Analysis
  max time kernel: 145s
  max time network: 149s
  platform: windows10-2004_x64
  resource: win10v2004-20231215-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 06/02/2024, 02:53
Behavioral task: behavioral1
  Sample: 93a51bb3d03a1cebf76e63d8bdb3af04.exe
  Resource: win7-20231215-en
General
  Target: 93a51bb3d03a1cebf76e63d8bdb3af04.exe
  Size: 684KB
  MD5: 93a51bb3d03a1cebf76e63d8bdb3af04
  SHA1: 0868306dcb3a1f21fdda94e7125ad3aa2ad2dfa9
  SHA256: 729782176df07dcab88ca6d476c8b78b6b78a104d5df713a526cbf8baad1ddb5
  SHA512: 17c69bdbfbe71e80dbca83b967b6d9d77a4f63e0ea46b4c418ed7b3f318cda4603c8245b06a4d67a897baf8d8c2899bfb5da2932b0aea52d8c217752eeccc830
  SSDEEP: 12288:0JOpPEhZTl8pBRxhHLMmyLgIO3GsaMJcR/Vn+R9KVYszf:0JyPEhZB8pBlHomy0IO3GsId+R9KV1f
Malware Config
Extracted: limerat
  antivm: false
  c2_url: https://pastebin.com/raw/tDBQY6gT
  download_payload: false
  install: false
  pin_spread: false
  usb_spread: false
Signatures

