Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

80aabd5337...5a.exe

windows7-x64

10

80aabd5337...5a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    29/01/2024, 19:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    80aabd5337136686aefe2ff1e6da8d5a.exe

  • Size

    563KB

  • MD5

    80aabd5337136686aefe2ff1e6da8d5a

  • SHA1

    a749d303f5a928cff0d66ac23a704b90837ea0f9

  • SHA256

    afd7b91be42e614fa8f3488f8cf2024b1a5b364c4b66c514fa86940b06c93515

  • SHA512

    5472e503c6e18297efcac3cb0b78dd1c4798f6d60695bf738aba8cfdf42902a2b9d5fb0bf35503750efd6a31ea1cb0144fa07f3f31aeaaee8bd492c0a501fe5a

  • SSDEEP

    12288:6V6zPygCa+DZjF1/A/ZMvGTsv+wD1IRJ+ZN1JBCGoOdnq1T:c6zPXCa+DZj3/SOvPGkZ13ox

Score
10/10
limeratrat

Malware Config

Extracted

Family

limerat

Wallets

False

Attributes
  • aes_key

    admin12345$

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/dd1yrjpH

  • download_payload

    false

  • install

    false

  • install_name

    settings.exe

  • main_folder

    False

  • payload_url

    True

  • pin_spread

    false

  • sub_folder

    True

  • usb_spread

    false

Signatures

  • Contains code to disable Windows Defender 3 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

    ratlimerat
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\80aabd5337136686aefe2ff1e6da8d5a.exe
    "C:\Users\Admin\AppData\Local\Temp\80aabd5337136686aefe2ff1e6da8d5a.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2572
    • C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc MINUTE /mo 5 /RL LIMITED /tn UDMR /tr "'C:\ProgramData\Provisioning\settings.exe'"
      2⤵
      • Creates scheduled task(s)
      PID:2448
    • C:\Windows\system32\cmd.exe
      cmd /c attrib +H +S "C:\ProgramData\\Provisioning" & attrib +H +S "C:\ProgramData\\Provisioning\*" /S /D
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2864
      • C:\Windows\system32\attrib.exe
        attrib +H +S "C:\ProgramData\\Provisioning"
        3⤵
        • Views/modifies file attributes
        PID:2840
      • C:\Windows\system32\attrib.exe
        attrib +H +S "C:\ProgramData\\Provisioning\*" /S /D
        3⤵
        • Views/modifies file attributes
        PID:2640
    • C:\ProgramData\Provisioning\settings.exe
      "C:\ProgramData\Provisioning\settings.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc MINUTE /mo 5 /RL LIMITED /tn UDMR /tr "'C:\ProgramData\Provisioning\settings.exe'"
        3⤵
        • Creates scheduled task(s)
        PID:2688
      • C:\Windows\system32\cmd.exe
        cmd /c attrib +H +S "C:\ProgramData\\Provisioning" & attrib +H +S "C:\ProgramData\\Provisioning\*" /S /D
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1580
        • C:\Windows\system32\attrib.exe
          attrib +H +S "C:\ProgramData\\Provisioning"
          4⤵
          • Views/modifies file attributes
          PID:668
        • C:\Windows\system32\attrib.exe
          attrib +H +S "C:\ProgramData\\Provisioning\*" /S /D
          4⤵
          • Views/modifies file attributes
          PID:512

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Provisioning\settings.exe
    Filesize

    563KB

    MD5

    80aabd5337136686aefe2ff1e6da8d5a

    SHA1

    a749d303f5a928cff0d66ac23a704b90837ea0f9

    SHA256

    afd7b91be42e614fa8f3488f8cf2024b1a5b364c4b66c514fa86940b06c93515

    SHA512

    5472e503c6e18297efcac3cb0b78dd1c4798f6d60695bf738aba8cfdf42902a2b9d5fb0bf35503750efd6a31ea1cb0144fa07f3f31aeaaee8bd492c0a501fe5a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabB7AE.tmp
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarB84D.tmp
    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

    Download Submit

  • C:\Users\Admin\AppData\Roaming\LinkM\settings.exe.lnk
    Filesize

    818B

    MD5

    3798d4cc9ccec9f631b976031436b9d7

    SHA1

    48e749f1fecc9b320349712e69e5d14304f0a820

    SHA256

    d2739833e78366320c6078534632856e7d9c53367ef2122a691f0edc285d0755

    SHA512

    f0780bb80f47a759c2fa20a192eef65ee52045689cd1826349556f1491cd85d1b35ab2a712c7c0f2834f87354d7bd9ea12aa0adbe0fb7134c5ce1c05761641d5

    Download Submit

  • memory/2572-0-0x00000000010E0000-0x0000000001172000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2572-12-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2572-6-0x000000001B3A0000-0x000000001B420000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2572-1-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3028-8-0x0000000000BE0000-0x0000000000C72000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3028-9-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3028-13-0x000000001B2B0000-0x000000001B330000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3028-48-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3028-49-0x000000001B2B0000-0x000000001B330000-memory.dmp

    Filesize

    512KB

    Download