Overview

overview

10

Static

static

1

51a36cbd55...bd.exe

windows7-x64

10

51a36cbd55...bd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    11-03-2023 08:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    51a36cbd556bcca8b3df6c7ef59e561a2e1a0672abe2033e87712958b07275bd.exe

  • Size

    764KB

  • MD5

    cac78b51b4ae8c359115955f5611f2a5

  • SHA1

    7f5f6600ba423235b87beb9d47239edc4bbbce48

  • SHA256

    51a36cbd556bcca8b3df6c7ef59e561a2e1a0672abe2033e87712958b07275bd

  • SHA512

    85e176cde37e66728da1e9aeb641ef06ed67b41b95c1cbc4b8c8fcb2411e3632784f1a023acb07aac2363944433767fc044acb1986a83478d658db54f6177b91

  • SSDEEP

    12288:kIAAhJZaF75GF2ibA6Sm/HO5J9MdpNNR36UH+4ahldt8VU2EfPrHLEgkMnJ6PMWT:LAxb8AJovPR36UH+4C6u2E3TzwBT

Score
10/10
limeratrat

Malware Config

Extracted

Family

limerat

Wallets

1LLUV51XQKqq94X965Cc6uGPXeZEGSqCdV

Attributes
  • aes_key

    NYANCAT

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/4pByu6u5

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Wservices.exe

  • main_folder

    AppData

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    true

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

    ratlimerat
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\51a36cbd556bcca8b3df6c7ef59e561a2e1a0672abe2033e87712958b07275bd.exe
    "C:\Users\Admin\AppData\Local\Temp\51a36cbd556bcca8b3df6c7ef59e561a2e1a0672abe2033e87712958b07275bd.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KzSuNlCQoYKnH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCCB2.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1260
    • C:\Users\Admin\AppData\Local\Temp\51a36cbd556bcca8b3df6c7ef59e561a2e1a0672abe2033e87712958b07275bd.exe
      "C:\Users\Admin\AppData\Local\Temp\51a36cbd556bcca8b3df6c7ef59e561a2e1a0672abe2033e87712958b07275bd.exe"
      2⤵
        PID:984
      • C:\Users\Admin\AppData\Local\Temp\51a36cbd556bcca8b3df6c7ef59e561a2e1a0672abe2033e87712958b07275bd.exe
        "C:\Users\Admin\AppData\Local\Temp\51a36cbd556bcca8b3df6c7ef59e561a2e1a0672abe2033e87712958b07275bd.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1448

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpCCB2.tmp
      Filesize

      1KB

      MD5

      e035d15301e0d4bcdabe3758bf5d2d5f

      SHA1

      bdebd21b63ad077429510cb8d8dd6ef7e9bf25ff

      SHA256

      2187b68d9dc520f7165c2d040214a1598624edd3f162b7835abe8ba9885d0ea8

      SHA512

      673651bfcaf9cba9ff08f2650333515220cc66de4528752953506f81822a391808d15cddb6bb0e026708dd2119872b87d86bfc0b0a71de63a2c637127827a29a

      Download Submit

    • memory/1400-54-0x00000000011C0000-0x0000000001282000-memory.dmp

      Filesize

      776KB

      Download

    • memory/1400-55-0x0000000004DF0000-0x0000000004E30000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1400-56-0x0000000000420000-0x0000000000436000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1400-57-0x0000000004E30000-0x0000000004EB6000-memory.dmp

      Filesize

      536KB

      Download

    • memory/1400-58-0x0000000000E50000-0x0000000000E9A000-memory.dmp

      Filesize

      296KB

      Download

    • memory/1448-64-0x0000000000400000-0x000000000040C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1448-66-0x0000000000400000-0x000000000040C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1448-65-0x0000000000400000-0x000000000040C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1448-67-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1448-68-0x0000000000400000-0x000000000040C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1448-70-0x0000000000400000-0x000000000040C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1448-72-0x0000000000400000-0x000000000040C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1448-73-0x0000000001170000-0x00000000011B0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1448-74-0x0000000001170000-0x00000000011B0000-memory.dmp

      Filesize

      256KB

      Download