limerat | 50e243b9f1481a581e8e8c2a5101f3ef43253adb873bb7c6ca4eb1ce3c7e9d61

Analysis

max time kernel
151s
max time network
150s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-03-2023 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
Size

12.9MB
MD5

a364b35d4dbdcf328367df843a6286c1
SHA1

31a54c5118109afa7d5c7c465bb4d3b25c947284
SHA256

78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66
SHA512

e0687836489ea4cf25fb2b58105a46666a46a447acd01e291a5646928a12e469031f2936087cded0e7eee869cb6e71784c588cd61812387073ba4d0b637c6826
SSDEEP

196608:Lg+Aalc1yGZIh6L5iYl/dsy+7d3tFELLs1cAm6f971YAmX1ZK1vauo9Dn:Lgsl5hef1k7ptmQbm6fnmlZsoRn

Score

10^/10

limerat quasar storage persistence rat spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

storage

xmarvel.ddns.net:4782

2.58.56.188:4782

Mutex

Slbw7KtgA7WecQEqcR

Attributes

encryption_key
BTg0dEybEXwn6MM90CP2
install_name
ccleaner.exe
log_directory
windowfirewalls
reconnect_delay
1
startup_key
windowsfirewall.msc
subdirectory
windowsfirewall

Extracted

Family

limerat

Wallets

13WHQ6XEobZYNAjHZPJHkDuzMS8TpgkRqm

Attributes

aes_key
key
antivm
true
c2_url
https://pastebin.com/raw/nW4J6TiP
delay
3
download_payload
false
install
true
install_name
windowsdefender.exe
main_folder
AppData
pin_spread
false
sub_folder
\
usb_spread
true

Extracted

Family

quasar

Attributes

reconnect_delay
1

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 16 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000122fe-60.dat	family_quasar
behavioral1/files/0x000b0000000122fe-62.dat	family_quasar
behavioral1/files/0x000b0000000122fe-69.dat	family_quasar
behavioral1/files/0x000b0000000122fe-67.dat	family_quasar
behavioral1/files/0x000b0000000122fe-64.dat	family_quasar
behavioral1/files/0x000b0000000122fe-71.dat	family_quasar
behavioral1/files/0x000b0000000122fe-79.dat	family_quasar
behavioral1/memory/604-94-0x00000000008B0000-0x00000000008FE000-memory.dmp	family_quasar
behavioral1/memory/604-101-0x0000000002330000-0x0000000002370000-memory.dmp	family_quasar
behavioral1/files/0x0007000000012693-104.dat	family_quasar
behavioral1/files/0x0007000000012693-107.dat	family_quasar
behavioral1/files/0x0007000000012693-108.dat	family_quasar
behavioral1/memory/1376-109-0x0000000000C20000-0x0000000000C6E000-memory.dmp	family_quasar
behavioral1/files/0x0007000000012693-123.dat	family_quasar
behavioral1/files/0x0007000000012693-130.dat	family_quasar
behavioral1/files/0x0007000000012693-133.dat	family_quasar

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NULXGA.lnk	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe

Executes dropped EXE 10 IoCs

pid	Process
604	OHITWG.exe
1116	HMAGXL.exe
1376	ccleaner.exe
1232	windowsdefender.exe
1668	ccleaner.exe
1800	wfmsc.exe
1316	ccleaner.exe
796	wfmsc.exe
784	ccleaner.exe
936	wfmsc.exe

