Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
145s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
06/02/2024, 02:53
General
-
Target
93a51bb3d03a1cebf76e63d8bdb3af04.exe
-
Size
684KB
-
MD5
93a51bb3d03a1cebf76e63d8bdb3af04
-
SHA1
0868306dcb3a1f21fdda94e7125ad3aa2ad2dfa9
-
SHA256
729782176df07dcab88ca6d476c8b78b6b78a104d5df713a526cbf8baad1ddb5
-
SHA512
17c69bdbfbe71e80dbca83b967b6d9d77a4f63e0ea46b4c418ed7b3f318cda4603c8245b06a4d67a897baf8d8c2899bfb5da2932b0aea52d8c217752eeccc830
-
SSDEEP
12288:0JOpPEhZTl8pBRxhHLMmyLgIO3GsaMJcR/Vn+R9KVYszf:0JyPEhZB8pBlHomy0IO3GsId+R9KV1f
Malware Config
Extracted
limerat
-
antivm
false
-
c2_url
https://pastebin.com/raw/tDBQY6gT
-
download_payload
false
-
install
false
-
pin_spread
false
-
usb_spread
false
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Obfuscated with Agile.Net obfuscator 3 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of WriteProcessMemory 50 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\93a51bb3d03a1cebf76e63d8bdb3af04.exe"C:\Users\Admin\AppData\Local\Temp\93a51bb3d03a1cebf76e63d8bdb3af04.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\script.vbs"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\SysWOW64\WScript.exe" "C:\ProgramData\script.vbs" /elevate3⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 24⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 04⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 64⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 64⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 64⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\ProgramData\.exe"C:\ProgramData\.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\System32\Window Security Notification.exe'"3⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\System32\Window Security Notification.exe"C:\Users\Admin\System32\Window Security Notification.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\temp.exe"C:\ProgramData\temp.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
313KB
MD5bfe968b719b9567e0914105d2f5f80a4
SHA1de78dee76dec96235312fa82ebebc51f114483c9
SHA256a96147860e86e8f6a898e7bf77c05596790595c10a63271a2dce89d56fc49dac
SHA51287040e0beacfdbce3a401e09bb912e67544f7f0cd8de6bacbf710fddd6ac5e143dca08049de006d844b8b50131de98f56faf953328f40aaedfa2675186d5d5d4
-
Filesize
243KB
MD5cd161d9bc56bf90a84925c34d39d82b8
SHA167010969279885dfe4aa02e4924f92e5cb9e0e5a
SHA256e03ec41e1735f54fc7da61e176b15ab782935181f82b13700a82a9ad694140d0
SHA512488729cc31a10d74ad7727c3355755a2c791755fd969fd39183177ce69738dfebe6e764bdcf04f7104a390cb8ed52440c3b25894ce1892818a727a011bd01a5c
-
Filesize
1KB
MD5dd82baf02caac1567f2277edca89a912
SHA136f5d8c2a67f31768b1116bb87f77b049ffd3f63
SHA256038802b33f5e7179ad59105099681003c68fdb9b3c757540e737564c1b460533
SHA5126825e10fbb3fec3619cd0b2d36f6490f28301fd723fa9b2b52403aa3d8c2e39b7bb04eedc937c5fdf76f511e9e75e533ef6cfce07d398fe13b52896c3e343554
-
Filesize
10KB
MD5c26e4cd9bc956f25ec249bcb75900ab2
SHA1f2a80a50639ec0c5a438c867b37ca03df286017c
SHA25680b261cf3b2206cd8786afd2b401b83dab0b97bf13d128d846910b61fde01876
SHA51271b9efcab7aae3da89e0694f29879ac786c465a9510d8b43f0ce5f629fdda3ab6be899992b7d6e94ad6ba7558cb8b4e6f29f572b188534f68e33a792e5308387
-
Filesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
Filesize
18KB
MD58fcd5c49d46760620232775ab1caf0cc
SHA1b54e48310e782ae3299bb357c8fdfe0083c8a334
SHA25672b13f97309c114882c76c18e5f05af1e0359d5723642c21c87daae48d83aeea
