limerat | 50e243b9f1481a581e8e8c2a5101f3ef43253adb873bb7c6ca4eb1ce3c7e9d61

Analysis

max time kernel
49s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21-03-2023 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
Size

12.9MB
MD5

a364b35d4dbdcf328367df843a6286c1
SHA1

31a54c5118109afa7d5c7c465bb4d3b25c947284
SHA256

78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66
SHA512

e0687836489ea4cf25fb2b58105a46666a46a447acd01e291a5646928a12e469031f2936087cded0e7eee869cb6e71784c588cd61812387073ba4d0b637c6826
SSDEEP

196608:Lg+Aalc1yGZIh6L5iYl/dsy+7d3tFELLs1cAm6f971YAmX1ZK1vauo9Dn:Lgsl5hef1k7ptmQbm6fnmlZsoRn

Score

10^/10

limerat quasar storage persistence rat spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

storage

xmarvel.ddns.net:4782

2.58.56.188:4782

Mutex

Slbw7KtgA7WecQEqcR

Attributes

encryption_key
BTg0dEybEXwn6MM90CP2
install_name
ccleaner.exe
log_directory
windowfirewalls
reconnect_delay
1
startup_key
windowsfirewall.msc
subdirectory
windowsfirewall

Extracted

Family

limerat

Wallets

13WHQ6XEobZYNAjHZPJHkDuzMS8TpgkRqm

Attributes

aes_key
key
antivm
true
c2_url
https://pastebin.com/raw/nW4J6TiP
delay
3
download_payload
false
install
true
install_name
windowsdefender.exe
main_folder
AppData
pin_spread
false
sub_folder
\
usb_spread
true

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 9 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000300000000073d-140.dat	family_quasar
behavioral2/files/0x000300000000073d-146.dat	family_quasar
behavioral2/files/0x000300000000073d-160.dat	family_quasar
behavioral2/memory/1972-162-0x0000000000060000-0x00000000000AE000-memory.dmp	family_quasar
behavioral2/files/0x000100000002311e-181.dat	family_quasar
behavioral2/files/0x000100000002311e-179.dat	family_quasar
behavioral2/memory/4404-195-0x0000000004F10000-0x0000000004F20000-memory.dmp	family_quasar
behavioral2/files/0x000100000002311e-200.dat	family_quasar
behavioral2/files/0x000100000002311e-202.dat	family_quasar

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exeHMAGXL.execcleaner.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	HMAGXL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	ccleaner.exe

Drops startup file 1 IoCs

Processes:

78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NULXGA.lnk	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe

Executes dropped EXE 5 IoCs

Processes:

OHITWG.exeHMAGXL.execcleaner.exewindowsdefender.exewfmsc.exe

pid	Process
1972	OHITWG.exe
4828	HMAGXL.exe
4404	ccleaner.exe
3400	windowsdefender.exe
548	wfmsc.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exeOHITWG.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NULXGA = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\wfmsc.exe\""	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windowsfirewall.msc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\OHITWG.exe\""	OHITWG.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
19	ip-api.com

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/files/0x0002000000023118-192.dat	autoit_exe
behavioral2/files/0x0002000000023118-193.dat	autoit_exe
behavioral2/files/0x0002000000023118-199.dat	autoit_exe
behavioral2/files/0x0002000000023118-203.dat	autoit_exe

Drops file in System32 directory 4 IoCs

Processes:

OHITWG.execcleaner.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe	OHITWG.exe
File opened for modification	C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe	OHITWG.exe
File opened for modification	C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe	ccleaner.exe
File opened for modification	C:\Windows\SysWOW64\windowsfirewall	ccleaner.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
3648	schtasks.exe
1892	schtasks.exe
4496	schtasks.exe
3396	schtasks.exe
1280	schtasks.exe

NTFS ADS 1 IoCs

Processes:

78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\SecurityCenter2	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe

pid	Process
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe

pid	Process
4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

OHITWG.execcleaner.exewindowsdefender.exe

description	pid	Process
Token: SeDebugPrivilege	1972	OHITWG.exe
Token: SeDebugPrivilege	4404	ccleaner.exe
Token: SeDebugPrivilege	3400	windowsdefender.exe
Token: SeDebugPrivilege	3400	windowsdefender.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.execmd.exeOHITWG.exeHMAGXL.execcleaner.exe

description	pid	Process	procid_target
PID 4608 wrote to memory of 1972	4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	87
PID 4608 wrote to memory of 1972	4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	87
PID 4608 wrote to memory of 1972	4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	87
PID 4608 wrote to memory of 4828	4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	89
PID 4608 wrote to memory of 4828	4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	89
PID 4608 wrote to memory of 4828	4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	89
PID 4608 wrote to memory of 1572	4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	90
PID 4608 wrote to memory of 1572	4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	90
PID 4608 wrote to memory of 1572	4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	90
PID 4608 wrote to memory of 2396	4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	91
PID 4608 wrote to memory of 2396	4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	91
PID 4608 wrote to memory of 2396	4608	78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe	91
PID 1572 wrote to memory of 3648	1572	cmd.exe	93
PID 1572 wrote to memory of 3648	1572	cmd.exe	93
PID 1572 wrote to memory of 3648	1572	cmd.exe	93
PID 1972 wrote to memory of 1892	1972	OHITWG.exe	94
PID 1972 wrote to memory of 1892	1972	OHITWG.exe	94
PID 1972 wrote to memory of 1892	1972	OHITWG.exe	94
PID 1972 wrote to memory of 4404	1972	OHITWG.exe	96
PID 1972 wrote to memory of 4404	1972	OHITWG.exe	96
PID 1972 wrote to memory of 4404	1972	OHITWG.exe	96
PID 4828 wrote to memory of 4496	4828	HMAGXL.exe	98
PID 4828 wrote to memory of 4496	4828	HMAGXL.exe	98
PID 4828 wrote to memory of 4496	4828	HMAGXL.exe	98
PID 4828 wrote to memory of 3400	4828	HMAGXL.exe	100
PID 4828 wrote to memory of 3400	4828	HMAGXL.exe	100
PID 4828 wrote to memory of 3400	4828	HMAGXL.exe	100
PID 4404 wrote to memory of 3396	4404	ccleaner.exe	101
PID 4404 wrote to memory of 3396	4404	ccleaner.exe	101
PID 4404 wrote to memory of 3396	4404	ccleaner.exe	101
PID 4404 wrote to memory of 1280	4404	ccleaner.exe	103
PID 4404 wrote to memory of 1280	4404	ccleaner.exe	103
PID 4404 wrote to memory of 1280	4404	ccleaner.exe	103

C:\Users\Admin\AppData\Local\Temp\78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
"C:\Users\Admin\AppData\Local\Temp\78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Users\Admin\AppData\Local\Temp\OHITWG.exe
  "C:\Users\Admin\AppData\Local\Temp\OHITWG.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "windowsfirewall.msc" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\OHITWG.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1892
- - C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe
    "C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4404
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "windowsfirewall.msc" /sc ONLOGON /tr "C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:3396
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe" /sc MINUTE /MO 1
      4⤵
      Creates scheduled task(s)
      PID:1280
- C:\Users\Admin\AppData\Local\Temp\HMAGXL.exe
  "C:\Users\Admin\AppData\Local\Temp\HMAGXL.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\windowsdefender.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:4496
- - C:\Users\Admin\AppData\Roaming\windowsdefender.exe
    "C:\Users\Admin\AppData\Roaming\windowsdefender.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn NULXGA.exe /tr C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe /sc minute /mo 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn NULXGA.exe /tr C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe /sc minute /mo 1
    3⤵
    - Creates scheduled task(s)
    PID:3648
- C:\Windows\SysWOW64\WSCript.exe
  WSCript C:\Users\Admin\AppData\Local\Temp\NULXGA.vbs
  2⤵
  PID:2396

C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe
C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe
1⤵
- Executes dropped EXE
PID:548

C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe
C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe
1⤵
PID:4476

C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe
C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe
1⤵
PID:2516

C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe
C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe
1⤵
PID:1200

C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe
C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe
1⤵
PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ccleaner.exe.log