Loads dropped DLL 11 IoCs

pid	Process
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
604	OHITWG.exe
1116	HMAGXL.exe
1116	HMAGXL.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\NULXGA = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\wfmsc.exe\""	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\windowsfirewall.msc = "\"C:\\Windows\\SysWOW64\\windowsfirewall\\ccleaner.exe\""	ccleaner.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0008000000012321-122.dat	autoit_exe
behavioral1/files/0x0008000000012321-124.dat	autoit_exe
behavioral1/files/0x0008000000012321-131.dat	autoit_exe
behavioral1/files/0x0008000000012321-134.dat	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe	OHITWG.exe
File opened for modification	C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe	OHITWG.exe
File opened for modification	C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe	ccleaner.exe
File opened for modification	C:\Windows\SysWOW64\windowsfirewall	ccleaner.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1688	schtasks.exe
1508	schtasks.exe
468	schtasks.exe
1616	schtasks.exe
896	schtasks.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\SecurityCenter2	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	604	OHITWG.exe
Token: SeDebugPrivilege	1376	ccleaner.exe
Token: SeDebugPrivilege	1232	windowsdefender.exe
Token: SeDebugPrivilege	1232	windowsdefender.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 604	1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	28
PID 1740 wrote to memory of 604	1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	28
PID 1740 wrote to memory of 604	1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	28
PID 1740 wrote to memory of 604	1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	28
PID 1740 wrote to memory of 1116	1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	29
PID 1740 wrote to memory of 1116	1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	29
PID 1740 wrote to memory of 1116	1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	29
PID 1740 wrote to memory of 1116	1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	29
PID 1740 wrote to memory of 740	1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	30
PID 1740 wrote to memory of 740	1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	30
PID 1740 wrote to memory of 740	1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	30
PID 1740 wrote to memory of 740	1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	30
PID 1740 wrote to memory of 584	1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	32
PID 1740 wrote to memory of 584	1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	32
PID 1740 wrote to memory of 584	1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	32
PID 1740 wrote to memory of 584	1740	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	32
PID 740 wrote to memory of 896	740	cmd.exe	33
PID 740 wrote to memory of 896	740	cmd.exe	33
PID 740 wrote to memory of 896	740	cmd.exe	33
PID 740 wrote to memory of 896	740	cmd.exe	33
PID 604 wrote to memory of 1688	604	OHITWG.exe	35
PID 604 wrote to memory of 1688	604	OHITWG.exe	35
PID 604 wrote to memory of 1688	604	OHITWG.exe	35
PID 604 wrote to memory of 1688	604	OHITWG.exe	35
PID 604 wrote to memory of 1376	604	OHITWG.exe	37
PID 604 wrote to memory of 1376	604	OHITWG.exe	37
PID 604 wrote to memory of 1376	604	OHITWG.exe	37
PID 604 wrote to memory of 1376	604	OHITWG.exe	37
PID 1376 wrote to memory of 1508	1376	ccleaner.exe	38
PID 1376 wrote to memory of 1508	1376	ccleaner.exe	38
PID 1376 wrote to memory of 1508	1376	ccleaner.exe	38
PID 1376 wrote to memory of 1508	1376	ccleaner.exe	38
PID 1376 wrote to memory of 468	1376	ccleaner.exe	40
PID 1376 wrote to memory of 468	1376	ccleaner.exe	40
PID 1376 wrote to memory of 468	1376	ccleaner.exe	40
PID 1376 wrote to memory of 468	1376	ccleaner.exe	40
PID 1116 wrote to memory of 1616	1116	HMAGXL.exe	42
PID 1116 wrote to memory of 1616	1116	HMAGXL.exe	42
PID 1116 wrote to memory of 1616	1116	HMAGXL.exe	42
PID 1116 wrote to memory of 1616	1116	HMAGXL.exe	42
PID 1116 wrote to memory of 1232	1116	HMAGXL.exe	44
PID 1116 wrote to memory of 1232	1116	HMAGXL.exe	44
PID 1116 wrote to memory of 1232	1116	HMAGXL.exe	44
PID 1116 wrote to memory of 1232	1116	HMAGXL.exe	44
PID 828 wrote to memory of 1668	828	taskeng.exe	46
PID 828 wrote to memory of 1668	828	taskeng.exe	46
PID 828 wrote to memory of 1668	828	taskeng.exe	46
PID 828 wrote to memory of 1668	828	taskeng.exe	46
PID 828 wrote to memory of 1800	828	taskeng.exe	47
PID 828 wrote to memory of 1800	828	taskeng.exe	47
PID 828 wrote to memory of 1800	828	taskeng.exe	47
PID 828 wrote to memory of 1800	828	taskeng.exe	47
PID 828 wrote to memory of 1316	828	taskeng.exe	48
PID 828 wrote to memory of 1316	828	taskeng.exe	48
PID 828 wrote to memory of 1316	828	taskeng.exe	48
PID 828 wrote to memory of 1316	828	taskeng.exe	48
PID 828 wrote to memory of 796	828	taskeng.exe	49
PID 828 wrote to memory of 796	828	taskeng.exe	49
PID 828 wrote to memory of 796	828	taskeng.exe	49
PID 828 wrote to memory of 796	828	taskeng.exe	49
PID 828 wrote to memory of 784	828	taskeng.exe	50
PID 828 wrote to memory of 784	828	taskeng.exe	50
PID 828 wrote to memory of 784	828	taskeng.exe	50
PID 828 wrote to memory of 784	828	taskeng.exe	50

