Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 153s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 16/02/2024, 11:09
Static task: static1
Behavioral task: behavioral1
- Sample: a039c46553a47916ff3376b88dde0a81.exe
- Resource: win7-20231215-en
General
- Target: a039c46553a47916ff3376b88dde0a81.exe
- Size: 694KB
- MD5: a039c46553a47916ff3376b88dde0a81
- SHA1: 84e9846e8895c79a3a65cf3e54aa7a52dacf995a
- SHA256: ec781a714d6bc6fac48d59890d9ae594ffd4dbc95710f2da1f1aa3d5b87b9e01
- SHA512: d342258b1f57ed230eb1e3542eebb493edbbf82aa1d62d1d9b3dcc301e6700e69a3feaf99e29544c68b9c6092a70a3a98b872da1485e78e5891f1a2fa8a22c2a
- SSDEEP: 12288:KthfCHBrr9/uuQl7nNPV7mtU1EwiTsej472iNSzAaP:LsxV7my1cFjM1IzAg
Malware Config
Extracted: limerat
- bc1qdajqyl8uarnz63e2we9xchx3zqcd5xcyfshfyk
- aes_key: lime
- antivm: true
- c2_url: https://pastebin.com/raw/4Xj3extx
- delay: 3
- download_payload: false
- install: true
- install_name: Wservices.exe
- main_folder: Temp
- pin_spread: false
- sub_folder: \
- usb_spread: true
Extracted: limerat
- antivm: false
- c2_url: https://pastebin.com/raw/4Xj3extx
- download_payload: false
- install: false
- pin_spread: false
- usb_spread: false
Signatures
- Executes dropped EXE (2 IoCs)
  PID 524: Wservices.exe
  PID 2356: Wservices.exe
- Loads dropped DLL (2 IoCs)
  PID 2980: a039c46553a47916ff3376b88dde0a81.exe
  PID 524: Wservices.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 4: pastebin.com
  flow 5: pastebin.com
- Suspicious use of SetThreadContext (2 IoCs)
  PID 2284 (a039c46553a47916ff3376b88dde0a81.exe) set thread context of PID 2980 (procid_target 33)
  PID 524 (Wservices.exe) set thread context of PID 2356 (procid_target 40)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 1044: schtasks.exe
  PID 2896: schtasks.exe
  PID 564: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs; entry counts in parentheses)
  PID 2284: a039c46553a47916ff3376b88dde0a81.exe (3 entries)
  PID 524: Wservices.exe (1 entry)
  PID 2356: Wservices.exe (5 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege, PID 2284: a039c46553a47916ff3376b88dde0a81.exe
  Token: SeDebugPrivilege, PID 524: Wservices.exe
  Token: SeDebugPrivilege, PID 2356: Wservices.exe (2 entries)
- Suspicious use of WriteProcessMemory (36 IoCs; entry counts in parentheses)
  PID 2284 (a039c46553a47916ff3376b88dde0a81.exe) wrote to memory of PID 1044 (procid_target 30) (4 entries)
  PID 2284 (a039c46553a47916ff3376b88dde0a81.exe) wrote to memory of PID 2964 (procid_target 32) (4 entries)
  PID 2284 (a039c46553a47916ff3376b88dde0a81.exe) wrote to memory of PID 2980 (procid_target 33) (8 entries)
  PID 2980 (a039c46553a47916ff3376b88dde0a81.exe) wrote to memory of PID 2896 (procid_target 35) (4 entries)
  PID 2980 (a039c46553a47916ff3376b88dde0a81.exe) wrote to memory of PID 524 (procid_target 37) (4 entries)
  PID 524 (Wservices.exe) wrote to memory of PID 564 (procid_target 38) (4 entries)
  PID 524 (Wservices.exe) wrote to memory of PID 2356 (procid_target 40) (8 entries)
Processes (process tree; child processes are indented under their parent)
- C:\Users\Admin\AppData\Local\Temp\a039c46553a47916ff3376b88dde0a81.exe (PID 2284)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a039c46553a47916ff3376b88dde0a81.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 1044)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OcuajQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2166.tmp"
    Signatures: Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\a039c46553a47916ff3376b88dde0a81.exe (PID 2964)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a039c46553a47916ff3376b88dde0a81.exe"
  - C:\Users\Admin\AppData\Local\Temp\a039c46553a47916ff3376b88dde0a81.exe (PID 2980)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a039c46553a47916ff3376b88dde0a81.exe"
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 2896)
      Command line: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\Wservices.exe'"
      Signatures: Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\Temp\Wservices.exe (PID 524)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Wservices.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (PID 564)
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OcuajQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp242.tmp"
        Signatures: Creates scheduled task(s)
      - C:\Users\Admin\AppData\Local\Temp\Wservices.exe (PID 2356)
        Command line: "C:\Users\Admin\AppData\Local\Temp\Wservices.exe"
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
- Filesize: 171KB
  MD5: 9c0c641c06238516f27941aa1166d427
  SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
  SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
  SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
- Filesize: 694KB
  MD5: a039c46553a47916ff3376b88dde0a81
  SHA1: 84e9846e8895c79a3a65cf3e54aa7a52dacf995a
  SHA256: ec781a714d6bc6fac48d59890d9ae594ffd4dbc95710f2da1f1aa3d5b87b9e01
  SHA512: d342258b1f57ed230eb1e3542eebb493edbbf82aa1d62d1d9b3dcc301e6700e69a3feaf99e29544c68b9c6092a70a3a98b872da1485e78e5891f1a2fa8a22c2a
- Filesize: 1KB
  MD5: 0d4e8d722457dc070bcbf1925d9c1a2c
  SHA1: 41aec7597bd33302f3eb5e2f2d2ba0b05a3851ee
  SHA256: dbf47e3c57964fcd419e3ba71781ee06d0e0a1cfa2a483cd78e54b1b2030e081
  SHA512: 7edf71078809b57ea9a3724d918aaf4ced80b16c51c57eead7c0bd5b00d31ae412ae0d8dea42591872fdb9613eaf90e09f03a3b3c1906955225432fa9586b5af