Analysis Overview
SHA256
76ccff988772b8703f093376be4b17204eb75ea5c94bfd698a956d03623826e4
Threat Level: Known bad
The file Google.bin.zip was found to be: Known bad.
Malicious Activity Summary
LimeRAT
Limerat family
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-11 13:06
Signatures
Limerat family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-11 13:06
Reported
2024-05-11 13:12
Platform
win7-20240221-en
Max time kernel
297s
Max time network
302s
Signatures
LimeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\system\Google.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Google.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Google.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\system\Google.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\system\Google.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Google.exe
"C:\Users\Admin\AppData\Local\Temp\Google.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\system\Google.exe'"
C:\Users\Admin\AppData\Local\Temp\system\Google.exe
"C:\Users\Admin\AppData\Local\Temp\system\Google.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| N/A | 127.0.0.1:4577 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\system\Google.exe
| MD5 | cc893a8b514d6874965dd29c0c473732 |
| SHA1 | 69f56d454e6facba1eadffbdc7c2bf826b01ceaf |
| SHA256 | 369caea879ce15a7146b74e59ac7e172faa742d053634bfa436637c150c0c85a |
| SHA512 | 9ce978051ec948e2178a2cbbaf3b72d8367b0b711772ab7c903c34362c0ad848d152fd73babdeca5b86a775460075f526e42ddd4a0062b7b0330b45d495ac9e9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-11 13:06
Reported
2024-05-11 13:12
Platform
win10-20240404-en
Max time kernel
297s
Max time network
299s
Signatures
LimeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\system\Google.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\system\Google.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\system\Google.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 420 wrote to memory of 1516 | N/A | C:\Users\Admin\AppData\Local\Temp\Google.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 420 wrote to memory of 1516 | N/A | C:\Users\Admin\AppData\Local\Temp\Google.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 420 wrote to memory of 1516 | N/A | C:\Users\Admin\AppData\Local\Temp\Google.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 420 wrote to memory of 4772 | N/A | C:\Users\Admin\AppData\Local\Temp\Google.exe | C:\Users\Admin\AppData\Local\Temp\system\Google.exe |
| PID 420 wrote to memory of 4772 | N/A | C:\Users\Admin\AppData\Local\Temp\Google.exe | C:\Users\Admin\AppData\Local\Temp\system\Google.exe |
| PID 420 wrote to memory of 4772 | N/A | C:\Users\Admin\AppData\Local\Temp\Google.exe | C:\Users\Admin\AppData\Local\Temp\system\Google.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Google.exe
"C:\Users\Admin\AppData\Local\Temp\Google.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\system\Google.exe'"
C:\Users\Admin\AppData\Local\Temp\system\Google.exe
"C:\Users\Admin\AppData\Local\Temp\system\Google.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| N/A | 127.0.0.1:4577 | | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\system\Google.exe
| MD5 | cc893a8b514d6874965dd29c0c473732 |
| SHA1 | 69f56d454e6facba1eadffbdc7c2bf826b01ceaf |
| SHA256 | 369caea879ce15a7146b74e59ac7e172faa742d053634bfa436637c150c0c85a |
| SHA512 | 9ce978051ec948e2178a2cbbaf3b72d8367b0b711772ab7c903c34362c0ad848d152fd73babdeca5b86a775460075f526e42ddd4a0062b7b0330b45d495ac9e9 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Google.exe.log
| MD5 | f49074d03bf7a1147e09523a879f96e5 |
| SHA1 | c0296087924e258a80bd85cc351370becde0d8cf |
| SHA256 | 6b2164baa4e0fe1e3b0fe1094483d2f28a73694e4b0e07c03a90b01ffe582c65 |
| SHA512 | bfbbd8881c2df740997613d08e8e582cd9788b91fbcc3c06c196c0acc1a20109cd94e987b8f08fd2fc396d377dd6d7dc4144877f996db2c7bd97ac0c9a300648 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-11 13:06
Reported
2024-05-11 13:12
Platform
win10v2004-20240426-en
Max time kernel
300s
Max time network
298s
Signatures
LimeRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Google.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\system\Google.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\system\Google.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\system\Google.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 920 wrote to memory of 652 | N/A | C:\Users\Admin\AppData\Local\Temp\Google.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 920 wrote to memory of 652 | N/A | C:\Users\Admin\AppData\Local\Temp\Google.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 920 wrote to memory of 652 | N/A | C:\Users\Admin\AppData\Local\Temp\Google.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 920 wrote to memory of 4396 | N/A | C:\Users\Admin\AppData\Local\Temp\Google.exe | C:\Users\Admin\AppData\Local\Temp\system\Google.exe |
| PID 920 wrote to memory of 4396 | N/A | C:\Users\Admin\AppData\Local\Temp\Google.exe | C:\Users\Admin\AppData\Local\Temp\system\Google.exe |
| PID 920 wrote to memory of 4396 | N/A | C:\Users\Admin\AppData\Local\Temp\Google.exe | C:\Users\Admin\AppData\Local\Temp\system\Google.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Google.exe
"C:\Users\Admin\AppData\Local\Temp\Google.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\system\Google.exe'"
C:\Users\Admin\AppData\Local\Temp\system\Google.exe
"C:\Users\Admin\AppData\Local\Temp\system\Google.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| N/A | 127.0.0.1:4577 | | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| BE | 2.17.196.96:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 13.89.179.10:443 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\system\Google.exe
| MD5 | cc893a8b514d6874965dd29c0c473732 |
| SHA1 | 69f56d454e6facba1eadffbdc7c2bf826b01ceaf |
| SHA256 | 369caea879ce15a7146b74e59ac7e172faa742d053634bfa436637c150c0c85a |
| SHA512 | 9ce978051ec948e2178a2cbbaf3b72d8367b0b711772ab7c903c34362c0ad848d152fd73babdeca5b86a775460075f526e42ddd4a0062b7b0330b45d495ac9e9 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Google.exe.log
| MD5 | 8a1197be130e48aa5aeeafd43eb6bb9f |
| SHA1 | cb790c7c216e41524348eaa0e5b74926e78dbfc6 |
| SHA256 | 547474087ec8f71dfd32b76f9b74c86f9844addf5082df37562a2c2c0cae4bfb |
| SHA512 | 4ad9d8dbbc253c8d7b1c2b4ec5f115c770f02bdbbc21ca0b422e251a3a98331e169c5062cabf7da81d5ae0d295b3778ef105ef82709df1a4ace71be288b8f166 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-11 13:06
Reported
2024-05-11 13:12
Platform
win11-20240508-en
Max time kernel
298s
Max time network
300s
Signatures
LimeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\system\Google.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\system\Google.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\system\Google.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3664 wrote to memory of 964 | N/A | C:\Users\Admin\AppData\Local\Temp\Google.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 3664 wrote to memory of 964 | N/A | C:\Users\Admin\AppData\Local\Temp\Google.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 3664 wrote to memory of 964 | N/A | C:\Users\Admin\AppData\Local\Temp\Google.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 3664 wrote to memory of 3200 | N/A | C:\Users\Admin\AppData\Local\Temp\Google.exe | C:\Users\Admin\AppData\Local\Temp\system\Google.exe |
| PID 3664 wrote to memory of 3200 | N/A | C:\Users\Admin\AppData\Local\Temp\Google.exe | C:\Users\Admin\AppData\Local\Temp\system\Google.exe |
| PID 3664 wrote to memory of 3200 | N/A | C:\Users\Admin\AppData\Local\Temp\Google.exe | C:\Users\Admin\AppData\Local\Temp\system\Google.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Google.exe
"C:\Users\Admin\AppData\Local\Temp\Google.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\system\Google.exe'"
C:\Users\Admin\AppData\Local\Temp\system\Google.exe
"C:\Users\Admin\AppData\Local\Temp\system\Google.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| N/A | 127.0.0.1:4577 | | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\system\Google.exe
| MD5 | cc893a8b514d6874965dd29c0c473732 |
| SHA1 | 69f56d454e6facba1eadffbdc7c2bf826b01ceaf |
| SHA256 | 369caea879ce15a7146b74e59ac7e172faa742d053634bfa436637c150c0c85a |
| SHA512 | 9ce978051ec948e2178a2cbbaf3b72d8367b0b711772ab7c903c34362c0ad848d152fd73babdeca5b86a775460075f526e42ddd4a0062b7b0330b45d495ac9e9 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Google.exe.log
| MD5 | cee382b44a0a258c801e5df212da62dd |
| SHA1 | 85bbc4b6608782987db1a61729e62ec4a7e69371 |
| SHA256 | 0bd749db0dc336f89c80dc04a6522df03c13bd3ca7ec1b5a54ab01413b6ad6c1 |
| SHA512 | 41cd658e569f09ab15c46cc716c576f6ef4862fba47547b09a8576ffd05009465973643c0a5a25d0801adc7be6ba6d3ef7d1e62d0b8a1f0823dfe80c17930dd8 |