C:\Users\Admin\AppData\Local\Temp\78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
"C:\Users\Admin\AppData\Local\Temp\78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\OHITWG.exe
  "C:\Users\Admin\AppData\Local\Temp\OHITWG.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:604
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "windowsfirewall.msc" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\OHITWG.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1688
- - C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe
    "C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "windowsfirewall.msc" /sc ONLOGON /tr "C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:1508
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe" /sc MINUTE /MO 1
      4⤵
      Creates scheduled task(s)
      PID:468
- C:\Users\Admin\AppData\Local\Temp\HMAGXL.exe
  "C:\Users\Admin\AppData\Local\Temp\HMAGXL.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\windowsdefender.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1616
- - C:\Users\Admin\AppData\Roaming\windowsdefender.exe
    "C:\Users\Admin\AppData\Roaming\windowsdefender.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn NULXGA.exe /tr C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe /sc minute /mo 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn NULXGA.exe /tr C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe /sc minute /mo 1
    3⤵
    - Creates scheduled task(s)
    PID:896
- C:\Windows\SysWOW64\WSCript.exe
  WSCript C:\Users\Admin\AppData\Local\Temp\NULXGA.vbs
  2⤵
  PID:584

C:\Windows\system32\taskeng.exe
taskeng.exe {CE28FAFE-AA13-4D87-9396-7436FABDF0B2} S-1-5-21-3948302646-268491222-1934009652-1000:KXZDHPUW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:828
- C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe
  C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe
  C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe
  C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe
  C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe
  2⤵
  - Executes dropped EXE
  PID:796
- C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe
  C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe
  C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe
  2⤵
  - Executes dropped EXE
  PID:936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HMAGXL.exe

Filesize
28KB

MD5
7cf120a9dad95a45232d7d6f3f87b067

SHA1
55b96683b6b78888e1d0463fed961b30c014dde7

SHA256
9449691939856bd53ccb28071c5fec85da01ba6e113e9088f545857171b5f7a3

SHA512
22eaa765f6ac881b3a47a5e614f1ef15abdb29f1aa8891fd90c05817faeb3a14a32c8661bae1760cace254784ff6b8079002ed9d06ff062390df976d15565efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMAGXL.exe

Filesize
28KB

MD5
7cf120a9dad95a45232d7d6f3f87b067

SHA1
55b96683b6b78888e1d0463fed961b30c014dde7

SHA256
9449691939856bd53ccb28071c5fec85da01ba6e113e9088f545857171b5f7a3

SHA512
22eaa765f6ac881b3a47a5e614f1ef15abdb29f1aa8891fd90c05817faeb3a14a32c8661bae1760cace254784ff6b8079002ed9d06ff062390df976d15565efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMAGXL.exe

Filesize
28KB

MD5
7cf120a9dad95a45232d7d6f3f87b067

SHA1
55b96683b6b78888e1d0463fed961b30c014dde7

SHA256
9449691939856bd53ccb28071c5fec85da01ba6e113e9088f545857171b5f7a3

SHA512
22eaa765f6ac881b3a47a5e614f1ef15abdb29f1aa8891fd90c05817faeb3a14a32c8661bae1760cace254784ff6b8079002ed9d06ff062390df976d15565efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\NULXGA.vbs

Filesize
948B

MD5
2d94dc5e1b1e922deaf3119b1b1d8648

SHA1
c85c5d042162fb93d4203a11be584e8bac150f68

SHA256
bb9979103ac1014befba3c91e7447e718e39fc878175444273eebbc11f72d7ab

SHA512
02fff2db493a4252a4ab8a6f10dffcb888c13e909825c40a4eeab305ac2221f27551b5a7772661ff5b0efa3c74163f0e8b1f0b45d940cd2187c72b4d73725ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OHITWG.exe

Filesize
288KB

MD5
473dada2898cd0c3f7bb193e784211a4

SHA1
f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

SHA256
827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

SHA512
3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OHITWG.exe

Filesize
288KB

MD5
473dada2898cd0c3f7bb193e784211a4

SHA1
f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

SHA256
827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

SHA512
3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OHITWG.exe

Filesize
288KB

MD5
473dada2898cd0c3f7bb193e784211a4

SHA1
f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

SHA256
827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

SHA512
3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

Download Submit
C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe

Filesize
12.9MB

MD5
a364b35d4dbdcf328367df843a6286c1

SHA1
31a54c5118109afa7d5c7c465bb4d3b25c947284

SHA256
78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66

SHA512
e0687836489ea4cf25fb2b58105a46666a46a447acd01e291a5646928a12e469031f2936087cded0e7eee869cb6e71784c588cd61812387073ba4d0b637c6826

