

MD5
7cf120a9dad95a45232d7d6f3f87b067

SHA1
55b96683b6b78888e1d0463fed961b30c014dde7

SHA256
9449691939856bd53ccb28071c5fec85da01ba6e113e9088f545857171b5f7a3

SHA512
22eaa765f6ac881b3a47a5e614f1ef15abdb29f1aa8891fd90c05817faeb3a14a32c8661bae1760cace254784ff6b8079002ed9d06ff062390df976d15565efd

Download Submit
\Users\Admin\AppData\Local\Temp\HMAGXL.exe

Filesize
28KB

MD5
7cf120a9dad95a45232d7d6f3f87b067

SHA1
55b96683b6b78888e1d0463fed961b30c014dde7

SHA256
9449691939856bd53ccb28071c5fec85da01ba6e113e9088f545857171b5f7a3

SHA512
22eaa765f6ac881b3a47a5e614f1ef15abdb29f1aa8891fd90c05817faeb3a14a32c8661bae1760cace254784ff6b8079002ed9d06ff062390df976d15565efd

Download Submit
\Users\Admin\AppData\Local\Temp\HMAGXL.exe

Filesize
28KB

MD5
7cf120a9dad95a45232d7d6f3f87b067

SHA1
55b96683b6b78888e1d0463fed961b30c014dde7

SHA256
9449691939856bd53ccb28071c5fec85da01ba6e113e9088f545857171b5f7a3

SHA512
22eaa765f6ac881b3a47a5e614f1ef15abdb29f1aa8891fd90c05817faeb3a14a32c8661bae1760cace254784ff6b8079002ed9d06ff062390df976d15565efd

Download Submit
\Users\Admin\AppData\Local\Temp\HMAGXL.exe

Filesize
28KB

MD5
7cf120a9dad95a45232d7d6f3f87b067

SHA1
55b96683b6b78888e1d0463fed961b30c014dde7

SHA256
9449691939856bd53ccb28071c5fec85da01ba6e113e9088f545857171b5f7a3

SHA512
22eaa765f6ac881b3a47a5e614f1ef15abdb29f1aa8891fd90c05817faeb3a14a32c8661bae1760cace254784ff6b8079002ed9d06ff062390df976d15565efd

Download Submit
\Users\Admin\AppData\Local\Temp\OHITWG.exe

Filesize
288KB

MD5
473dada2898cd0c3f7bb193e784211a4

SHA1
f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

SHA256
827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

SHA512
3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

Download Submit
\Users\Admin\AppData\Local\Temp\OHITWG.exe

Filesize
288KB

MD5
473dada2898cd0c3f7bb193e784211a4

SHA1
f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

SHA256
827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

SHA512
3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

Download Submit
\Users\Admin\AppData\Local\Temp\OHITWG.exe

Filesize
288KB

MD5
473dada2898cd0c3f7bb193e784211a4

SHA1
f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

SHA256
827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

SHA512
3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

Download Submit
\Users\Admin\AppData\Local\Temp\OHITWG.exe

Filesize
288KB

MD5
473dada2898cd0c3f7bb193e784211a4

SHA1
f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

SHA256
827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

SHA512
3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

Download Submit
\Users\Admin\AppData\Roaming\windowsdefender.exe

Filesize
28KB

MD5
7cf120a9dad95a45232d7d6f3f87b067

SHA1
55b96683b6b78888e1d0463fed961b30c014dde7

SHA256
9449691939856bd53ccb28071c5fec85da01ba6e113e9088f545857171b5f7a3

SHA512
22eaa765f6ac881b3a47a5e614f1ef15abdb29f1aa8891fd90c05817faeb3a14a32c8661bae1760cace254784ff6b8079002ed9d06ff062390df976d15565efd

Download Submit
\Users\Admin\AppData\Roaming\windowsdefender.exe

Filesize
28KB

MD5
7cf120a9dad95a45232d7d6f3f87b067

SHA1
55b96683b6b78888e1d0463fed961b30c014dde7

SHA256
9449691939856bd53ccb28071c5fec85da01ba6e113e9088f545857171b5f7a3

SHA512
22eaa765f6ac881b3a47a5e614f1ef15abdb29f1aa8891fd90c05817faeb3a14a32c8661bae1760cace254784ff6b8079002ed9d06ff062390df976d15565efd

Download Submit
\Windows\SysWOW64\windowsfirewall\ccleaner.exe

Filesize
288KB

MD5
473dada2898cd0c3f7bb193e784211a4

SHA1
f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

SHA256
827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

SHA512
3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

Download Submit
memory/844-123-0x0000000004B50000-0x0000000004B90000-memory.dmp

Filesize
256KB

Download
memory/844-110-0x0000000004B50000-0x0000000004B90000-memory.dmp

Filesize
256KB

Download
memory/844-109-0x0000000000F80000-0x0000000000FCE000-memory.dmp

Filesize
312KB

Download
memory/852-101-0x00000000046A0000-0x00000000046E0000-memory.dmp

Filesize
256KB

Download
memory/852-94-0x0000000000090000-0x00000000000DE000-memory.dmp

Filesize
312KB

Download
memory/1444-128-0x0000000004810000-0x0000000004850000-memory.dmp

Filesize
256KB

Download
memory/1468-93-0x0000000000F50000-0x0000000000F5C000-memory.dmp

Filesize
48KB

Download
memory/1888-132-0x0000000004A00000-0x0000000004A40000-memory.dmp

Filesize
256KB

Download
memory/1960-121-0x00000000001D0000-0x00000000001DC000-memory.dmp

Filesize
48KB

Download
memory/1960-122-0x0000000004B40000-0x0000000004B80000-memory.dmp

Filesize
256KB

Download
memory/1960-124-0x0000000001EB0000-0x0000000001ECE000-memory.dmp

Filesize
120KB

Download