Malware Analysis Report

2024-09-11 09:58

Sample ID 240424-k8jxgsgc75
Target 500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30
SHA256 500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30
Tags
limerat redline sectoprat stormkitty xworm ids infostealer persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30

Threat Level: Known bad

The file 500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30 was found to be: Known bad.

Malicious Activity Summary

limerat redline sectoprat stormkitty xworm ids infostealer persistence rat spyware stealer trojan

Xworm

StormKitty

StormKitty payload

Detect Xworm Payload

SectopRAT

RedLine payload

LimeRAT

RedLine

SectopRAT payload

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Drops startup file

Looks up external IP address via web service

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-04-24 09:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-24 09:16

Reported

2024-04-24 09:18

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

LimeRAT

rat limerat

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation C:\ProgramData\XClient.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\browser.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mstc.lnk C:\Users\Admin\AppData\Roaming\browser.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mstc.lnk C:\ProgramData\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mstc.lnk C:\ProgramData\XClient.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\XClient.exe N/A
N/A N/A C:\ProgramData\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\browser.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mstc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mstc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mstc.exe" C:\ProgramData\XClient.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mstc.exe" C:\Users\Admin\AppData\Roaming\browser.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\ProgramData\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\browser.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\XClient.exe N/A
N/A N/A C:\ProgramData\XClient.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\browser.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\browser.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProgramData\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\build.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\browser.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\browser.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mstc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mstc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\ProgramData\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\browser.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe C:\ProgramData\XClient.exe
PID 2192 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe C:\ProgramData\XClient.exe
PID 2192 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe C:\ProgramData\build.exe
PID 2192 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe C:\ProgramData\build.exe
PID 2192 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe C:\ProgramData\build.exe
PID 2988 wrote to memory of 2568 N/A C:\ProgramData\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2988 wrote to memory of 2568 N/A C:\ProgramData\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2988 wrote to memory of 4644 N/A C:\ProgramData\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2988 wrote to memory of 4644 N/A C:\ProgramData\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2988 wrote to memory of 3992 N/A C:\ProgramData\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2988 wrote to memory of 3992 N/A C:\ProgramData\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2988 wrote to memory of 4748 N/A C:\ProgramData\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2988 wrote to memory of 4748 N/A C:\ProgramData\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2988 wrote to memory of 4032 N/A C:\ProgramData\XClient.exe C:\Windows\System32\schtasks.exe
PID 2988 wrote to memory of 4032 N/A C:\ProgramData\XClient.exe C:\Windows\System32\schtasks.exe
PID 2988 wrote to memory of 4248 N/A C:\ProgramData\XClient.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2988 wrote to memory of 4248 N/A C:\ProgramData\XClient.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2988 wrote to memory of 2680 N/A C:\ProgramData\XClient.exe C:\Users\Admin\AppData\Roaming\browser.exe
PID 2988 wrote to memory of 2680 N/A C:\ProgramData\XClient.exe C:\Users\Admin\AppData\Roaming\browser.exe
PID 2680 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Roaming\browser.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2680 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Roaming\browser.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2680 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\browser.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2680 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Roaming\browser.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2680 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Roaming\browser.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2680 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Roaming\browser.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2680 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Roaming\browser.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2680 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Roaming\browser.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2680 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Roaming\browser.exe C:\Windows\System32\schtasks.exe
PID 2680 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Roaming\browser.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe

"C:\Users\Admin\AppData\Local\Temp\500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe"

C:\ProgramData\XClient.exe

"C:\ProgramData\XClient.exe"

C:\ProgramData\build.exe

"C:\ProgramData\build.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mstc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mstc.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "mstc" /tr "C:\Users\Admin\AppData\Local\Temp\mstc.exe"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\browser.exe'"

C:\Users\Admin\AppData\Roaming\browser.exe

"C:\Users\Admin\AppData\Roaming\browser.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\browser.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'browser.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mstc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mstc.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "mstc" /tr "C:\Users\Admin\AppData\Local\Temp\mstc.exe"

C:\Users\Admin\AppData\Local\Temp\mstc.exe

C:\Users\Admin\AppData\Local\Temp\mstc.exe

C:\Users\Admin\AppData\Local\Temp\mstc.exe

C:\Users\Admin\AppData\Local\Temp\mstc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
NL 91.92.252.220:9078 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 198.32.209.4.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
NL 23.62.61.185:443 www.bing.com tcp
US 8.8.8.8:53 185.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 91.92.252.220:9078 tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
NL 91.92.252.220:9078 tcp
NL 91.92.252.220:7000 tcp
US 8.8.8.8:53 220.252.92.91.in-addr.arpa udp
NL 91.92.252.220:9078 tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
NL 91.92.252.220:9078 tcp
US 8.8.8.8:53 50.139.73.23.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 91.92.252.220:9078 tcp
NL 91.92.252.220:7000 tcp
NL 91.92.252.220:9078 tcp
NL 91.92.252.220:9078 tcp
NL 91.92.252.220:9078 tcp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
NL 91.92.252.220:9078 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
NL 91.92.252.220:9078 tcp
NL 91.92.252.220:9078 tcp
NL 91.92.252.220:9078 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
NL 91.92.252.220:9078 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
NL 91.92.252.220:9078 tcp
NL 91.92.252.220:9078 tcp
NL 91.92.252.220:9078 tcp
NL 91.92.252.220:9078 tcp
NL 91.92.252.220:9078 tcp
NL 91.92.252.220:9078 tcp
NL 91.92.252.220:9078 tcp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp

Files

memory/2192-0-0x0000000000B10000-0x0000000000B48000-memory.dmp

memory/2192-2-0x00007FFE4B920000-0x00007FFE4C3E1000-memory.dmp

C:\ProgramData\XClient.exe

MD5 5b7ac9829cdca0b5e82604191dcc1d4e
SHA1 5e944b6afea5db67b4d272a7b02bdf5501ca213f
SHA256 bc8306a6f60583de0b2a2818f1f9d1df8e80ef29dcf46b9471e4697f219e1251
SHA512 505491b019e948b14500867e927c9ab48642571733b944afc054922ed46a25eebbfae1615500e4755b0f022e5993cc4bd5124cf27c218a118070812e92bc1b33

C:\ProgramData\build.exe

MD5 d32bddd3639f42733a78945885002128
SHA1 6dcfc09b8c86e79ac70a63132a5162d3616c6479
SHA256 34dac9b900a3c810e466f9cac9ba5f0a062ff2be7719fc443cb23d0f8ac0390e
SHA512 b28fc39e77245d5a52ae5d25ac363c95db8b20a960caabc7aa4f3339b2a8d27f7f92846e2a4173fd0f776be4034fbfe5e60b375eebb465dbe78017d8479ad511

memory/2988-21-0x0000000000E80000-0x0000000000E9C000-memory.dmp

memory/2192-26-0x00007FFE4B920000-0x00007FFE4C3E1000-memory.dmp

memory/2988-25-0x00007FFE4B920000-0x00007FFE4C3E1000-memory.dmp

memory/4928-29-0x0000000074EE0000-0x0000000075690000-memory.dmp

memory/4928-28-0x0000000000200000-0x000000000021E000-memory.dmp

memory/4928-30-0x00000000051C0000-0x00000000057D8000-memory.dmp

memory/4928-31-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

memory/4928-32-0x0000000004C30000-0x0000000004C6C000-memory.dmp

memory/4928-33-0x00000000025A0000-0x00000000025B0000-memory.dmp

memory/4928-34-0x0000000004C70000-0x0000000004CBC000-memory.dmp

memory/4928-35-0x0000000004ED0000-0x0000000004FDA000-memory.dmp

memory/2988-36-0x00000000031F0000-0x0000000003200000-memory.dmp

memory/2568-37-0x00007FFE4B920000-0x00007FFE4C3E1000-memory.dmp

memory/2568-38-0x000001C29C2E0000-0x000001C29C2F0000-memory.dmp

memory/2568-39-0x000001C29C2E0000-0x000001C29C2F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jlpmr10b.wli.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2568-49-0x000001C29CDA0000-0x000001C29CDC2000-memory.dmp

memory/2568-52-0x00007FFE4B920000-0x00007FFE4C3E1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 440cb38dbee06645cc8b74d51f6e5f71
SHA1 d7e61da91dc4502e9ae83281b88c1e48584edb7c
SHA256 8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe
SHA512 3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

memory/4644-54-0x00007FFE4B920000-0x00007FFE4C3E1000-memory.dmp

memory/4644-55-0x000002056F040000-0x000002056F050000-memory.dmp

memory/4644-56-0x000002056F040000-0x000002056F050000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e6b9e03dcde217fc7d1692b3d65233d7
SHA1 67367ef59dbc1661ff29d6fe5ce3ed3d39678044
SHA256 790c142b39325b5bcf07c2d7b8afb8fb3b6f8c1e99a39ce5870b2ef043d8cfdd
SHA512 8f34d037a97f1131ff9863c10ff7cf7f029c2973c5f32fcee1751cd47a5b7cfc3bf5b6c30ada08f3793918e600d4a45f8cb8d22502b693c6a9aeba9d0d504410

memory/4644-67-0x000002056F040000-0x000002056F050000-memory.dmp

memory/4644-69-0x00007FFE4B920000-0x00007FFE4C3E1000-memory.dmp

memory/3992-70-0x00007FFE4B920000-0x00007FFE4C3E1000-memory.dmp

memory/3992-71-0x00000246A6C10000-0x00000246A6C20000-memory.dmp

memory/3992-72-0x00000246A6C10000-0x00000246A6C20000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dbb22d95851b93abf2afe8fb96a8e544
SHA1 920ec5fdb323537bcf78f7e29a4fc274e657f7a4
SHA256 e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465
SHA512 16031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc

memory/3992-84-0x00007FFE4B920000-0x00007FFE4C3E1000-memory.dmp

memory/4748-85-0x00007FFE4B920000-0x00007FFE4C3E1000-memory.dmp

memory/2988-86-0x00007FFE4B920000-0x00007FFE4C3E1000-memory.dmp

memory/4748-87-0x000001776B740000-0x000001776B750000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cae60f0ddddac635da71bba775a2c5b4
SHA1 386f1a036af61345a7d303d45f5230e2df817477
SHA256 b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16
SHA512 28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

memory/4748-99-0x000001776B740000-0x000001776B750000-memory.dmp

memory/4928-98-0x0000000074EE0000-0x0000000075690000-memory.dmp

memory/4748-101-0x00007FFE4B920000-0x00007FFE4C3E1000-memory.dmp

memory/4928-106-0x00000000025A0000-0x00000000025B0000-memory.dmp

memory/2988-107-0x00000000031F0000-0x0000000003200000-memory.dmp

memory/2988-108-0x000000001D520000-0x000000001D52C000-memory.dmp

memory/2988-109-0x000000001EC90000-0x000000001EFE0000-memory.dmp

memory/2988-110-0x000000001EFE0000-0x000000001F0FE000-memory.dmp

memory/2988-163-0x00007FFE4B920000-0x00007FFE4C3E1000-memory.dmp

memory/2680-162-0x00007FFE4B920000-0x00007FFE4C3E1000-memory.dmp

memory/2680-164-0x000000001B9A0000-0x000000001B9B0000-memory.dmp

memory/1356-165-0x00007FFE4B920000-0x00007FFE4C3E1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 15dde0683cd1ca19785d7262f554ba93
SHA1 d039c577e438546d10ac64837b05da480d06bf69
SHA256 d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961
SHA512 57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

memory/1356-177-0x00007FFE4B920000-0x00007FFE4C3E1000-memory.dmp

memory/2464-178-0x00007FFE4B920000-0x00007FFE4C3E1000-memory.dmp

memory/2464-179-0x000001C841E60000-0x000001C841E70000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d7b8fb3b4eb9e5513fa1a273e613b817
SHA1 58273b4372810d70d1dc52f09907952d0ee28488
SHA256 bc17d2fadb38424043681010c51e123738d2d3c9a6892d0fa91d96b9f8ffd194
SHA512 c8402c01cb5521f8d826f80d7cba33431e8534818bb4e89af1c2c8e28104c46d234a1f66e4ec58a4b46e7391a81e9d1c1b73e5c85e20c06147adf488ac17a70c

memory/2464-190-0x000001C841E60000-0x000001C841E70000-memory.dmp

memory/2464-192-0x00007FFE4B920000-0x00007FFE4C3E1000-memory.dmp

memory/3904-193-0x00007FFE4B920000-0x00007FFE4C3E1000-memory.dmp

memory/3904-194-0x000002C45A820000-0x000002C45A830000-memory.dmp

memory/3904-195-0x000002C45A820000-0x000002C45A830000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 34f595487e6bfd1d11c7de88ee50356a
SHA1 4caad088c15766cc0fa1f42009260e9a02f953bb
SHA256 0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
SHA512 10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

memory/3904-206-0x000002C45A820000-0x000002C45A830000-memory.dmp

memory/3904-208-0x00007FFE4B920000-0x00007FFE4C3E1000-memory.dmp

memory/3580-214-0x00007FFE4B920000-0x00007FFE4C3E1000-memory.dmp

memory/3580-220-0x0000028E7D780000-0x0000028E7D790000-memory.dmp

memory/3580-215-0x0000028E7D780000-0x0000028E7D790000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e60eb305a7b2d9907488068b7065abd3
SHA1 1643dd7f915ac50c75bc01c53d68c5dafb9ce28d
SHA256 ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135
SHA512 95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

memory/3580-224-0x00007FFE4B920000-0x00007FFE4C3E1000-memory.dmp

memory/2680-223-0x00007FFE4B920000-0x00007FFE4C3E1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mstc.lnk

MD5 6179671de71480eaf90e8264dd4482a1
SHA1 7d5168fa6bbf7e9e863da27e179f06c98da13007
SHA256 1a7fc9d084a8a6677fca31479d507f6b4e6abb718b6d788cc647c0fa8144022f
SHA512 47c0d6c94527ef5760080d493b411ca252d3591731a3b7835334457b6ecc5822cb7daee4e0e0a9647235f0ed4edc756da00ff869798c1fc4fcaeb02a835ace00

memory/2680-230-0x000000001B9A0000-0x000000001B9B0000-memory.dmp

memory/4492-233-0x00007FFE4B920000-0x00007FFE4C3E1000-memory.dmp

memory/4492-235-0x00007FFE4B920000-0x00007FFE4C3E1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\mstc.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

memory/1640-238-0x00007FFE4B920000-0x00007FFE4C3E1000-memory.dmp

memory/1640-239-0x00007FFE4B920000-0x00007FFE4C3E1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-24 09:16

Reported

2024-04-24 09:18

Platform

win11-20240412-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

LimeRAT

rat limerat

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mstc.lnk C:\ProgramData\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mstc.lnk C:\ProgramData\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mstc.lnk C:\Users\Admin\AppData\Roaming\browser.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\XClient.exe N/A
N/A N/A C:\ProgramData\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\browser.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mstc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mstc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mstc.exe" C:\ProgramData\XClient.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mstc.exe" C:\Users\Admin\AppData\Roaming\browser.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\ProgramData\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\browser.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\XClient.exe N/A
N/A N/A C:\ProgramData\XClient.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\browser.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProgramData\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\build.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\browser.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\browser.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mstc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mstc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\ProgramData\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\browser.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4412 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe C:\ProgramData\XClient.exe
PID 4412 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe C:\ProgramData\XClient.exe
PID 4412 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe C:\ProgramData\build.exe
PID 4412 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe C:\ProgramData\build.exe
PID 4412 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe C:\ProgramData\build.exe
PID 2660 wrote to memory of 2352 N/A C:\ProgramData\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2660 wrote to memory of 2352 N/A C:\ProgramData\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2660 wrote to memory of 4972 N/A C:\ProgramData\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2660 wrote to memory of 4972 N/A C:\ProgramData\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2660 wrote to memory of 1568 N/A C:\ProgramData\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2660 wrote to memory of 1568 N/A C:\ProgramData\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2660 wrote to memory of 1064 N/A C:\ProgramData\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2660 wrote to memory of 1064 N/A C:\ProgramData\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2660 wrote to memory of 1344 N/A C:\ProgramData\XClient.exe C:\Windows\System32\schtasks.exe
PID 2660 wrote to memory of 1344 N/A C:\ProgramData\XClient.exe C:\Windows\System32\schtasks.exe
PID 2660 wrote to memory of 4320 N/A C:\ProgramData\XClient.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2660 wrote to memory of 4320 N/A C:\ProgramData\XClient.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2660 wrote to memory of 3800 N/A C:\ProgramData\XClient.exe C:\Users\Admin\AppData\Roaming\browser.exe
PID 2660 wrote to memory of 3800 N/A C:\ProgramData\XClient.exe C:\Users\Admin\AppData\Roaming\browser.exe
PID 3800 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Roaming\browser.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3800 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Roaming\browser.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3800 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Roaming\browser.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3800 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Roaming\browser.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3800 wrote to memory of 128 N/A C:\Users\Admin\AppData\Roaming\browser.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3800 wrote to memory of 128 N/A C:\Users\Admin\AppData\Roaming\browser.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3800 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Roaming\browser.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3800 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Roaming\browser.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3800 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Roaming\browser.exe C:\Windows\System32\schtasks.exe
PID 3800 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Roaming\browser.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe

"C:\Users\Admin\AppData\Local\Temp\500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe"

C:\ProgramData\XClient.exe

"C:\ProgramData\XClient.exe"

C:\ProgramData\build.exe

"C:\ProgramData\build.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mstc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mstc.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "mstc" /tr "C:\Users\Admin\AppData\Local\Temp\mstc.exe"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\browser.exe'"

C:\Users\Admin\AppData\Roaming\browser.exe

"C:\Users\Admin\AppData\Roaming\browser.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\browser.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'browser.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mstc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mstc.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "mstc" /tr "C:\Users\Admin\AppData\Local\Temp\mstc.exe"

C:\Users\Admin\AppData\Local\Temp\mstc.exe

C:\Users\Admin\AppData\Local\Temp\mstc.exe

C:\Users\Admin\AppData\Local\Temp\mstc.exe

C:\Users\Admin\AppData\Local\Temp\mstc.exe

Network

Country Destination Domain Proto
NL 91.92.252.220:9078 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 91.92.252.220:9078 tcp
NL 91.92.252.220:7000 tcp
NL 91.92.252.220:9078 tcp
NL 91.92.252.220:9078 tcp
NL 91.92.252.220:9078 tcp
US 208.95.112.1:80 ip-api.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 91.92.252.220:9078 tcp
NL 91.92.252.220:7000 tcp
NL 91.92.252.220:9078 tcp
NL 91.92.252.220:9078 tcp
NL 91.92.252.220:9078 tcp
NL 91.92.252.220:9078 tcp
NL 91.92.252.220:9078 tcp
NL 91.92.252.220:9078 tcp
NL 91.92.252.220:9078 tcp
NL 91.92.252.220:9078 tcp
NL 91.92.252.220:9078 tcp
NL 91.92.252.220:9078 tcp
NL 91.92.252.220:9078 tcp
NL 91.92.252.220:9078 tcp
NL 91.92.252.220:9078 tcp
NL 91.92.252.220:9078 tcp

Files

memory/4412-0-0x00000000000E0000-0x0000000000118000-memory.dmp

memory/4412-3-0x00007FF868A90000-0x00007FF869552000-memory.dmp

C:\ProgramData\XClient.exe

MD5 5b7ac9829cdca0b5e82604191dcc1d4e
SHA1 5e944b6afea5db67b4d272a7b02bdf5501ca213f
SHA256 bc8306a6f60583de0b2a2818f1f9d1df8e80ef29dcf46b9471e4697f219e1251
SHA512 505491b019e948b14500867e927c9ab48642571733b944afc054922ed46a25eebbfae1615500e4755b0f022e5993cc4bd5124cf27c218a118070812e92bc1b33

C:\ProgramData\build.exe

MD5 d32bddd3639f42733a78945885002128
SHA1 6dcfc09b8c86e79ac70a63132a5162d3616c6479
SHA256 34dac9b900a3c810e466f9cac9ba5f0a062ff2be7719fc443cb23d0f8ac0390e
SHA512 b28fc39e77245d5a52ae5d25ac363c95db8b20a960caabc7aa4f3339b2a8d27f7f92846e2a4173fd0f776be4034fbfe5e60b375eebb465dbe78017d8479ad511

memory/2660-24-0x00007FF868A90000-0x00007FF869552000-memory.dmp

memory/2660-26-0x00000000003D0000-0x00000000003EC000-memory.dmp

memory/4412-25-0x00007FF868A90000-0x00007FF869552000-memory.dmp

memory/3348-29-0x00000000744C0000-0x0000000074C71000-memory.dmp

memory/3348-28-0x0000000000B10000-0x0000000000B2E000-memory.dmp

memory/3348-30-0x0000000005C00000-0x0000000006218000-memory.dmp

memory/3348-31-0x0000000005590000-0x00000000055A2000-memory.dmp

memory/3348-32-0x0000000005620000-0x000000000565C000-memory.dmp

memory/3348-33-0x00000000055D0000-0x00000000055E0000-memory.dmp

memory/3348-34-0x0000000005660000-0x00000000056AC000-memory.dmp

memory/3348-35-0x00000000058A0000-0x00000000059AA000-memory.dmp

memory/2660-36-0x000000001B0C0000-0x000000001B0D0000-memory.dmp

memory/2352-37-0x00007FF868A90000-0x00007FF869552000-memory.dmp

memory/2352-38-0x00000112B04E0000-0x00000112B04F0000-memory.dmp

memory/2352-39-0x00000112B04E0000-0x00000112B04F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3azhpllv.0bw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2352-42-0x00000112C8B90000-0x00000112C8BB2000-memory.dmp

memory/2352-51-0x00007FF868A90000-0x00007FF869552000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

memory/4972-58-0x00007FF868A90000-0x00007FF869552000-memory.dmp

memory/4972-59-0x0000023768F10000-0x0000023768F20000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA1 9910190edfaccece1dfcc1d92e357772f5dae8f7
SHA256 0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA512 5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

memory/4972-64-0x0000023768F10000-0x0000023768F20000-memory.dmp

memory/2660-65-0x00007FF868A90000-0x00007FF869552000-memory.dmp

memory/4972-69-0x00007FF868A90000-0x00007FF869552000-memory.dmp

memory/4972-68-0x0000023768F10000-0x0000023768F20000-memory.dmp

memory/3348-67-0x00000000744C0000-0x0000000074C71000-memory.dmp

memory/1568-78-0x00007FF868A90000-0x00007FF869552000-memory.dmp

memory/1568-79-0x000002867F540000-0x000002867F550000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 051a74485331f9d9f5014e58ec71566c
SHA1 4ed0256a84f2e95609a0b4d5c249bca624db8fe4
SHA256 3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888
SHA512 1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d

memory/3348-82-0x00000000055D0000-0x00000000055E0000-memory.dmp

memory/1568-81-0x000002867F540000-0x000002867F550000-memory.dmp

memory/2660-83-0x000000001B0C0000-0x000000001B0D0000-memory.dmp

memory/1568-85-0x00007FF868A90000-0x00007FF869552000-memory.dmp

memory/1064-95-0x0000019BB12E0000-0x0000019BB12F0000-memory.dmp

memory/1064-94-0x00007FF868A90000-0x00007FF869552000-memory.dmp

memory/1064-96-0x0000019BB12E0000-0x0000019BB12F0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1189a72e42e2321edf1ed3a8d5568687
SHA1 a2142fc754d6830de107d9d46f398483156f16a6
SHA256 009aee0a5f2d25ed79160e75cde58722def11663334ed20283e3afca32f971ea
SHA512 b1eb9b7aa7a57d0acec93b8152229b1f274a8d1b8f19133513486587f39b0636a9df89ddc6c2013e001d831f2b23cd0bb0fc084131824ea8e1dff134cd6d4f29

memory/1064-98-0x0000019BB12E0000-0x0000019BB12F0000-memory.dmp

memory/1064-100-0x00007FF868A90000-0x00007FF869552000-memory.dmp

memory/2660-105-0x000000001CF50000-0x000000001D06E000-memory.dmp

memory/2660-144-0x000000001D270000-0x000000001D5C0000-memory.dmp

memory/2660-145-0x000000001BFE0000-0x000000001BFEC000-memory.dmp

memory/2660-160-0x00007FF868A90000-0x00007FF869552000-memory.dmp

memory/3800-159-0x00007FF868A90000-0x00007FF869552000-memory.dmp

memory/3800-161-0x000000001B530000-0x000000001B540000-memory.dmp

memory/1592-162-0x00007FF868A90000-0x00007FF869552000-memory.dmp

memory/1592-164-0x000001ED98C00000-0x000001ED98C10000-memory.dmp

memory/1592-163-0x000001ED98C00000-0x000001ED98C10000-memory.dmp

memory/1592-174-0x000001ED98C00000-0x000001ED98C10000-memory.dmp

memory/1592-176-0x00007FF868A90000-0x00007FF869552000-memory.dmp

memory/5016-177-0x00007FF868A90000-0x00007FF869552000-memory.dmp

memory/5016-178-0x00000216001F0000-0x0000021600200000-memory.dmp

memory/5016-179-0x00000216001F0000-0x0000021600200000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4a7f03a7ad1cae046d8ceac04256e5ae
SHA1 ef0bf767c91cba32b33c0b48f74f5eb153ae43d3
SHA256 e8aa3162f519e3670b0fc79dfbeeca68ea2b65a17900cf3aafc6a48de3296d60
SHA512 382a91848be121734bce9f533bcb4747e5f21db5b1ea5dfc8cc567005f5be0f1dcc73a55516b83feb931cdc90601ed4d36fb890687f08e1056ff98da2365f01d

memory/5016-189-0x00000216001F0000-0x0000021600200000-memory.dmp

memory/5016-190-0x00000216001F0000-0x0000021600200000-memory.dmp

memory/5016-192-0x00007FF868A90000-0x00007FF869552000-memory.dmp

memory/128-201-0x00007FF868A90000-0x00007FF869552000-memory.dmp

memory/128-202-0x000002145B620000-0x000002145B630000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 15cba9af0569043c070ef13f57e66645
SHA1 3d95c089505a02d4f68df724d1eeb150959bd4aa
SHA256 acd8646d89455f2a58f8565aed21a3523d4614bce8986e3d2f6d86334a443a17
SHA512 7aa7e2afcdee48bed8fd6913911420ee6772c0cf31c206d2f2b77e34f06d03b80ade4e9c691b0aed278276321be410475f74af966fde70e27ea6cb7a4630fdbe

memory/128-204-0x000002145B620000-0x000002145B630000-memory.dmp

memory/3800-205-0x00007FF868A90000-0x00007FF869552000-memory.dmp

memory/128-206-0x000002145B620000-0x000002145B630000-memory.dmp

memory/128-208-0x00007FF868A90000-0x00007FF869552000-memory.dmp

memory/3800-209-0x000000001B530000-0x000000001B540000-memory.dmp

memory/2756-215-0x00007FF868A90000-0x00007FF869552000-memory.dmp

memory/2756-219-0x00000222F8900000-0x00000222F8910000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aa6b748cd8f3e3c0e41549529b919e21
SHA1 5a4b9721f9fb5042f6ef7afd698d5ac5216a88bb
SHA256 d7d665a42f940443efb28eb231dfe1c4062394e71fba145d6eea9ec075b0f0e8
SHA512 361c523f49428a7e430279099e669a1a8af8764653f42e83105c0da3f8e8dd3be6c1719ea8c158d8f2e8425d74457147a4683190eb4a67019b9d02be44c13534

memory/2756-221-0x00000222F8900000-0x00000222F8910000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mstc.lnk

MD5 621d7d1f292cc7cc954c1be9d3919e26
SHA1 f709611a510ee7dd387b133f833d117bd09cbfb0
SHA256 61eefc7b7f4c499d9c4b139edda5b5494f8b7b0af059d8ed9b46f7d2f74a25ca
SHA512 a7edf735f0c24d73e6df3f00f4d0021d0da0cc325ba74f39a99765557756378a7b4ccf656366ec7fdc8c32b9ce851ccbe62fa51791ad14f04d83da0cb683e949

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\mstc.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9