SHA512be592ed6a319716fc5b9a55a51683a4026b53c2e70c1b847fafc24abb739fe265cad7b1527d93bacf6bbe75c6b25b3194cd761fce88e02f371044a441baa74ae
-
Filesize
18KB
MD502521ff4f894ba541ed699a883adf9b5
SHA18f10970458a48e6b39d90e2af03881c23fda8503
SHA2565911d97b0b146111d4465c10244985e12d2d04b6c1a529d4ef6c21442e9626ad
SHA51238b0e5d5e444db467b06f8d145403bc7e352aa3f832a1710954fd32db743b31307766ec9ccebe15c0f9feb01e39c73a9b4bdcc72c7c85dd0d05a18bcd70dfdfc
-
Filesize
18KB
MD5632543076d6785d83adbe6b279cf69f8
SHA10262045a467cacfe28d243fd373b25b30562217c
SHA25630fd5a4cce8593998341cb05eb9ef16a801cf9eb302d7258475b864c4af402a1
SHA51288ea312c40af3f6f31347aea9ce7c256b3e014071dc635e7df49ac01b14ada4142a2491024ce605dcfb804e00681fa2bc6f090eaaffd14d45608a3af10cba42f
-
Filesize
18KB
MD5effcf2455b4fec24756a3785917b8890
SHA1f7d9c93289c5bfd9364519aafa5e0678c0680c28
SHA25619aaad3e221171236d9f11a56b99ada813af3c40a79242f12a0d76ff8c0c7051
SHA512cdd97286a25e0daeab153badf2fb89bc6c521406462c1dcb85f63da8a71ec9883c6d88029faf3b20945b5b750098d2692330b1671b403f48c7e5e0de3db9d292
-
Filesize
18KB
MD579ef33ab6bd7c9ec07009004336d10f3
SHA157f08e573eb02c78bd84151b5b219868a65e1d9f
SHA2564effed6d148252b7713489b6d2a994efa8ca0d7d52ad2fc3cd92e080344a7569
SHA512b13dea9bea2de419d003c867b1721df3143c366ee20d9ed2ca3727ed62f8616c391843c7e4cf5e2f2b59cc3b94aabfef851fc4e6851a623196b417d716980581
-
Filesize
140KB
MD5edd74be9723cdc6a5692954f0e51c9f3
SHA1e9fb66ceee1ba4ce7e5b8271b3e1ed7cb9acf686
SHA25655ff1e0a4e5866d565ceeb9baafac73fdcb4464160fc6c78104d935009935cd7
SHA51280abecdd07f364283f216d8f4d90a4da3efd4561900631fce05c2916afeb1b5bbce23ae92d57430b7b2b06c172b2ad701b2ab75b6dfd2a861abcf7edc38462f3
-
Filesize
127KB
MD52b7a6a5b959ab880568e59fd80445d14
SHA17122bbe2acdc7156073560ec29d09fafe8c95b69
SHA256e8f2f94010ea2c150b68b287e2f9bb1df10a0219ca812cc05eee6559c27ae9c6
SHA5126bcc66cceb3b164842cf14185da8247f201c407ab4869c6801fef22f562829d91a0f1d83d050aea463b72605a740999db67ecb16c2fc738ca0aa4531a99d843d
-
Filesize
130KB
MD5ab2b4c6f4226b31cac13a834f18d17c6
SHA1678c218b76201c3debe487ed8fc58a1e55077a9d
SHA25659cca04e937663bd413f52d90781f14247324880e0773e7cd4200ab92ff21391
SHA512c6ae89fd5b95646dbcac850659df2e1427d51f9f0cbf556509abe124cc8683e0806187601fbce591f60fc5db2230c864cf82b8578610020f5b6ce6c406a8afac
-
Filesize
69KB
MD51c48331789923fac6f82d0a0b25a6b5f
SHA1c29df47662fc2d0e766e638dffecd4c73c224045
SHA256a9b8921b205ba0e9b33ffa1bb53fe84fe46639cae6a95885886bdfadba08a96a
SHA51291cc8f927d95d89ad86be921feed96dbfccbaa3aba174e1b21b9b9c8af61055e6e09958382efe5b8aa5e1b68cb929558ef71144aa1c3caf691b57021dc2be14f
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
300KB
MD5de8f511d7e835274ca24674412344add
SHA1bacb9001db825ce2c040550926e353befe70d89c
SHA256a1137da164f03b5f9e04728916d573b8835f174b0c39170e8c56c0a49608cedf
SHA5126d9cce7ad1798e8bb962fd2a5585679492353471acfd5b55cf6dc273642f9f9418b99e5f95a969d62623c56fddcc39e68c1f1c9b0e7bc13393f9daeae031f318
-
Filesize
160KB
-
Filesize
5.7MB
-
Filesize
64KB
-
Filesize
5.7MB
-
Filesize
364KB
-
Filesize
5.7MB
-
Filesize
7.7MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
216KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
364KB
-
Filesize
160KB
-
Filesize
5.7MB
-
Filesize
160KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
652KB
-
Filesize
104KB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
6.5MB
-
Filesize
364KB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB