limerat | a77e709b70ec46539ce939b203e698593d36c1db045c878f86aeecdd37286830

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
30-05-2023 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
Size

781KB
MD5

5ddfbddf74d9e09bf434940362019979
SHA1

595d69d9fc35b83cd8d6567e88ab6526582576e4
SHA256

e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c
SHA512

6fcf4f5c573986cf5ae881812bf692a4d76683d636e4a7211111fc37f11e7ac8998dc98177b3efbbbf36ffd61346fa0aa5853231ee8337816ab7585ee4b9b693
SSDEEP

12288:fClBbX5Ty5syL0CR8gotz/S31L/5C9RJl7ICfLcpy:faUxLPigotulL/I9RACfLco

Score

10^/10

limerat neshta persistence rat spyware stealer

Malware Config

Extracted

Family

limerat

Wallets

1LLUV51XQKqq94X965Cc6uGPXeZEGSqCdV

Attributes

aes_key
NYANCAT
antivm
false
c2_url
https://pastebin.com/raw/4pByu6u5
delay
3
download_payload
false
install
false
install_name
Wservices.exe
main_folder
AppData
pin_spread
false
sub_folder
\
usb_spread
true

Signatures

Detect Neshta payload 8 IoCs

resource	yara_rule
behavioral1/files/0x000100000001031d-65.dat	family_neshta
behavioral1/memory/2024-141-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2024-142-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2024-143-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2024-145-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x00080000000122e8-152.dat	family_neshta
behavioral1/files/0x00080000000122e8-153.dat	family_neshta
behavioral1/memory/432-158-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 3 IoCs

pid	Process
1752	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
432	svchost.com
1100	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe

Loads dropped DLL 3 IoCs

pid	Process
2024	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
2024	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
1752	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1752 set thread context of 1100	1752	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe	32

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1860	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1752	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1752	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
Token: SeDebugPrivilege	1100	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
Token: SeDebugPrivilege	1100	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1752	2024	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe	28
PID 2024 wrote to memory of 1752	2024	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe	28
PID 2024 wrote to memory of 1752	2024	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe	28
PID 2024 wrote to memory of 1752	2024	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe	28
PID 1752 wrote to memory of 432	1752	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe	29
PID 1752 wrote to memory of 432	1752	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe	29
PID 1752 wrote to memory of 432	1752	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe	29
PID 1752 wrote to memory of 432	1752	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe	29
PID 432 wrote to memory of 1860	432	svchost.com	30
PID 432 wrote to memory of 1860	432	svchost.com	30
PID 432 wrote to memory of 1860	432	svchost.com	30
PID 432 wrote to memory of 1860	432	svchost.com	30
PID 1752 wrote to memory of 1100	1752	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe	32
PID 1752 wrote to memory of 1100	1752	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe	32
PID 1752 wrote to memory of 1100	1752	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe	32
PID 1752 wrote to memory of 1100	1752	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe	32
PID 1752 wrote to memory of 1100	1752	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe	32
PID 1752 wrote to memory of 1100	1752	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe	32
PID 1752 wrote to memory of 1100	1752	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe	32
PID 1752 wrote to memory of 1100	1752	e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe	32

C:\Users\Admin\AppData\Local\Temp\e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
"C:\Users\Admin\AppData\Local\Temp\e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\3582-490\e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UGrisULjKfvkUY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC340.tmp"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:432
  - - C:\Windows\SysWOW64\schtasks.exe
      C:\Windows\System32\schtasks.exe /Create /TN Updates\UGrisULjKfvkUY /XML C:\Users\Admin\AppData\Local\Temp\tmpC340.tmp
      4⤵
      Creates scheduled task(s)
      PID:1860
- - C:\Users\Admin\AppData\Local\Temp\3582-490\e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Change Default File Association

T1042

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe

Filesize
741KB

MD5
ad7fab95d903b025ebd5a36a8d7e06a6

SHA1
66faf0fe2a065f5c6c1701fe9c52e3f2ef677a51

SHA256
4617466868abd96c612df835281b02512cba8e21b72be5eaaf817be02996c897

SHA512
7c4294ff917e4e8507503b366c4cc7956a73cef38984d783888b07257246f09a9c5e6ceb8fd731c365ffa245f39299a6e366bacb5e7e8c6da03604992ca4406d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe

Filesize
741KB

MD5
ad7fab95d903b025ebd5a36a8d7e06a6

SHA1
66faf0fe2a065f5c6c1701fe9c52e3f2ef677a51

SHA256
4617466868abd96c612df835281b02512cba8e21b72be5eaaf817be02996c897

SHA512
7c4294ff917e4e8507503b366c4cc7956a73cef38984d783888b07257246f09a9c5e6ceb8fd731c365ffa245f39299a6e366bacb5e7e8c6da03604992ca4406d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe

Filesize
741KB

MD5
ad7fab95d903b025ebd5a36a8d7e06a6

SHA1
66faf0fe2a065f5c6c1701fe9c52e3f2ef677a51

SHA256
4617466868abd96c612df835281b02512cba8e21b72be5eaaf817be02996c897

SHA512
7c4294ff917e4e8507503b366c4cc7956a73cef38984d783888b07257246f09a9c5e6ceb8fd731c365ffa245f39299a6e366bacb5e7e8c6da03604992ca4406d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

Filesize
8B

MD5
00f2458f5175417bc850cf6ed4c955b1

SHA1
bb70d380094bba322689eee4184f915486ad5b02

SHA256
df17bd87aeb7104233cdcce2d7c16599236814700d3316a7a3616a895d7e8e1b

SHA512
6ba53cffa2743ea25910b9f04e5c5112b04587dd80dff6b11f2f2d7839c48af460917a8e40601f6e1b50ecbfd90af4c6b0b7144bb291d04ec09323893bdb77f5

Download Submit
C:\Users\Admin\AppData\Roaming\UGrisULjKfvkUY.exe

Filesize
741KB

MD5
ad7fab95d903b025ebd5a36a8d7e06a6

SHA1
66faf0fe2a065f5c6c1701fe9c52e3f2ef677a51

SHA256
4617466868abd96c612df835281b02512cba8e21b72be5eaaf817be02996c897

SHA512
7c4294ff917e4e8507503b366c4cc7956a73cef38984d783888b07257246f09a9c5e6ceb8fd731c365ffa245f39299a6e366bacb5e7e8c6da03604992ca4406d

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2ed7e01ad36755baa317a553f61b0a43

SHA1
d9be3a93cb3b1bf996439470a6e6d11366e17e5e

SHA256
2f4cb455bf4ae6879fabf59726dcfd5673d5b975a327571447f625095bd54363

SHA512
3789f6f2d37c454f64d3b05e27b4d588d48a13c570749b16eade62ba9e62d1909a94e42ff1eff00cc644b4185b8f40ffb91e05b9e88426f146429ce29025998a

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
2ed7e01ad36755baa317a553f61b0a43

SHA1
d9be3a93cb3b1bf996439470a6e6d11366e17e5e

SHA256
2f4cb455bf4ae6879fabf59726dcfd5673d5b975a327571447f625095bd54363

SHA512
3789f6f2d37c454f64d3b05e27b4d588d48a13c570749b16eade62ba9e62d1909a94e42ff1eff00cc644b4185b8f40ffb91e05b9e88426f146429ce29025998a

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe

Filesize
741KB

MD5
ad7fab95d903b025ebd5a36a8d7e06a6

SHA1
66faf0fe2a065f5c6c1701fe9c52e3f2ef677a51

SHA256
4617466868abd96c612df835281b02512cba8e21b72be5eaaf817be02996c897

SHA512
7c4294ff917e4e8507503b366c4cc7956a73cef38984d783888b07257246f09a9c5e6ceb8fd731c365ffa245f39299a6e366bacb5e7e8c6da03604992ca4406d

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\e615a06c4539fc5fabedd46658fdc2ff534d0173f9043162f3809ef3002f0a2c.exe

Filesize
741KB

MD5
ad7fab95d903b025ebd5a36a8d7e06a6

SHA1
66faf0fe2a065f5c6c1701fe9c52e3f2ef677a51

SHA256
4617466868abd96c612df835281b02512cba8e21b72be5eaaf817be02996c897

SHA512
7c4294ff917e4e8507503b366c4cc7956a73cef38984d783888b07257246f09a9c5e6ceb8fd731c365ffa245f39299a6e366bacb5e7e8c6da03604992ca4406d

Download Submit
memory/432-158-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1100-162-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1100-163-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1100-172-0x0000000004DF0000-0x0000000004E30000-memory.dmp

Filesize
256KB

Download
memory/1100-171-0x0000000004DF0000-0x0000000004E30000-memory.dmp

Filesize
256KB

Download
memory/1100-170-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1100-168-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1100-165-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1100-164-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1100-161-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1752-127-0x0000000004D80000-0x0000000004DC0000-memory.dmp

Filesize
256KB

Download
memory/1752-147-0x0000000000460000-0x000000000047C000-memory.dmp

Filesize
112KB

Download
memory/1752-140-0x0000000009DD0000-0x0000000009DE6000-memory.dmp

Filesize
88KB

Download
memory/1752-66-0x0000000000ED0000-0x0000000000F8E000-memory.dmp

Filesize
760KB

Download
memory/1752-146-0x0000000004F10000-0x0000000004F6A000-memory.dmp

Filesize
360KB

Download
memory/2024-141-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2024-142-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2024-143-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2024-145-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download