729782176df07dcab88ca6d476c8b78b6b78a104d5df713a526cbf8baad1ddb5

Analysis

max time kernel
0s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93a51bb3d03a1cebf76e63d8bdb3af04.exe
Size

684KB
MD5

93a51bb3d03a1cebf76e63d8bdb3af04
SHA1

0868306dcb3a1f21fdda94e7125ad3aa2ad2dfa9
SHA256

729782176df07dcab88ca6d476c8b78b6b78a104d5df713a526cbf8baad1ddb5
SHA512

17c69bdbfbe71e80dbca83b967b6d9d77a4f63e0ea46b4c418ed7b3f318cda4603c8245b06a4d67a897baf8d8c2899bfb5da2932b0aea52d8c217752eeccc830
SSDEEP

12288:0JOpPEhZTl8pBRxhHLMmyLgIO3GsaMJcR/Vn+R9KVYszf:0JyPEhZB8pBlHomy0IO3GsId+R9KV1f

Score

10^/10

agilenet

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/files/0x00090000000231a6-35.dat	disable_win_def

Loads dropped DLL 1 IoCs

pid	Process
1208	93a51bb3d03a1cebf76e63d8bdb3af04.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/files/0x00060000000231eb-27.dat	agile_net

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5904	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\93a51bb3d03a1cebf76e63d8bdb3af04.exe
"C:\Users\Admin\AppData\Local\Temp\93a51bb3d03a1cebf76e63d8bdb3af04.exe"
1⤵
- Loads dropped DLL
PID:1208
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\script.vbs"
  2⤵
  PID:4900
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\SysWOW64\WScript.exe" "C:\ProgramData\script.vbs" /elevate
    3⤵
    PID:4608
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
      4⤵
      PID:4300
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      PID:3624
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
      4⤵
      PID:4344
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
      4⤵
      PID:1480
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
      4⤵
      PID:3816
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
      4⤵
      PID:4956
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
      4⤵
      PID:1752
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
      4⤵
      PID:2100
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
      4⤵
      PID:2852
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
      4⤵
      PID:2628
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      PID:3472
- C:\ProgramData\temp.exe
  "C:\ProgramData\temp.exe"
  2⤵
  PID:2868
- C:\ProgramData\.exe
  "C:\ProgramData\.exe"
  2⤵
  PID:1484
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\System32\Window Security Notification.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:5904
- - C:\Users\Admin\System32\Window Security Notification.exe
    "C:\Users\Admin\System32\Window Security Notification.exe"
    3⤵
    PID:5988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\.exe

Filesize
313KB

MD5
bfe968b719b9567e0914105d2f5f80a4

SHA1
de78dee76dec96235312fa82ebebc51f114483c9

SHA256
a96147860e86e8f6a898e7bf77c05596790595c10a63271a2dce89d56fc49dac

SHA512
87040e0beacfdbce3a401e09bb912e67544f7f0cd8de6bacbf710fddd6ac5e143dca08049de006d844b8b50131de98f56faf953328f40aaedfa2675186d5d5d4

Download Submit
C:\ProgramData\script.vbs

Filesize
1KB

MD5
dd82baf02caac1567f2277edca89a912

SHA1
36f5d8c2a67f31768b1116bb87f77b049ffd3f63

SHA256
038802b33f5e7179ad59105099681003c68fdb9b3c757540e737564c1b460533

SHA512
6825e10fbb3fec3619cd0b2d36f6490f28301fd723fa9b2b52403aa3d8c2e39b7bb04eedc937c5fdf76f511e9e75e533ef6cfce07d398fe13b52896c3e343554

Download Submit
C:\ProgramData\temp.exe

Filesize
10KB

MD5
c26e4cd9bc956f25ec249bcb75900ab2

SHA1
f2a80a50639ec0c5a438c867b37ca03df286017c

SHA256
80b261cf3b2206cd8786afd2b401b83dab0b97bf13d128d846910b61fde01876

SHA512
71b9efcab7aae3da89e0694f29879ac786c465a9510d8b43f0ce5f629fdda3ab6be899992b7d6e94ad6ba7558cb8b4e6f29f572b188534f68e33a792e5308387

