Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\secinit\sdchange.exe	N/A
N/A	N/A	C:\Users\Admin\secinit\sdchange.exe	N/A
N/A	N/A	C:\Users\Admin\secinit\sdchange.exe	N/A

Legitimate hosting services abused for malware hosting/C2

Description	Indicator	Process	Target
N/A	pastebin.com	N/A	N/A
N/A	pastebin.com	N/A	N/A

Maps connected drives based on registry

Description	Indicator	Process	Target
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	N/A
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	N/A

AutoIT Executable

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A

Suspicious use of SetThreadContext

Description	Indicator	Process	Target
PID 2020 set thread context of 1728	N/A	C:\Users\Admin\AppData\Local\Temp\c819e2b4d2c91d98aae0304c1ff5aa38.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2504 set thread context of 2588	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1264 set thread context of 1684	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1588 set thread context of 2212	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2020 wrote to memory of 1728	N/A	C:\Users\Admin\AppData\Local\Temp\c819e2b4d2c91d98aae0304c1ff5aa38.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2020 wrote to memory of 1728	N/A	C:\Users\Admin\AppData\Local\Temp\c819e2b4d2c91d98aae0304c1ff5aa38.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2020 wrote to memory of 1728	N/A	C:\Users\Admin\AppData\Local\Temp\c819e2b4d2c91d98aae0304c1ff5aa38.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2020 wrote to memory of 1728	N/A	C:\Users\Admin\AppData\Local\Temp\c819e2b4d2c91d98aae0304c1ff5aa38.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2020 wrote to memory of 1728	N/A	C:\Users\Admin\AppData\Local\Temp\c819e2b4d2c91d98aae0304c1ff5aa38.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2020 wrote to memory of 1728	N/A	C:\Users\Admin\AppData\Local\Temp\c819e2b4d2c91d98aae0304c1ff5aa38.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2020 wrote to memory of 1728	N/A	C:\Users\Admin\AppData\Local\Temp\c819e2b4d2c91d98aae0304c1ff5aa38.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2020 wrote to memory of 1728	N/A	C:\Users\Admin\AppData\Local\Temp\c819e2b4d2c91d98aae0304c1ff5aa38.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2020 wrote to memory of 1728	N/A	C:\Users\Admin\AppData\Local\Temp\c819e2b4d2c91d98aae0304c1ff5aa38.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2020 wrote to memory of 1972	N/A	C:\Users\Admin\AppData\Local\Temp\c819e2b4d2c91d98aae0304c1ff5aa38.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2020 wrote to memory of 1972	N/A	C:\Users\Admin\AppData\Local\Temp\c819e2b4d2c91d98aae0304c1ff5aa38.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2020 wrote to memory of 1972	N/A	C:\Users\Admin\AppData\Local\Temp\c819e2b4d2c91d98aae0304c1ff5aa38.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2020 wrote to memory of 1972	N/A	C:\Users\Admin\AppData\Local\Temp\c819e2b4d2c91d98aae0304c1ff5aa38.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2200 wrote to memory of 2504	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\secinit\sdchange.exe
PID 2200 wrote to memory of 2504	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\secinit\sdchange.exe
PID 2200 wrote to memory of 2504	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\secinit\sdchange.exe
PID 2200 wrote to memory of 2504	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\secinit\sdchange.exe
PID 2504 wrote to memory of 2588	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2504 wrote to memory of 2588	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2504 wrote to memory of 2588	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2504 wrote to memory of 2588	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2504 wrote to memory of 2588	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2504 wrote to memory of 2588	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2504 wrote to memory of 2588	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2504 wrote to memory of 2588	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2504 wrote to memory of 2588	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2504 wrote to memory of 2536	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2504 wrote to memory of 2536	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2504 wrote to memory of 2536	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2504 wrote to memory of 2536	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2200 wrote to memory of 1264	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\secinit\sdchange.exe
PID 2200 wrote to memory of 1264	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\secinit\sdchange.exe
PID 2200 wrote to memory of 1264	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\secinit\sdchange.exe
PID 2200 wrote to memory of 1264	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\secinit\sdchange.exe
PID 1264 wrote to memory of 1684	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1264 wrote to memory of 1684	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1264 wrote to memory of 1684	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1264 wrote to memory of 1684	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1264 wrote to memory of 1684	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1264 wrote to memory of 1684	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1264 wrote to memory of 1684	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1264 wrote to memory of 1684	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1264 wrote to memory of 1684	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1264 wrote to memory of 240	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1264 wrote to memory of 240	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1264 wrote to memory of 240	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1264 wrote to memory of 240	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2200 wrote to memory of 1588	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\secinit\sdchange.exe
PID 2200 wrote to memory of 1588	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\secinit\sdchange.exe
PID 2200 wrote to memory of 1588	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\secinit\sdchange.exe
PID 2200 wrote to memory of 1588	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\secinit\sdchange.exe
PID 1588 wrote to memory of 2212	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1588 wrote to memory of 2212	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1588 wrote to memory of 2212	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1588 wrote to memory of 2212	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1588 wrote to memory of 2212	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1588 wrote to memory of 2212	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1588 wrote to memory of 2212	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1588 wrote to memory of 2212	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1588 wrote to memory of 2212	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1588 wrote to memory of 1252	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1588 wrote to memory of 1252	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1588 wrote to memory of 1252	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1588 wrote to memory of 1252	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c819e2b4d2c91d98aae0304c1ff5aa38.exe

"C:\Users\Admin\AppData\Local\Temp\c819e2b4d2c91d98aae0304c1ff5aa38.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F

C:\Windows\system32\taskeng.exe

taskeng.exe {19F93AAD-5AF1-472A-8BA8-6006DBF6AEAD} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\Users\Admin\secinit\sdchange.exe

C:\Users\Admin\secinit\sdchange.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F

C:\Users\Admin\secinit\sdchange.exe

C:\Users\Admin\secinit\sdchange.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F

C:\Users\Admin\secinit\sdchange.exe

C:\Users\Admin\secinit\sdchange.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	pastebin.com	udp
US	104.20.67.143:443	pastebin.com	tcp

Files

memory/2020-0-0x0000000000110000-0x0000000000111000-memory.dmp

memory/1728-1-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1728-2-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1728-5-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1728-7-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1728-8-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1728-11-0x0000000074110000-0x00000000746BB000-memory.dmp

C:\Users\Admin\secinit\sdchange.exe

MD5	422e25352d7ca91bea1753312de65466
SHA1	aebcddda6623d1e44a47d88866f4f3c24c15bf44
SHA256	3bd47218aa5e92140b982b30ef5f5160a6b6ce06b8a817af5a3346e0609e8fe3
SHA512	cac08f8e5a8d75486860d83d92580d7bba133dae5f8067fe271b74864458f5e474814860a64b47bb661215e474c2c1528a03e0f83c36167dc005e97b7c8f36f5

memory/2588-16-0x0000000000090000-0x000000000009C000-memory.dmp

memory/2588-21-0x0000000000090000-0x000000000009C000-memory.dmp

memory/2588-22-0x0000000000090000-0x000000000009C000-memory.dmp

memory/2588-23-0x0000000074110000-0x00000000746BB000-memory.dmp

memory/2588-24-0x0000000074110000-0x00000000746BB000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5	753df6889fd7410a2e9fe333da83a429
SHA1	3c425f16e8267186061dd48ac1c77c122962456e
SHA256	b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512	9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\TarB3FC.tmp

MD5	dd73cead4b93366cf3465c8cd32e2796
SHA1	74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256	a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512	ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

memory/1728-62-0x0000000074110000-0x00000000746BB000-memory.dmp

memory/1684-73-0x0000000074110000-0x00000000746BB000-memory.dmp

memory/1684-74-0x0000000074110000-0x00000000746BB000-memory.dmp

memory/2212-80-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2212-84-0x0000000074110000-0x00000000746BB000-memory.dmp

memory/2212-85-0x0000000074110000-0x00000000746BB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-14 07:53

Reported

2024-03-14 07:56

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c819e2b4d2c91d98aae0304c1ff5aa38.exe"

Signatures

LimeRAT

rat limerat

Checks computer location settings

Description	Indicator	Process	Target
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Local\Temp\c819e2b4d2c91d98aae0304c1ff5aa38.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\secinit\sdchange.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\secinit\sdchange.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\secinit\sdchange.exe	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\secinit\sdchange.exe	N/A
N/A	N/A	C:\Users\Admin\secinit\sdchange.exe	N/A
N/A	N/A	C:\Users\Admin\secinit\sdchange.exe	N/A

Legitimate hosting services abused for malware hosting/C2

Description	Indicator	Process	Target
N/A	pastebin.com	N/A	N/A
N/A	pastebin.com	N/A	N/A

Maps connected drives based on registry

Description	Indicator	Process	Target
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	N/A
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	N/A

AutoIT Executable

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A

Suspicious use of SetThreadContext

Description	Indicator	Process	Target
PID 1492 set thread context of 3800	N/A	C:\Users\Admin\AppData\Local\Temp\c819e2b4d2c91d98aae0304c1ff5aa38.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3656 set thread context of 1988	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1176 set thread context of 4012	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3236 set thread context of 2004	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 1492 wrote to memory of 3800	N/A	C:\Users\Admin\AppData\Local\Temp\c819e2b4d2c91d98aae0304c1ff5aa38.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1492 wrote to memory of 3800	N/A	C:\Users\Admin\AppData\Local\Temp\c819e2b4d2c91d98aae0304c1ff5aa38.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1492 wrote to memory of 3800	N/A	C:\Users\Admin\AppData\Local\Temp\c819e2b4d2c91d98aae0304c1ff5aa38.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1492 wrote to memory of 3800	N/A	C:\Users\Admin\AppData\Local\Temp\c819e2b4d2c91d98aae0304c1ff5aa38.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1492 wrote to memory of 3800	N/A	C:\Users\Admin\AppData\Local\Temp\c819e2b4d2c91d98aae0304c1ff5aa38.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1492 wrote to memory of 1276	N/A	C:\Users\Admin\AppData\Local\Temp\c819e2b4d2c91d98aae0304c1ff5aa38.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1492 wrote to memory of 1276	N/A	C:\Users\Admin\AppData\Local\Temp\c819e2b4d2c91d98aae0304c1ff5aa38.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1492 wrote to memory of 1276	N/A	C:\Users\Admin\AppData\Local\Temp\c819e2b4d2c91d98aae0304c1ff5aa38.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3656 wrote to memory of 1988	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3656 wrote to memory of 1988	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3656 wrote to memory of 1988	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3656 wrote to memory of 1988	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3656 wrote to memory of 1988	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3656 wrote to memory of 3116	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3656 wrote to memory of 3116	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3656 wrote to memory of 3116	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1176 wrote to memory of 4012	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1176 wrote to memory of 4012	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1176 wrote to memory of 4012	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1176 wrote to memory of 4012	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1176 wrote to memory of 4012	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1176 wrote to memory of 1892	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1176 wrote to memory of 1892	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1176 wrote to memory of 1892	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3236 wrote to memory of 2004	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3236 wrote to memory of 2004	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3236 wrote to memory of 2004	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3236 wrote to memory of 2004	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3236 wrote to memory of 2004	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3236 wrote to memory of 4300	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3236 wrote to memory of 4300	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3236 wrote to memory of 4300	N/A	C:\Users\Admin\secinit\sdchange.exe	C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c819e2b4d2c91d98aae0304c1ff5aa38.exe

"C:\Users\Admin\AppData\Local\Temp\c819e2b4d2c91d98aae0304c1ff5aa38.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F

C:\Users\Admin\secinit\sdchange.exe

C:\Users\Admin\secinit\sdchange.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F

C:\Users\Admin\secinit\sdchange.exe

C:\Users\Admin\secinit\sdchange.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F

