Analysis

max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 01-05-2024 12:11

Behavioral task: behavioral1
Sample: 67071B5DA1FB59324066982123ED7F68.exe
Resource: win7-20231129-en (windows7-x64)
4 signatures, 150 seconds
General

Target: 67071B5DA1FB59324066982123ED7F68.exe
Size: 28KB
MD5: 67071b5da1fb59324066982123ed7f68
SHA1: 69dd9ef68544298fefc72ea1d9fbd363049d23b3
SHA256: d938672b5d4f3a25c48474597752ff5f8af36472802a2c6767b2e7dd18506c71
SHA512: 7a9397b74550fe437849dbb88de5662e4750a96a07eff5684776c8f7400239419916770f158ebeab08c9b94bd6f8ed6c0e3bf80a6fbdfbc9db07ae2beb96122e
SSDEEP: 384:eB+Sbj6NKWh8/6DfAH94WOqDiGyChhVX7xAvDKNrCeJE3WNgPQXZxx+Jjvf9/H2S:UpWK/6Dfw9OGyChhx7xu45NXGrdNpj
Malware Config

Extracted
Family: limerat
Attributes
aes_key: X9twY2806eGrw9+Sl098AQ==
antivm: false
c2_url: https://pastebin.com/raw/ZwyPz8sa
delay: 3
download_payload: false
install: false
install_name: Wservices.exe
main_folder: Temp
pin_spread: false
sub_folder: \
usb_spread: false

Extracted
Family: limerat
Attributes
antivm: false
c2_url: https://pastebin.com/raw/ZwyPz8sa
download_payload: false
install: false
pin_spread: false
usb_spread: false
Signatures

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 5 IoCs)
flow  ioc
15    0.tcp.eu.ngrok.io
17    0.tcp.eu.ngrok.io
4     pastebin.com
5     pastebin.com
13    0.tcp.eu.ngrok.io
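Added example, not part of the sandbox report or of the LimeRAT sample: a short Python script that turns the flattened config block and the "flow ioc" line above into one indicator row per host, decodes the base64 aes_key to confirm it is an AES-sized key, and flags hosts that belong to legitimate services being used as C2 infrastructure. The input values are copied from the report's first Extracted block and from the Signatures section; the LEGIT_HOSTING table, its role names and the row layout are assumptions made for this example. LimeRAT is commonly built with a Pastebin raw link as a dead-drop resolver that returns the real C2 endpoint, which is consistent with the pastebin.com flows (4, 5) preceding the ngrok connections (13, 15, 17) here; the script only records which host is the configured c2_url and which were merely observed, it never fetches the URL.

```python
"""Normalise a sandbox report's LimeRAT config and flow IoCs into hunting indicators."""
import base64
import re
from urllib.parse import urlparse

# Constructed input: the flattened "Extracted / Attributes" block from the
# report's Malware Config section, one token per line, "-" separators included.
CONFIG_LINES = [
    "-", "aes_key", "X9twY2806eGrw9+Sl098AQ==",
    "-", "antivm", "false",
    "-", "c2_url", "https://pastebin.com/raw/ZwyPz8sa",
    "-", "delay", "3",
    "-", "download_payload", "false",
    "-", "install", "false",
    "-", "install_name", "Wservices.exe",
    "-", "main_folder", "Temp",
    "-", "pin_spread", "false",
    "-", "sub_folder", "\\",
    "-", "usb_spread", "false",
]

# Constructed input: the "flow ioc" line from the Signatures section, as extracted.
FLOW_TEXT = ("15 0.tcp.eu.ngrok.io 17 0.tcp.eu.ngrok.io 4 pastebin.com "
             "5 pastebin.com 13 0.tcp.eu.ngrok.io")

# Assumption for this example (not a sandbox field): third-party services whose
# appearance in C2 traffic means abuse of legitimate hosting, keyed by domain suffix.
LEGIT_HOSTING = {"pastebin.com": "dead-drop resolver", "ngrok.io": "tunnel endpoint"}


def parse_config(lines):
    """Turn the flattened key/value token list into a typed dict."""
    tokens = [t.strip() for t in lines if t.strip() and t.strip() != "-"]
    if len(tokens) % 2:
        raise ValueError("odd number of tokens: a key has no value")
    cfg = {}
    for key, raw in zip(tokens[0::2], tokens[1::2]):
        if raw in ("true", "false"):
            cfg[key] = raw == "true"
        elif raw.isdigit():
            cfg[key] = int(raw)
        else:
            cfg[key] = raw
    return cfg


def aes_key_bytes(b64_key):
    """Decode the base64 aes_key; only a 16/24/32-byte result is a valid AES key."""
    key = base64.b64decode(b64_key, validate=True)
    if len(key) not in (16, 24, 32):
        raise ValueError(f"decoded key is {len(key)} bytes, not an AES key length")
    return key


def parse_flows(flow_text):
    """Map each host in the 'flow ioc' line to the sorted flow ids that touched it."""
    flows = {}
    for flow_id, host in re.findall(r"(\d+)\s+(\S+)", flow_text):
        flows.setdefault(host, []).append(int(flow_id))
    return {host: sorted(ids) for host, ids in flows.items()}


def classify_host(host):
    """Return the abused-service role for host, or None if it is not a listed service."""
    for suffix, role in LEGIT_HOSTING.items():
        if host == suffix or host.endswith("." + suffix):
            return role
    return None


def build_indicators(cfg, flow_text):
    """Join the configured c2_url host with the observed flows: one row per host."""
    rows = {host: {"flows": ids, "in_config": False}
            for host, ids in parse_flows(flow_text).items()}
    c2_host = urlparse(cfg["c2_url"]).hostname
    rows.setdefault(c2_host, {"flows": [], "in_config": False})["in_config"] = True
    for host, row in rows.items():
        row["service"] = classify_host(host)
    return rows


if __name__ == "__main__":
    config = parse_config(CONFIG_LINES)
    print(f"aes_key decodes to {len(aes_key_bytes(config['aes_key']))} bytes")
    for host, row in build_indicators(config, FLOW_TEXT).items():
        print(host, row)
```

A host that is both in_config and on the LEGIT_HOSTING list (pastebin.com here) is the dead-drop resolver, not the attacker's own server; blocking it alone leaves the tunnel endpoint reachable if the bot already resolved it, so both rows belong in the block list.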
Suspicious behavior: EnumeratesProcesses (24 IoCs)
pid   Process
2512  67071B5DA1FB59324066982123ED7F68.exe (24 occurrences)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2512  67071B5DA1FB59324066982123ED7F68.exe
Token: SeDebugPrivilege  2512  67071B5DA1FB59324066982123ED7F68.exe