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
05467f8f329ed9735c877bbd80cefaa3

SHA1
3904bd2aa40457c990a05424c0ef864e3c5e598c

SHA256
01ee55acc4a346ef75df54f17fd2d02df36a4941deaec5cd376027519e79b83e

SHA512
05f956f588677969f02f0cee89293848994a808e4dc5a050e8897af4f95a239b7df2b44b3b0a627184a052eb6baaf3ad45dff5a8097a948a14fd1fae618c471b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
346621718fd27b71b40e2727147bfa54

SHA1
19b97ca928f5d54d4cb714b080501c4612b8037e

SHA256
c813e2b4e81a22989ef1ac5fbf516b33ccad3bffea810daff1f1a7016d793ee1

SHA512
2eb4af92fa21aa2fd2beb8b7df7629d69b687edb34a2316975478eaaf88fa01c633319e9207f6975be3c30711fcce87eef0475e8bb4fe7edaeea16654d7f26a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1d14cee149a78d89645f9e66a63a8164

SHA1
7e6e73ae41cb3a58e5bf2d1db358ddf64e589c3f

SHA256
bd01ad39e3607d401f40416061b728976b947d37ec844ef801478a27e995882f

SHA512
49bc0b32e5d4f31cabd535effd86784d6744f8b44457fb936557694b82b1c94a23c278069090617601f1491f62eaa9b47931e3216eef7f4029aacb2e3dec6ec5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
afaee604776a31fd1c7d18ce1720a494

SHA1
74056a89db047dd3dd5f7adf522e29488bb5dc27

SHA256
eaf2b7027048ec15b0ede9019ca49350f72ef33c09df1518b8e2bf5247d9df3a

SHA512
7748e425d9a03311591150e21b8f69069272c69c1703f75797b90bbdaf182c9f45d44b137ddfcf3238dc6729269001094e1a5918d5f65374b048c24397ef46f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
94363fcd38b1f787b77aa323c47c7522

SHA1
e6425466449e3cb50d40fb3f1d3b77c3b0e6f5ca

SHA256
9b4b52bdfaec59df059d316f1b88c9783760b129d4128ccee54daa9c8b6f3f6b

SHA512
2ce131cd5760056b3ddd9dde6f5c4201445310bcab5198a0928380ac444154b7e40d7a85a2bac827f3c1e15d3e6dff95cbeada921ee38e6324fcab2c2b845cae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1094047e14f5738a379d5c80f0452496

SHA1
ac2b1a3f2a0b05de97f20ab2645a1b1416bcb62f

SHA256
cc017aaa7136c8a75cfab753677cfee24b1b157f17b4de85c2d80c85ea5dc61a

SHA512
71e0d46f91adf5a26cbda6e450858af865b9df49ef4d445a69c9e514b822d72d8ee0dea6669c5ab90a123557b3c2f5477a0a3a7554919ff7db47305d24dc992e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f120592-7e9e-4f67-b0b5-9b687c027c6d\AgileDotNetRT.dll

Filesize
92KB

MD5
110a94e7eee4fa670f9086a731b0b7fa

SHA1
7a75e4b08c22dc1eead093b882bc3c3f86a1e50e

SHA256
dcac5868c1cb3eaabdeb267e4553ac71e936147b30bb964f16f34d5f8e924718

SHA512
d9d1161eb599c76e992cb46410eb2292a6db4a3ad4a449c76947924b2066b2b0a9fd1809330f34a86fdf8ee20e89e32ab3d8486121171490376bba2a49ef980e

Download Submit
C:\Users\Admin\AppData\Local\Temp\77ed5d9b-40b5-4f36-8004-750256c19cba\AgileDotNetRT.dll

Filesize
140KB

MD5
edd74be9723cdc6a5692954f0e51c9f3

SHA1
e9fb66ceee1ba4ce7e5b8271b3e1ed7cb9acf686

SHA256
55ff1e0a4e5866d565ceeb9baafac73fdcb4464160fc6c78104d935009935cd7

SHA512
80abecdd07f364283f216d8f4d90a4da3efd4561900631fce05c2916afeb1b5bbce23ae92d57430b7b2b06c172b2ad701b2ab75b6dfd2a861abcf7edc38462f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c54vjcqu.03c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1208-10-0x0000000073A80000-0x0000000073ADB000-memory.dmp

Filesize
364KB

Download
memory/1208-0-0x0000000074D60000-0x0000000075311000-memory.dmp

Filesize
5.7MB

Download
memory/1208-43-0x0000000073270000-0x0000000073298000-memory.dmp

Filesize
160KB

Download
memory/1208-41-0x0000000074D60000-0x0000000075311000-memory.dmp

Filesize
5.7MB

Download
memory/1208-2-0x0000000074D60000-0x0000000075311000-memory.dmp

Filesize
5.7MB

Download
memory/1208-1-0x0000000001B60000-0x0000000001B70000-memory.dmp

Filesize
64KB

Download
memory/1208-11-0x0000000073270000-0x0000000073298000-memory.dmp

Filesize
160KB

Download
memory/1480-184-0x0000000004520000-0x0000000004530000-memory.dmp

Filesize
64KB

Download
memory/1480-250-0x000000006ED70000-0x000000006EDBC000-memory.dmp

Filesize
304KB

Download
memory/1480-183-0x0000000004520000-0x0000000004530000-memory.dmp

Filesize
64KB

Download
memory/1480-189-0x0000000071B70000-0x0000000072320000-memory.dmp

Filesize
7.7MB

Download
memory/1484-42-0x00000000011A0000-0x00000000011B0000-memory.dmp

Filesize
64KB

Download
memory/1484-53-0x0000000072320000-0x0000000072348000-memory.dmp

Filesize
160KB

Download
memory/1484-39-0x0000000074D60000-0x0000000075311000-memory.dmp

Filesize
5.7MB

Download
memory/1484-51-0x0000000073A80000-0x0000000073ADB000-memory.dmp

Filesize
364KB

Download
memory/1484-52-0x0000000074D60000-0x0000000075311000-memory.dmp

Filesize
5.7MB

Download
memory/1752-98-0x00000000048A0000-0x00000000048B0000-memory.dmp

Filesize
64KB

Download
memory/1752-79-0x00000000048A0000-0x00000000048B0000-memory.dmp

Filesize
64KB

Download
memory/1752-68-0x0000000071B70000-0x0000000072320000-memory.dmp

Filesize
7.7MB

Download
memory/1752-248-0x000000006ED70000-0x000000006EDBC000-memory.dmp

Filesize
304KB

Download
memory/2100-65-0x0000000071B70000-0x0000000072320000-memory.dmp

Filesize
7.7MB

Download
memory/2100-195-0x000000007F9B0000-0x000000007F9C0000-memory.dmp

Filesize
64KB

Download
memory/2100-67-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/2100-202-0x000000006ED70000-0x000000006EDBC000-memory.dmp

Filesize
304KB

Download
memory/2100-193-0x0000000006FB0000-0x0000000006FE2000-memory.dmp

Filesize
200KB

Download
memory/2628-191-0x0000000006850000-0x000000000689C000-memory.dmp

Filesize
304KB

Download
memory/2628-60-0x0000000002B60000-0x0000000002B70000-memory.dmp

Filesize
64KB

Download
memory/2628-220-0x0000000007450000-0x00000000074F3000-memory.dmp

Filesize
652KB

Download
memory/2628-190-0x0000000006250000-0x000000000626E000-memory.dmp

Filesize
120KB

Download
memory/2628-56-0x0000000002930000-0x0000000002966000-memory.dmp

Filesize
216KB

Download
memory/2628-196-0x000000006ED70000-0x000000006EDBC000-memory.dmp

Filesize
304KB

Download
memory/2628-59-0x0000000071B70000-0x0000000072320000-memory.dmp

Filesize
7.7MB

Download
memory/2852-102-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/2852-101-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/2852-187-0x0000000071B70000-0x0000000072320000-memory.dmp

