Analysis
max time kernel: 132s
max time network: 141s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 17-05-2024 11:44
Behavioral task: behavioral1
Sample: WinRAR.exe
Resource: win7-20240508-en
General
Target: WinRAR.exe
Size: 28KB
MD5: 1bb96e140f557472fc121bd147c7fef2
SHA1: f1dca9840d4619ed536c733e618f301748041f82
SHA256: 47415dc54f54a881e0fdd0c02c26b994cf881af13f849428153ae4e42bc12ed6
SHA512: 8611b8a6a4eae862d412de1e13047b36cd9854bad75b1e8224a820f91630977908c9e560326da8a538dab097cf51b9407ed17a6050535df6ce98e8bd68b4a48d
SSDEEP: 768:+pOL6TvwdHRv3Jx5LY45N6voFBANLM37/j:+pJvwdH93JjlWwFBA96
Malware Config
Extracted: limerat
  aes_key: 1111
  antivm: true
  c2_url: https://pastebin.com/raw/Qik1mEQY
  delay: 3
  download_payload: false
  install: true
  install_name: WinRAR.exe
  main_folder: AppData
  pin_spread: false
  sub_folder: \System\
  usb_spread: false
Extracted: limerat
  antivm: false
  c2_url: https://pastebin.com/raw/Qik1mEQY
  download_payload: false
  install: false
  pin_spread: false
  usb_spread: false
Signatures
Executes dropped EXE (1 IoC)
  pid   process
  2636  WinRAR.exe
Loads dropped DLL (2 IoCs)
  pid   process
  308   WinRAR.exe
  308   WinRAR.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow  ioc
  2     pastebin.com
  3     pastebin.com
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   process
  2744  schtasks.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  2636  WinRAR.exe
  Token: SeDebugPrivilege  2636  WinRAR.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description                      pid  process     procid_target
  PID 308 wrote to memory of 2744  308  WinRAR.exe  29
  PID 308 wrote to memory of 2744  308  WinRAR.exe  29
  PID 308 wrote to memory of 2744  308  WinRAR.exe  29
  PID 308 wrote to memory of 2744  308  WinRAR.exe  29
  PID 308 wrote to memory of 2636  308  WinRAR.exe  31
  PID 308 wrote to memory of 2636  308  WinRAR.exe  31
  PID 308 wrote to memory of 2636  308  WinRAR.exe  31
  PID 308 wrote to memory of 2636  308  WinRAR.exe  31
Processes
1. C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
   PID: 308
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\System\WinRAR.exe'"
      PID: 2744
      - Creates scheduled task(s)
   2. C:\Users\Admin\AppData\Roaming\System\WinRAR.exe
      Command line: "C:\Users\Admin\AppData\Roaming\System\WinRAR.exe"
      PID: 2636
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 28KB
MD5: 1bb96e140f557472fc121bd147c7fef2
SHA1: f1dca9840d4619ed536c733e618f301748041f82
SHA256: 47415dc54f54a881e0fdd0c02c26b994cf881af13f849428153ae4e42bc12ed6
SHA512: 8611b8a6a4eae862d412de1e13047b36cd9854bad75b1e8224a820f91630977908c9e560326da8a538dab097cf51b9407ed17a6050535df6ce98e8bd68b4a48d