C:\Users\Admin\secinit\sdchange.exe

C:\Users\Admin\secinit\sdchange.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	149.177.190.20.in-addr.arpa	udp
US	8.8.8.8:53	g.bing.com	udp
US	204.79.197.200:443	g.bing.com	tcp
US	8.8.8.8:53	228.249.119.40.in-addr.arpa	udp
US	8.8.8.8:53	187.178.17.96.in-addr.arpa	udp
US	8.8.8.8:53	241.154.82.20.in-addr.arpa	udp
US	8.8.8.8:53	55.36.223.20.in-addr.arpa	udp
US	8.8.8.8:53	41.110.16.96.in-addr.arpa	udp
US	8.8.8.8:53	pastebin.com	udp
US	104.20.67.143:443	pastebin.com	tcp
US	8.8.8.8:53	143.67.20.104.in-addr.arpa	udp
US	8.8.8.8:53	183.59.114.20.in-addr.arpa	udp
US	8.8.8.8:53	171.39.242.20.in-addr.arpa	udp
US	8.8.8.8:53	18.134.221.88.in-addr.arpa	udp
US	8.8.8.8:53	205.47.74.20.in-addr.arpa	udp
US	8.8.8.8:53	175.178.17.96.in-addr.arpa	udp
US	8.8.8.8:53	13.227.111.52.in-addr.arpa	udp
US	8.8.8.8:53	tse1.mm.bing.net	udp
US	204.79.197.200:443	tse1.mm.bing.net	tcp
US	204.79.197.200:443	tse1.mm.bing.net	tcp
US	204.79.197.200:443	tse1.mm.bing.net	tcp
US	204.79.197.200:443	tse1.mm.bing.net	tcp
US	204.79.197.200:443	tse1.mm.bing.net	tcp
US	8.8.8.8:53	88.16.208.104.in-addr.arpa	udp

Files

memory/1492-0-0x00000000033B0000-0x00000000033B1000-memory.dmp

memory/3800-1-0x0000000000400000-0x000000000040C000-memory.dmp

memory/3800-5-0x0000000074970000-0x0000000074F21000-memory.dmp

memory/3800-6-0x0000000074970000-0x0000000074F21000-memory.dmp

memory/3800-7-0x0000000001200000-0x0000000001210000-memory.dmp

C:\Users\Admin\secinit\sdchange.exe

MD5	e10d368f33b1b0d03efc001f8ddd0759
SHA1	8f535181286052b0d9e304e2b91984fa3b50bce6
SHA256	69961eb28015c4ad525e5ef2f236262130c0e19d95a9660788726e5960de9399
SHA512	54e1fc5e71f717183e28dc6d0228b0aef0a7c4c061a5bf6387d765456017ed11652873b9a63c26bcaed1edfa7cdeae6a5db28fd4ad6d15128d8aa20b9ff4ce7f

memory/1988-12-0x0000000000780000-0x000000000078C000-memory.dmp

memory/1988-16-0x0000000074970000-0x0000000074F21000-memory.dmp

memory/1988-17-0x00000000025F0000-0x0000000002600000-memory.dmp

memory/1988-18-0x0000000074970000-0x0000000074F21000-memory.dmp

memory/1988-21-0x0000000074970000-0x0000000074F21000-memory.dmp

memory/3800-22-0x0000000074970000-0x0000000074F21000-memory.dmp

memory/3800-23-0x0000000074970000-0x0000000074F21000-memory.dmp

memory/3800-24-0x0000000001200000-0x0000000001210000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log

MD5	9f893d94b017a0684012d50319c9ffbe
SHA1	140cc2cb6b2520ba4f9a1f666a5f679853472793
SHA256	8a7cb420c82edf1bb2c7bdfef52091e5169fabaecc370e120985e91406fcbbec
SHA512	4b7df94d3622b82d852b0f532d7fd810ca2113d7b737ec417023d5b2142e9e79414a06d22647d73f8bc114f8e871a3a741a479b0aba48892f9078975ec78acba

memory/4012-32-0x0000000001540000-0x0000000001550000-memory.dmp

memory/4012-31-0x0000000074970000-0x0000000074F21000-memory.dmp

memory/4012-33-0x0000000074970000-0x0000000074F21000-memory.dmp

memory/4012-34-0x0000000074970000-0x0000000074F21000-memory.dmp

memory/2004-40-0x0000000074970000-0x0000000074F21000-memory.dmp

memory/2004-41-0x0000000074970000-0x0000000074F21000-memory.dmp

memory/2004-42-0x0000000000A60000-0x0000000000A70000-memory.dmp

memory/2004-43-0x0000000074970000-0x0000000074F21000-memory.dmp

Sample ID	240314-jree1age46
Target	c819e2b4d2c91d98aae0304c1ff5aa38
SHA256	f46f42d48bccbc1ddf2758cac437b81e6d6c6d3e920d29ef2cbe627cc6a5f89f
Tags	limerat rat

Malware Analysis Report

2024-09-11 10:04

Table of Contents

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files