Analysis Overview
SHA256
05f0ad4df75e687b4a188f34e31a60afb0a772d32e51f6e77f62ec484e7cf35e
Threat Level: Known bad
The file de02ba99f65d07c4973b33fec5aefdac was found to be: Known bad.
Malicious Activity Summary
LimeRAT
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-03-25 12:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-25 12:27
Reported
2024-03-25 12:29
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
LimeRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\de02ba99f65d07c4973b33fec5aefdac.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBIT Virus Maker 3.1 (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Wservices.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Wservices.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wservices.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Wservices.exe" | C:\Users\Admin\AppData\Local\Temp\de02ba99f65d07c4973b33fec5aefdac.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4992 set thread context of 4904 | N/A | C:\Users\Admin\AppData\Roaming\Wservices.exe | C:\Users\Admin\AppData\Roaming\Wservices.exe |
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBIT Virus Maker 3.1 (1).exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\de02ba99f65d07c4973b33fec5aefdac.exe
"C:\Users\Admin\AppData\Local\Temp\de02ba99f65d07c4973b33fec5aefdac.exe"
C:\Users\Admin\AppData\Local\Temp\TeraBIT Virus Maker 3.1 (1).exe
"C:\Users\Admin\AppData\Local\Temp\TeraBIT Virus Maker 3.1 (1).exe"
C:\Users\Admin\AppData\Roaming\Wservices.exe
"C:\Users\Admin\AppData\Roaming\Wservices.exe"
C:\Users\Admin\AppData\Roaming\Wservices.exe
"C:\Users\Admin\AppData\Roaming\Wservices.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.134.221.88.in-addr.arpa | udp |
Files
memory/2224-0-0x0000000000400000-0x000000000059C000-memory.dmp
memory/2224-1-0x0000000074580000-0x0000000074D30000-memory.dmp
memory/2224-2-0x0000000004A80000-0x0000000004B1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TeraBIT Virus Maker 3.1 (1).exe
| MD5 | 5b7cbfc8d8bc22798ee4fc4aa4b03e3b |
| SHA1 | 76f643b3f67f76f4182ef18e43e298e2e8570044 |
| SHA256 | 35bcbae8dd3191cf58c48618d0cc43fb8fee8493e7c872d7742b4d499c383af9 |
| SHA512 | 85228be9bc801d412bab150f3238c95390e18ab5f3a88bbc2406a40818e7c4482e77462b4a302be78075b1b631d6ac4a5939b8040d3742d3b822361642f796bd |
memory/2224-16-0x0000000074580000-0x0000000074D30000-memory.dmp
memory/2224-17-0x0000000005630000-0x0000000005BD4000-memory.dmp
C:\Users\Admin\AppData\Roaming\Wservices.exe
| MD5 | de02ba99f65d07c4973b33fec5aefdac |
| SHA1 | 54419bd1e07a8e3ab393c55cf55570bc3fe2b526 |
| SHA256 | 05f0ad4df75e687b4a188f34e31a60afb0a772d32e51f6e77f62ec484e7cf35e |
| SHA512 | c38740af611109ebae7552045e4b1d88909840d54c91ad585adba52b2d36be806fde3f84c1cd18c086debe995ef5475faf9b53614ebe83fe56825c97a877d6d8 |
memory/2224-31-0x0000000074580000-0x0000000074D30000-memory.dmp
memory/4992-30-0x0000000074580000-0x0000000074D30000-memory.dmp
memory/4992-32-0x0000000074580000-0x0000000074D30000-memory.dmp
memory/4992-33-0x0000000004B40000-0x0000000004B50000-memory.dmp
memory/4992-34-0x0000000004840000-0x0000000004858000-memory.dmp
memory/4904-35-0x0000000000400000-0x000000000040C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Wservices.exe.log
| MD5 | e07efe3f1e4fcc39483a46d0644e1750 |
| SHA1 | 083566e513d8090982a8f2d2c57864f7e5eea721 |
| SHA256 | d35da5dbc639e94852448d93722de5260388abf8a0a6b80d947d8acf02209617 |
| SHA512 | e29fac6efce55130598dd9ca0be18e2934d8ed417087848f4c80c1754312f1dae2eb0fc3e85e58aa11abde23a221bdf8f6b80df3a9acad4891626f667f05b474 |
