Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/03/2023, 20:25
Static task: static1
Behavioral task: behavioral1
Sample: 199ecae9fa74c42c5dc46548596bc8bb.exe
Resource: win7-20230220-en
General
Target: 199ecae9fa74c42c5dc46548596bc8bb.exe
Size: 99KB
MD5: 199ecae9fa74c42c5dc46548596bc8bb
SHA1: a62a99b8ade6b1ce411aaa7a8d3b7c34ce6e285a
SHA256: 2cbf63527a0c56cf1cd265f78c2886af195b7635c8ff02c0bb02fc20f2cc1c8d
SHA512: 3d522d67e624be389c0b8be227c853a7127075fa2b2e38d2457c9d4a6a287122fa9eb466497f3ef6d3bd5f7430654d7b4e4abe4bbcc244e587027f3645d1b924
SSDEEP: 1536:OF4WWMJ7J+GMrFmCxuNCTwChaKExEbbaaYoOgGK:84W/Wbth5bbTmgGK
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation
  Process: 199ecae9fa74c42c5dc46548596bc8bb.exe
- Executes dropped EXE (1 IoC)
  pid 852, Process JavaUpdate.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2060, Process schtasks.exe
- Suspicious behavior: EnumeratesProcesses (22 IoCs)
  pid 852, Process JavaUpdate.exe (22 identical entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description Token: SeDebugPrivilege, pid 852, Process JavaUpdate.exe (2 identical entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 1916 wrote to memory of 2060; pid 1916; Process 199ecae9fa74c42c5dc46548596bc8bb.exe; procid_target 90 (3 identical entries)
  description: PID 1916 wrote to memory of 852; pid 1916; Process 199ecae9fa74c42c5dc46548596bc8bb.exe; procid_target 92 (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\199ecae9fa74c42c5dc46548596bc8bb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\199ecae9fa74c42c5dc46548596bc8bb.exe"
  PID: 1916 (level 1)
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\JavaUpdate\JavaUpdate.exe'"
    PID: 2060 (level 2)
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Roaming\JavaUpdate\JavaUpdate.exe
    Command line: "C:\Users\Admin\AppData\Roaming\JavaUpdate\JavaUpdate.exe"
    PID: 852 (level 2)
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 99KB
  MD5: 199ecae9fa74c42c5dc46548596bc8bb
  SHA1: a62a99b8ade6b1ce411aaa7a8d3b7c34ce6e285a
  SHA256: 2cbf63527a0c56cf1cd265f78c2886af195b7635c8ff02c0bb02fc20f2cc1c8d
  SHA512: 3d522d67e624be389c0b8be227c853a7127075fa2b2e38d2457c9d4a6a287122fa9eb466497f3ef6d3bd5f7430654d7b4e4abe4bbcc244e587027f3645d1b924