Filesize
701B

MD5
5de8527438c860bfa3140dc420a03e52

SHA1
235af682986b3292f20d8d71a8671353f5d6e16d

SHA256
d9d92cd6e7a4507912965138b8d1eabb3f188f4dfcb61115ee99dc2c0fd43a92

SHA512
77c3a774a2235c55ad520f1bf0c71fa3d3f0e7cf478a78e0d4dd6d253ee12a9859acc9ee822664467387788a2655a18373c8fcf08ea0d001549d3d4391b00bf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMAGXL.exe

Filesize
28KB

MD5
7cf120a9dad95a45232d7d6f3f87b067

SHA1
55b96683b6b78888e1d0463fed961b30c014dde7

SHA256
9449691939856bd53ccb28071c5fec85da01ba6e113e9088f545857171b5f7a3

SHA512
22eaa765f6ac881b3a47a5e614f1ef15abdb29f1aa8891fd90c05817faeb3a14a32c8661bae1760cace254784ff6b8079002ed9d06ff062390df976d15565efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMAGXL.exe

Filesize
28KB

MD5
7cf120a9dad95a45232d7d6f3f87b067

SHA1
55b96683b6b78888e1d0463fed961b30c014dde7

SHA256
9449691939856bd53ccb28071c5fec85da01ba6e113e9088f545857171b5f7a3

SHA512
22eaa765f6ac881b3a47a5e614f1ef15abdb29f1aa8891fd90c05817faeb3a14a32c8661bae1760cace254784ff6b8079002ed9d06ff062390df976d15565efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMAGXL.exe

Filesize
28KB

MD5
7cf120a9dad95a45232d7d6f3f87b067

SHA1
55b96683b6b78888e1d0463fed961b30c014dde7

SHA256
9449691939856bd53ccb28071c5fec85da01ba6e113e9088f545857171b5f7a3

SHA512
22eaa765f6ac881b3a47a5e614f1ef15abdb29f1aa8891fd90c05817faeb3a14a32c8661bae1760cace254784ff6b8079002ed9d06ff062390df976d15565efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\NULXGA.vbs

Filesize
948B

MD5
2d94dc5e1b1e922deaf3119b1b1d8648

SHA1
c85c5d042162fb93d4203a11be584e8bac150f68

SHA256
bb9979103ac1014befba3c91e7447e718e39fc878175444273eebbc11f72d7ab

SHA512
02fff2db493a4252a4ab8a6f10dffcb888c13e909825c40a4eeab305ac2221f27551b5a7772661ff5b0efa3c74163f0e8b1f0b45d940cd2187c72b4d73725ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OHITWG.exe

Filesize
288KB

MD5
473dada2898cd0c3f7bb193e784211a4

SHA1
f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

SHA256
827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

SHA512
3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OHITWG.exe

Filesize
288KB

MD5
473dada2898cd0c3f7bb193e784211a4

SHA1
f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

SHA256
827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

SHA512
3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OHITWG.exe

Filesize
288KB

MD5
473dada2898cd0c3f7bb193e784211a4

SHA1
f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

SHA256
827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

SHA512
3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

Download Submit
C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe

Filesize
12.9MB

MD5
a364b35d4dbdcf328367df843a6286c1

SHA1
31a54c5118109afa7d5c7c465bb4d3b25c947284

SHA256
78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66

SHA512
e0687836489ea4cf25fb2b58105a46666a46a447acd01e291a5646928a12e469031f2936087cded0e7eee869cb6e71784c588cd61812387073ba4d0b637c6826

Download Submit
C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe

Filesize
12.9MB

MD5
a364b35d4dbdcf328367df843a6286c1

SHA1
31a54c5118109afa7d5c7c465bb4d3b25c947284

SHA256
78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66

SHA512
e0687836489ea4cf25fb2b58105a46666a46a447acd01e291a5646928a12e469031f2936087cded0e7eee869cb6e71784c588cd61812387073ba4d0b637c6826

Download Submit
C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe

Filesize
12.9MB

MD5
a364b35d4dbdcf328367df843a6286c1

SHA1
31a54c5118109afa7d5c7c465bb4d3b25c947284

SHA256
78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66

SHA512
e0687836489ea4cf25fb2b58105a46666a46a447acd01e291a5646928a12e469031f2936087cded0e7eee869cb6e71784c588cd61812387073ba4d0b637c6826