memory/4992-39-0x0000000074580000-0x0000000074D30000-memory.dmp
memory/4904-40-0x0000000074580000-0x0000000074D30000-memory.dmp
memory/4904-41-0x0000000074580000-0x0000000074D30000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-25 12:27
Reported
2024-03-25 12:29
Platform
win7-20240221-en
Max time kernel
129s
Max time network
120s
Command Line
Signatures
LimeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBIT Virus Maker 3.1 (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Wservices.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Wservices.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\de02ba99f65d07c4973b33fec5aefdac.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\de02ba99f65d07c4973b33fec5aefdac.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\de02ba99f65d07c4973b33fec5aefdac.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wservices.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Wservices.exe" | C:\Users\Admin\AppData\Local\Temp\de02ba99f65d07c4973b33fec5aefdac.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1612 set thread context of 580 | N/A | C:\Users\Admin\AppData\Roaming\Wservices.exe | C:\Users\Admin\AppData\Roaming\Wservices.exe |
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeraBIT Virus Maker 3.1 (1).exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\de02ba99f65d07c4973b33fec5aefdac.exe
"C:\Users\Admin\AppData\Local\Temp\de02ba99f65d07c4973b33fec5aefdac.exe"
C:\Users\Admin\AppData\Local\Temp\TeraBIT Virus Maker 3.1 (1).exe
"C:\Users\Admin\AppData\Local\Temp\TeraBIT Virus Maker 3.1 (1).exe"
C:\Users\Admin\AppData\Roaming\Wservices.exe
"C:\Users\Admin\AppData\Roaming\Wservices.exe"
C:\Users\Admin\AppData\Roaming\Wservices.exe
"C:\Users\Admin\AppData\Roaming\Wservices.exe"
Network
Files
memory/1704-0-0x0000000000400000-0x000000000059C000-memory.dmp
memory/1704-1-0x00000000741A0000-0x000000007488E000-memory.dmp
\Users\Admin\AppData\Local\Temp\TeraBIT Virus Maker 3.1 (1).exe
| MD5 | 5b7cbfc8d8bc22798ee4fc4aa4b03e3b |
| SHA1 | 76f643b3f67f76f4182ef18e43e298e2e8570044 |
| SHA256 | 35bcbae8dd3191cf58c48618d0cc43fb8fee8493e7c872d7742b4d499c383af9 |
| SHA512 | 85228be9bc801d412bab150f3238c95390e18ab5f3a88bbc2406a40818e7c4482e77462b4a302be78075b1b631d6ac4a5939b8040d3742d3b822361642f796bd |
memory/1704-13-0x00000000741A0000-0x000000007488E000-memory.dmp
\Users\Admin\AppData\Roaming\Wservices.exe
| MD5 | de02ba99f65d07c4973b33fec5aefdac |
| SHA1 | 54419bd1e07a8e3ab393c55cf55570bc3fe2b526 |
| SHA256 | 05f0ad4df75e687b4a188f34e31a60afb0a772d32e51f6e77f62ec484e7cf35e |
| SHA512 | c38740af611109ebae7552045e4b1d88909840d54c91ad585adba52b2d36be806fde3f84c1cd18c086debe995ef5475faf9b53614ebe83fe56825c97a877d6d8 |
memory/1612-22-0x00000000741A0000-0x000000007488E000-memory.dmp
memory/1704-21-0x00000000741A0000-0x000000007488E000-memory.dmp
memory/1612-23-0x00000000741A0000-0x000000007488E000-memory.dmp
memory/1612-24-0x0000000004B00000-0x0000000004B40000-memory.dmp
memory/1612-25-0x0000000000740000-0x0000000000758000-memory.dmp
memory/580-26-0x0000000000400000-0x000000000040C000-memory.dmp
memory/580-28-0x0000000000400000-0x000000000040C000-memory.dmp
memory/580-30-0x0000000000400000-0x000000000040C000-memory.dmp
memory/580-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/580-34-0x0000000000400000-0x000000000040C000-memory.dmp
memory/580-37-0x0000000000400000-0x000000000040C000-memory.dmp
memory/1612-38-0x00000000741A0000-0x000000007488E000-memory.dmp
memory/580-40-0x0000000000400000-0x000000000040C000-memory.dmp
memory/580-41-0x0000000074120000-0x000000007480E000-memory.dmp