73f870cbbca75533109b51c060272741a49bfbea35fef35c55352c855637967d

Analysis

max time kernel
146s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24-12-2023 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e0dc5f549ae8c546b427bb568b5439f.exe
Size

368KB
MD5

0e0dc5f549ae8c546b427bb568b5439f
SHA1

c57197b3b22a61c3d461a31b53e94cdc5f515d46
SHA256

73f870cbbca75533109b51c060272741a49bfbea35fef35c55352c855637967d
SHA512

e1add08dc90241d50fcf7c2fce65f3005ca4cf64acabd1cbcb88afa73296168af49e9145308513dd385cfbc559b730c59cc262260e2ade79672bd7f9f63a9d5c
SSDEEP

1536:hRPwMPGmHmkiw+667MIBf28zPJtC6IoD/QWgxektFAo11S:DPwMPzHmLf2RxIf

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	limih.exe

Executes dropped EXE 1 IoCs

pid	Process
3028	limih.exe

Loads dropped DLL 2 IoCs

pid	Process
2240	0e0dc5f549ae8c546b427bb568b5439f.exe
2240	0e0dc5f549ae8c546b427bb568b5439f.exe

Adds Run key to start application 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /y"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /L"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /V"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /l"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /c"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /U"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /G"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /w"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /X"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /D"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /t"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /s"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /x"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /z"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /d"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /f"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /k"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /Y"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /W"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /M"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /O"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /v"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /I"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /m"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /A"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /j"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /g"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /S"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /P"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /q"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /T"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /a"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /r"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /u"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /o"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /C"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /Q"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /i"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /n"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /K"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /e"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /N"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /F"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /E"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /b"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /R"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /J"	limih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\limih = "C:\\Users\\Admin\\limih.exe /p"	limih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe
3028	limih.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2240	0e0dc5f549ae8c546b427bb568b5439f.exe
3028	limih.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 3028	2240	0e0dc5f549ae8c546b427bb568b5439f.exe	28
PID 2240 wrote to memory of 3028	2240	0e0dc5f549ae8c546b427bb568b5439f.exe	28
PID 2240 wrote to memory of 3028	2240	0e0dc5f549ae8c546b427bb568b5439f.exe	28
PID 2240 wrote to memory of 3028	2240	0e0dc5f549ae8c546b427bb568b5439f.exe	28
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1
PID 3028 wrote to memory of 2240	3028	limih.exe	1

C:\Users\Admin\AppData\Local\Temp\0e0dc5f549ae8c546b427bb568b5439f.exe
"C:\Users\Admin\AppData\Local\Temp\0e0dc5f549ae8c546b427bb568b5439f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\limih.exe
  "C:\Users\Admin\limih.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\limih.exe

Filesize
129KB

MD5
ba07ae2736e1f9356102f6942202bf19

SHA1
1ce2494853fdcbd72f379e24308fd5466740405c

SHA256
3d5d8543def4d9381cf26dc796165a98ec93820986cec004248eb4d7af2e9b09

SHA512
1ba581f984cd9fb529c9008ae7362d12f0333920d59f7a767c138f58c0dbc1d5f34ba3d1667f0bb2496560c94ebd09686fcfa8bd6bc0fb3c04f31e13331a8661

Download Submit
\Users\Admin\limih.exe

Filesize
368KB

MD5
007bbf16af9cfc9cbab4985b0945c56c

SHA1
8af62a23bf83bd9d66fed2b6d013839e6841ab65

SHA256
96bd28081ff2b73cf7feaf7f5bbb700d3e2a23f74aba2061625f5b99979f290a

SHA512
a013fa09f0a4ea659d74567cf04d192b14063d071b70c3a3005adad0d7a3beadcfdd1dfba0dc6b72e1a14751624db475a39d649f14490d472147701b9bbb6fe2

Download Submit
\Users\Admin\limih.exe

Filesize
256KB

MD5
16ed4bf9b0aebd47e597d4da15b51119

SHA1
ceaf3e67c332722238d6e9c3c67d514c4efd1ad8

SHA256
837868c0e01617eda4dbde164eb2ecf8587ac405578d2685b0dfd7f7568183ee

SHA512
7eb52ef960eb257969b5e8d89f885e1e7ee986f006cee7d2a691f2ee226c966e2aa0516bfc75e70442949403e8580bda0a9890c7df0aeda5cec6ecc92927c6ef

Download Submit