Download Submit
C:\Users\Admin\AppData\Roaming\Windata\wfmsc.exe

Filesize
12.9MB

MD5
a364b35d4dbdcf328367df843a6286c1

SHA1
31a54c5118109afa7d5c7c465bb4d3b25c947284

SHA256
78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66

SHA512
e0687836489ea4cf25fb2b58105a46666a46a447acd01e291a5646928a12e469031f2936087cded0e7eee869cb6e71784c588cd61812387073ba4d0b637c6826

Download Submit
C:\Users\Admin\AppData\Roaming\windowsdefender.exe

Filesize
28KB

MD5
7cf120a9dad95a45232d7d6f3f87b067

SHA1
55b96683b6b78888e1d0463fed961b30c014dde7

SHA256
9449691939856bd53ccb28071c5fec85da01ba6e113e9088f545857171b5f7a3

SHA512
22eaa765f6ac881b3a47a5e614f1ef15abdb29f1aa8891fd90c05817faeb3a14a32c8661bae1760cace254784ff6b8079002ed9d06ff062390df976d15565efd

Download Submit
C:\Users\Admin\AppData\Roaming\windowsdefender.exe

Filesize
28KB

MD5
7cf120a9dad95a45232d7d6f3f87b067

SHA1
55b96683b6b78888e1d0463fed961b30c014dde7

SHA256
9449691939856bd53ccb28071c5fec85da01ba6e113e9088f545857171b5f7a3

SHA512
22eaa765f6ac881b3a47a5e614f1ef15abdb29f1aa8891fd90c05817faeb3a14a32c8661bae1760cace254784ff6b8079002ed9d06ff062390df976d15565efd

Download Submit
C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe

Filesize
288KB

MD5
473dada2898cd0c3f7bb193e784211a4

SHA1
f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

SHA256
827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

SHA512
3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

Download Submit
C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe

Filesize
288KB

MD5
473dada2898cd0c3f7bb193e784211a4

SHA1
f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

SHA256
827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

SHA512
3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

Download Submit
C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe

Filesize
288KB

MD5
473dada2898cd0c3f7bb193e784211a4

SHA1
f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

SHA256
827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

SHA512
3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

Download Submit
C:\Windows\SysWOW64\windowsfirewall\ccleaner.exe

Filesize
288KB

MD5
473dada2898cd0c3f7bb193e784211a4

SHA1
f9d24e4d578a240df8cb7791145f2a65cdc2a5b8

SHA256
827530d82fa9c5ad081f6ea918a136fc9c13d57dfdfc49f14947a68083cb6fce

SHA512
3c8a6fb530e763f7d192f9631932fe884bada3d54ea089fc9e36280fc7731d8544c1fd8d81a8d546849ea163a6e14db2e37fc6aa4b24c6eb17c161bfbb36dbb6

Download Submit
memory/1200-205-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/1972-168-0x00000000050D0000-0x0000000005674000-memory.dmp

Filesize
5.6MB

Download
memory/1972-162-0x0000000000060000-0x00000000000AE000-memory.dmp

Filesize
312KB

Download
memory/1972-170-0x0000000004B20000-0x0000000004BB2000-memory.dmp

Filesize
584KB

Download
memory/1972-174-0x0000000005EC0000-0x0000000005EFC000-memory.dmp

Filesize
240KB

Download
memory/1972-173-0x0000000005AA0000-0x0000000005AB2000-memory.dmp

Filesize
72KB

Download
memory/1972-171-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/1972-172-0x0000000004E30000-0x0000000004E96000-memory.dmp

Filesize
408KB

Download
memory/3400-194-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/3400-196-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/4404-182-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4404-195-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4404-197-0x00000000066F0000-0x00000000066FA000-memory.dmp

Filesize
40KB

Download
memory/4828-165-0x00000000051B0000-0x000000000524C000-memory.dmp

Filesize
624KB

Download
memory/4828-175-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/4828-161-0x00000000007D0000-0x00000000007DC000-memory.dmp

Filesize
48KB

Download