Contains code to disable Windows Defender (1 IoC)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource | yara_rule
behavioral2/files/0x00060000000231f9-34.dat | disable_win_def
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | WScript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | WScript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | WScript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | WScript.exe
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | .exe
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | 93a51bb3d03a1cebf76e63d8bdb3af04.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | WScript.exe
Executes dropped EXE (3 IoCs)
pid | Process
560 | .exe
1480 | temp.exe
4592 | Window Security Notification.exe
Loads dropped DLL (3 IoCs)
pid | Process
3956 | 93a51bb3d03a1cebf76e63d8bdb3af04.exe
560 | .exe
4592 | Window Security Notification.exe
Obfuscated with Agile.Net obfuscator (3 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource | yara_rule
behavioral2/files/0x00060000000231fa-19.dat | agile_net
behavioral2/files/0x00060000000231fa-27.dat | agile_net
behavioral2/files/0x0017000000023203-340.dat | agile_net
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow | ioc
21 | pastebin.com
20 | pastebin.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2504 | schtasks.exe
Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings | 93a51bb3d03a1cebf76e63d8bdb3af04.exe
Suspicious behavior: EnumeratesProcesses (33 IoCs)
pid | Process
4436 | powershell.exe
4436 | powershell.exe
3796 | powershell.exe
3796 | powershell.exe
4640 | powershell.exe
4640 | powershell.exe
2364 | powershell.exe
2364 | powershell.exe
4680 | powershell.exe
4680 | powershell.exe
1400 | powershell.exe
1400 | powershell.exe
2588 | powershell.exe
2588 | powershell.exe
2696 | powershell.exe
2696 | powershell.exe
2492 | powershell.exe
2492 | powershell.exe
2808 | powershell.exe
2808 | powershell.exe
3880 | powershell.exe
3880 | powershell.exe
4436 | powershell.exe
2364 | powershell.exe
4640 | powershell.exe
3796 | powershell.exe
4680 | powershell.exe
2492 | powershell.exe
1400 | powershell.exe
2588 | powershell.exe
2696 | powershell.exe
2808 | powershell.exe
3880 | powershell.exe
Suspicious use of AdjustPrivilegeToken (14 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1480 | temp.exe
Token: SeDebugPrivilege | 2364 | powershell.exe
Token: SeDebugPrivilege | 4436 | powershell.exe
Token: SeDebugPrivilege | 3796 | powershell.exe
Token: SeDebugPrivilege | 4640 | powershell.exe
Token: SeDebugPrivilege | 4680 | powershell.exe
Token: SeDebugPrivilege | 1400 | powershell.exe
Token: SeDebugPrivilege | 2588 | powershell.exe
Token: SeDebugPrivilege | 2696 | powershell.exe
Token: SeDebugPrivilege | 2492 | powershell.exe
Token: SeDebugPrivilege | 2808 | powershell.exe
Token: SeDebugPrivilege | 3880 | powershell.exe
Token: SeDebugPrivilege | 4592 | Window Security Notification.exe
Token: SeDebugPrivilege | 4592 | Window Security Notification.exe
Suspicious use of WriteProcessMemory (50 IoCs)
description | pid | Process | procid_target
PID 3956 wrote to memory of 4084 | 3956 | 93a51bb3d03a1cebf76e63d8bdb3af04.exe | 85
PID 3956 wrote to memory of 4084 | 3956 | 93a51bb3d03a1cebf76e63d8bdb3af04.exe | 85
PID 3956 wrote to memory of 4084 | 3956 | 93a51bb3d03a1cebf76e63d8bdb3af04.exe | 85
PID 3956 wrote to memory of 560 | 3956 | 93a51bb3d03a1cebf76e63d8bdb3af04.exe | 86
PID 3956 wrote to memory of 560 | 3956 | 93a51bb3d03a1cebf76e63d8bdb3af04.exe | 86
PID 3956 wrote to memory of 560 | 3956 | 93a51bb3d03a1cebf76e63d8bdb3af04.exe | 86
PID 3956 wrote to memory of 1480 | 3956 | 93a51bb3d03a1cebf76e63d8bdb3af04.exe | 113
PID 3956 wrote to memory of 1480 | 3956 | 93a51bb3d03a1cebf76e63d8bdb3af04.exe | 113
PID 4084 wrote to memory of 5008 | 4084 | WScript.exe | 87
PID 4084 wrote to memory of 5008 | 4084 | WScript.exe | 87
PID 4084 wrote to memory of 5008 | 4084 | WScript.exe | 87
PID 5008 wrote to memory of 3796 | 5008 | WScript.exe | 112
PID 5008 wrote to memory of 3796 | 5008 | WScript.exe | 112
PID 5008 wrote to memory of 3796 | 5008 | WScript.exe | 112
PID 5008 wrote to memory of 2364 | 5008 | WScript.exe | 103
PID 5008 wrote to memory of 2364 | 5008 | WScript.exe | 103
PID 5008 wrote to memory of 2364 | 5008 | WScript.exe | 103
PID 5008 wrote to memory of 4436 | 5008 | WScript.exe | 91
PID 5008 wrote to memory of 4436 | 5008 | WScript.exe | 91
PID 5008 wrote to memory of 4436 | 5008 | WScript.exe | 91
PID 5008 wrote to memory of 4640 | 5008 | WScript.exe | 92
PID 5008 wrote to memory of 4640 | 5008 | WScript.exe | 92
PID 5008 wrote to memory of 4640 | 5008 | WScript.exe | 92
PID 5008 wrote to memory of 4680 | 5008 | WScript.exe | 93
PID 5008 wrote to memory of 4680 | 5008 | WScript.exe | 93
PID 5008 wrote to memory of 4680 | 5008 | WScript.exe | 93
PID 5008 wrote to memory of 1400 | 5008 | WScript.exe | 95
PID 5008 wrote to memory of 1400 | 5008 | WScript.exe | 95
PID 5008 wrote to memory of 1400 | 5008 | WScript.exe | 95
PID 5008 wrote to memory of 2588 | 5008 | WScript.exe | 99
PID 5008 wrote to memory of 2588 | 5008 | WScript.exe | 99
PID 5008 wrote to memory of 2588 | 5008 | WScript.exe | 99
PID 5008 wrote to memory of 2696 | 5008 | WScript.exe | 98
PID 5008 wrote to memory of 2696 | 5008 | WScript.exe | 98
PID 5008 wrote to memory of 2696 | 5008 | WScript.exe | 98
PID 5008 wrote to memory of 2492 | 5008 | WScript.exe | 102
PID 5008 wrote to memory of 2492 | 5008 | WScript.exe | 102
PID 5008 wrote to memory of 2492 | 5008 | WScript.exe | 102
PID 5008 wrote to memory of 2808 | 5008 | WScript.exe | 105
PID 5008 wrote to memory of 2808 | 5008 | WScript.exe | 105
PID 5008 wrote to memory of 2808 | 5008 | WScript.exe | 105
PID 5008 wrote to memory of 3880 | 5008 | WScript.exe | 106
PID 5008 wrote to memory of 3880 | 5008 | WScript.exe | 106
PID 5008 wrote to memory of 3880 | 5008 | WScript.exe | 106
PID 560 wrote to memory of 2504 | 560 | .exe | 115
PID 560 wrote to memory of 2504 | 560 | .exe | 115
PID 560 wrote to memory of 2504 | 560 | .exe | 115
PID 560 wrote to memory of 4592 | 560 | .exe | 117
PID 560 wrote to memory of 4592 | 560 | .exe | 117
PID 560 wrote to memory of 4592 | 560 | .exe | 117
Processes (depth in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\93a51bb3d03a1cebf76e63d8bdb3af04.exe
    "C:\Users\Admin\AppData\Local\Temp\93a51bb3d03a1cebf76e63d8bdb3af04.exe"
    PID: 3956
    - Checks computer location settings
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\script.vbs"
      PID: 4084
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\SysWOW64\WScript.exe" "C:\ProgramData\script.vbs" /elevate
        PID: 5008
        - Modifies Windows Defender Real-time Protection settings
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
          PID: 4436
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
          PID: 4640
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
          PID: 4680
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
          PID: 1400
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
          PID: 2696
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
          PID: 2588
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
          PID: 2492
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
          PID: 2364
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
          PID: 2808
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
          PID: 3880
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
          PID: 3796
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

  [2] C:\ProgramData\.exe
      "C:\ProgramData\.exe"
      PID: 560
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\System32\Window Security Notification.exe'"
        PID: 2504
        - Creates scheduled task(s)

    [3] C:\Users\Admin\System32\Window Security Notification.exe
        "C:\Users\Admin\System32\Window Security Notification.exe"
        PID: 4592
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\ProgramData\temp.exe
      "C:\ProgramData\temp.exe"
      PID: 1480
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15
Downloads