Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-05-2024 11:44
Behavioral task: behavioral1
Sample: WinRAR.exe
Resource: win7-20240508-en
General
Target: WinRAR.exe
Size: 28KB
MD5: 1bb96e140f557472fc121bd147c7fef2
SHA1: f1dca9840d4619ed536c733e618f301748041f82
SHA256: 47415dc54f54a881e0fdd0c02c26b994cf881af13f849428153ae4e42bc12ed6
SHA512: 8611b8a6a4eae862d412de1e13047b36cd9854bad75b1e8224a820f91630977908c9e560326da8a538dab097cf51b9407ed17a6050535df6ce98e8bd68b4a48d
SSDEEP: 768:+pOL6TvwdHRv3Jx5LY45N6voFBANLM37/j:+pJvwdH93JjlWwFBA96
Malware Config

Extracted: limerat
aes_key: 1111
antivm: true
c2_url: https://pastebin.com/raw/Qik1mEQY
delay: 3
download_payload: false
install: true
install_name: WinRAR.exe
main_folder: AppData
pin_spread: false
sub_folder: \System\
usb_spread: false

Extracted: limerat
antivm: false
c2_url: https://pastebin.com/raw/Qik1mEQY
download_payload: false
install: false
pin_spread: false
usb_spread: false
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | WinRAR.exe

Executes dropped EXE (1 IoC)
pid | Process
976 | WinRAR.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow | ioc
27 | pastebin.com
29 | pastebin.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3228 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 976 | WinRAR.exe
Token: SeDebugPrivilege | 976 | WinRAR.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 1988 wrote to memory of 3228 | 1988 | WinRAR.exe | 93
PID 1988 wrote to memory of 3228 | 1988 | WinRAR.exe | 93
PID 1988 wrote to memory of 3228 | 1988 | WinRAR.exe | 93
PID 1988 wrote to memory of 976 | 1988 | WinRAR.exe | 95
PID 1988 wrote to memory of 976 | 1988 | WinRAR.exe | 95
PID 1988 wrote to memory of 976 | 1988 | WinRAR.exe | 95
Processes

C:\Users\Admin\AppData\Local\Temp\WinRAR.exe (PID: 1988)
  Command line: "C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  ├ C:\Windows\SysWOW64\schtasks.exe (PID: 3228)
  │   Command line: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\System\WinRAR.exe'"
  │   - Creates scheduled task(s)
  └ C:\Users\Admin\AppData\Roaming\System\WinRAR.exe (PID: 976)
      Command line: "C:\Users\Admin\AppData\Roaming\System\WinRAR.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 709B
MD5: 8a1197be130e48aa5aeeafd43eb6bb9f
SHA1: cb790c7c216e41524348eaa0e5b74926e78dbfc6
SHA256: 547474087ec8f71dfd32b76f9b74c86f9844addf5082df37562a2c2c0cae4bfb
SHA512: 4ad9d8dbbc253c8d7b1c2b4ec5f115c770f02bdbbc21ca0b422e251a3a98331e169c5062cabf7da81d5ae0d295b3778ef105ef82709df1a4ace71be288b8f166

Filesize: 28KB
MD5: 1bb96e140f557472fc121bd147c7fef2
SHA1: f1dca9840d4619ed536c733e618f301748041f82
SHA256: 47415dc54f54a881e0fdd0c02c26b994cf881af13f849428153ae4e42bc12ed6
SHA512: 8611b8a6a4eae862d412de1e13047b36cd9854bad75b1e8224a820f91630977908c9e560326da8a538dab097cf51b9407ed17a6050535df6ce98e8bd68b4a48d