Download Submit
C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe

Filesize
12.9MB

MD5
a364b35d4dbdcf328367df843a6286c1

SHA1
31a54c5118109afa7d5c7c465bb4d3b25c947284

SHA256
78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66

SHA512
e0687836489ea4cf25fb2b58105a46666a46a447acd01e291a5646928a12e469031f2936087cded0e7eee869cb6e71784c588cd61812387073ba4d0b637c6826

Download Submit
C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe

Filesize
12.9MB

MD5
a364b35d4dbdcf328367df843a6286c1

SHA1
31a54c5118109afa7d5c7c465bb4d3b25c947284

SHA256
78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66

SHA512
e0687836489ea4cf25fb2b58105a46666a46a447acd01e291a5646928a12e469031f2936087cded0e7eee869cb6e71784c588cd61812387073ba4d0b637c6826

Download Submit
C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe

Filesize
12.9MB

MD5
a364b35d4dbdcf328367df843a6286c1

SHA1
31a54c5118109afa7d5c7c465bb4d3b25c947284

SHA256
78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66

SHA512
e0687836489ea4cf25fb2b58105a46666a46a447acd01e291a5646928a12e469031f2936087cded0e7eee869cb6e71784c588cd61812387073ba4d0b637c6826

Download Submit
C:\Users\Admin\AppData\Roaming\windowsdefender.exe

Filesize
28KB

MD5
7cf120a9dad95a45232d7d6f3f87b067

SHA1
55b96683b6b78888e1d0463fed961b30c014dde7

SHA256
9449691939856bd53ccb28071c5fec85da01ba6e113e9088f545857171b5f7a3

SHA512
22eaa765f6ac881b3a47a5e614f1ef15abdb29f1aa8891fd90c05817faeb3a14a32c8661bae1760cace254784ff6b8079002ed9d06ff062390df976d15565efd

Download Submit
C:\Users\Admin\AppData\Roaming\windowsdefender.exe

Filesize
28KB

MD5
7cf120a9dad95a45232d7d6f3f87b067

SHA1
55b96683b6b78888e1d0463fed961b30c014dde7

SHA256
9449691939856bd53ccb28071c5fec85da01ba6e113e9088f545857171b5f7a3

SHA512
22eaa765f6ac881b3a47a5e614f1ef15abdb29f1aa8891fd90c05817faeb3a14a32c8661bae1760cace254784ff6b8079002ed9d06ff062390df976d15565efd

Download Submit
C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe

Filesize
288KB

MD5
473dada2898cd0c3f7bb193e784211a4

SHA1
f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

SHA256
827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

SHA512
3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

Download Submit
C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe

Filesize
288KB

MD5
473dada2898cd0c3f7bb193e784211a4

SHA1
f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

SHA256
827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

SHA512
3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

Download Submit
C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe

Filesize
288KB

MD5
473dada2898cd0c3f7bb193e784211a4

SHA1
f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

SHA256
827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

SHA512
3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

Download Submit
C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe

Filesize
288KB

MD5
473dada2898cd0c3f7bb193e784211a4

SHA1
f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

SHA256
827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

SHA512
3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

Download Submit
C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe

Filesize
288KB

MD5
473dada2898cd0c3f7bb193e784211a4

SHA1
f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

SHA256
827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

SHA512
3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

Download Submit
\Users\Admin\AppData\Local\Temp\HMAGXL.exe

Filesize
28KB

MD5
7cf120a9dad95a45232d7d6f3f87b067

SHA1
55b96683b6b78888e1d0463fed961b30c014dde7

SHA256
9449691939856bd53ccb28071c5fec85da01ba6e113e9088f545857171b5f7a3

SHA512
22eaa765f6ac881b3a47a5e614f1ef15abdb29f1aa8891fd90c05817faeb3a14a32c8661bae1760cace254784ff6b8079002ed9d06ff062390df976d15565efd

Download Submit
\Users\Admin\AppData\Local\Temp\HMAGXL.exe

Filesize
28KB

MD5
7cf120a9dad95a45232d7d6f3f87b067

SHA1
55b96683b6b78888e1d0463fed961b30c014dde7

SHA256
9449691939856bd53ccb28071c5fec85da01ba6e113e9088f545857171b5f7a3

SHA512
22eaa765f6ac881b3a47a5e614f1ef15abdb29f1aa8891fd90c05817faeb3a14a32c8661bae1760cace254784ff6b8079002ed9d06ff062390df976d15565efd

Download Submit
\Users\Admin\AppData\Local\Temp\HMAGXL.exe

Filesize
28KB

MD5
7cf120a9dad95a45232d7d6f3f87b067

SHA1
55b96683b6b78888e1d0463fed961b30c014dde7

SHA256
9449691939856bd53ccb28071c5fec85da01ba6e113e9088f545857171b5f7a3

SHA512
22eaa765f6ac881b3a47a5e614f1ef15abdb29f1aa8891fd90c05817faeb3a14a32c8661bae1760cace254784ff6b8079002ed9d06ff062390df976d15565efd

Download Submit
\Users\Admin\AppData\Local\Temp\HMAGXL.exe

Filesize
28KB

MD5
7cf120a9dad95a45232d7d6f3f87b067

SHA1
55b96683b6b78888e1d0463fed961b30c014dde7

SHA256
9449691939856bd53ccb28071c5fec85da01ba6e113e9088f545857171b5f7a3

SHA512
22eaa765f6ac881b3a47a5e614f1ef15abdb29f1aa8891fd90c05817faeb3a14a32c8661bae1760cace254784ff6b8079002ed9d06ff062390df976d15565efd

Download Submit
\Users\Admin\AppData\Local\Temp\OHITWG.exe

Filesize
288KB

MD5
473dada2898cd0c3f7bb193e784211a4

SHA1
f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

SHA256
827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

SHA512
3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

Download Submit
\Users\Admin\AppData\Local\Temp\OHITWG.exe

Filesize
288KB

MD5
473dada2898cd0c3f7bb193e784211a4

SHA1
f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

SHA256
827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

SHA512
3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

Download Submit
\Users\Admin\AppData\Local\Temp\OHITWG.exe

Filesize
288KB

MD5
473dada2898cd0c3f7bb193e784211a4

SHA1
f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

SHA256
827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

SHA512
3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

Download Submit
\Users\Admin\AppData\Local\Temp\OHITWG.exe

Filesize
288KB

MD5
473dada2898cd0c3f7bb193e784211a4

SHA1
f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

SHA256
827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

SHA512
3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

Download Submit
\Users\Admin\AppData\Roaming\windowsdefender.exe

Filesize
28KB

MD5
7cf120a9dad95a45232d7d6f3f87b067

SHA1
55b96683b6b78888e1d0463fed961b30c014dde7

SHA256
9449691939856bd53ccb28071c5fec85da01ba6e113e9088f545857171b5f7a3

SHA512
22eaa765f6ac881b3a47a5e614f1ef15abdb29f1aa8891fd90c05817faeb3a14a32c8661bae1760cace254784ff6b8079002ed9d06ff062390df976d15565efd

Download Submit
\Users\Admin\AppData\Roaming\windowsdefender.exe

Filesize
28KB

MD5
7cf120a9dad95a45232d7d6f3f87b067

SHA1
55b96683b6b78888e1d0463fed961b30c014dde7

SHA256
9449691939856bd53ccb28071c5fec85da01ba6e113e9088f545857171b5f7a3

SHA512
22eaa765f6ac881b3a47a5e614f1ef15abdb29f1aa8891fd90c05817faeb3a14a32c8661bae1760cace254784ff6b8079002ed9d06ff062390df976d15565efd

Download Submit
\Windows\SysWOW64\windowsfirewall\ccleaner.exe

Filesize
288KB

MD5
473dada2898cd0c3f7bb193e784211a4

SHA1
f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

SHA256
827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

SHA512
3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

Download Submit
memory/604-101-0x0000000002330000-0x0000000002370000-memory.dmp

Filesize
256KB

Download
memory/604-94-0x00000000008B0000-0x00000000008FE000-memory.dmp

Filesize
312KB

Download
memory/1116-93-0x0000000000D80000-0x0000000000D8C000-memory.dmp

Filesize
48KB

Download
memory/1232-126-0x0000000000AC0000-0x0000000000B00000-memory.dmp

Filesize
256KB

Download
memory/1232-128-0x0000000000AC0000-0x0000000000B00000-memory.dmp

Filesize
256KB

Download
memory/1232-121-0x0000000000880000-0x000000000088C000-memory.dmp

Filesize
48KB

Download
memory/1316-132-0x00000000045D0000-0x0000000004610000-memory.dmp

Filesize
256KB

Download
memory/1376-109-0x0000000000C20000-0x0000000000C6E000-memory.dmp

Filesize
312KB

Download
memory/1376-127-0x00000000049A0000-0x00000000049E0000-memory.dmp

Filesize
256KB

Download
memory/1376-110-0x00000000049A0000-0x00000000049E0000-memory.dmp

Filesize
256KB

Download
memory/1668-125-0x00000000046F0000-0x0000000004730000-memory.dmp

Filesize
256KB

Download