Filesize
7.7MB

Download
memory/2868-40-0x0000021AF7700000-0x0000021AF7708000-memory.dmp

Filesize
32KB

Download
memory/2868-192-0x00007FFE27410000-0x00007FFE27ED1000-memory.dmp

Filesize
10.8MB

Download
memory/2868-55-0x00007FFE27410000-0x00007FFE27ED1000-memory.dmp

Filesize
10.8MB

Download
memory/2868-54-0x0000021AF9480000-0x0000021AF9490000-memory.dmp

Filesize
64KB

Download
memory/3472-57-0x0000000071B70000-0x0000000072320000-memory.dmp

Filesize
7.7MB

Download
memory/3472-209-0x000000006ED70000-0x000000006EDBC000-memory.dmp

Filesize
304KB

Download
memory/3472-80-0x0000000005F90000-0x0000000005FF6000-memory.dmp

Filesize
408KB

Download
memory/3472-185-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/3472-63-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/3472-78-0x0000000005EB0000-0x0000000005F16000-memory.dmp

Filesize
408KB

Download
memory/3472-66-0x0000000005D10000-0x0000000005D32000-memory.dmp

Filesize
136KB

Download
memory/3472-58-0x0000000005520000-0x0000000005B48000-memory.dmp

Filesize
6.2MB

Download
memory/3624-188-0x0000000071B70000-0x0000000072320000-memory.dmp

Filesize
7.7MB

Download
memory/3624-208-0x000000006ED70000-0x000000006EDBC000-memory.dmp

Filesize
304KB

Download
memory/3624-210-0x000000007F980000-0x000000007F990000-memory.dmp

Filesize
64KB

Download
memory/3624-64-0x00000000053C0000-0x00000000053D0000-memory.dmp

Filesize
64KB

Download
memory/3816-112-0x0000000071B70000-0x0000000072320000-memory.dmp

Filesize
7.7MB

Download
memory/3816-113-0x00000000047C0000-0x00000000047D0000-memory.dmp

Filesize
64KB

Download
memory/3816-114-0x00000000047C0000-0x00000000047D0000-memory.dmp

Filesize
64KB

Download
memory/4300-100-0x00000000063B0000-0x0000000006704000-memory.dmp

Filesize
3.3MB

Download
memory/4300-62-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/4300-61-0x0000000071B70000-0x0000000072320000-memory.dmp

Filesize
7.7MB

Download
memory/4300-186-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/4344-207-0x0000000006CC0000-0x0000000006CDE000-memory.dmp

Filesize
120KB

Download
memory/4344-249-0x000000007F3C0000-0x000000007F3D0000-memory.dmp

Filesize
64KB

Download
memory/4344-194-0x000000006ED70000-0x000000006EDBC000-memory.dmp

Filesize
304KB

Download
memory/4344-155-0x0000000002280000-0x0000000002290000-memory.dmp

Filesize
64KB

Download
memory/4344-154-0x0000000071B70000-0x0000000072320000-memory.dmp

Filesize
7.7MB

Download
memory/4956-134-0x0000000002870000-0x0000000002880000-memory.dmp

Filesize
64KB

Download
memory/4956-135-0x0000000002870000-0x0000000002880000-memory.dmp

Filesize
64KB

Download
memory/4956-133-0x0000000071B70000-0x0000000072320000-memory.dmp

Filesize
7.7MB

Download
memory/5988-343-0x0000000073A80000-0x0000000073ADB000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads