Analysis
-
max time kernel
24s -
max time network
25s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
29-05-2024 15:12
Errors
Reason
Machine shutdown
General
-
Target
New-Client.exe
-
Size
28KB
-
MD5
2d0c62fc7cc0fcddec7cdfd2b4aacbd7
-
SHA1
6dab1f5cb32d4c3a5f8789b07f4c2930a49d1956
-
SHA256
d89a56bbfa46016796046572213f98af65abdd863fef32f8eaf50ace8fb1f921
-
SHA512
e48f0474c68674a4907f22f89f6a6f3f074128731e5ee453e3482d22851d567055b9b49fe21b30f9c1858fa2276ec5bd34a3abe8205c530550ff4a2ea9826e53
-
SSDEEP
384:0B+Sbj6NKSfa6JBAHNefWXqDpOinsmsDdvDKNrCeJE3WNgOT5E/JXr4CQro3lcTR:ypSS6JBwNOOism0d45NP5211wj
Malware Config
Extracted
Family
limerat
Attributes
-
aes_key
07903088
-
antivm
true
-
c2_url
https://pastebin.com/raw/J0uqtmU4
-
delay
3
-
download_payload
false
-
install
false
-
install_name
Wservices.exe
-
main_folder
Temp
-
pin_spread
false
-
sub_folder
\
-
usb_spread
false
Extracted
Family
limerat
Attributes
-
antivm
false
-
c2_url
https://pastebin.com/raw/J0uqtmU4
-
download_payload
false
-
install
false
-
pin_spread
false
-
usb_spread
false
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 25 pastebin.com 26 pastebin.com -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "197" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 4448 New-Client.exe 4448 New-Client.exe 4448 New-Client.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 4448 New-Client.exe Token: SeDebugPrivilege 4448 New-Client.exe Token: SeShutdownPrivilege 3820 Shutdown.exe Token: SeRemoteShutdownPrivilege 3820 Shutdown.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3240 LogonUI.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4448 wrote to memory of 3820 4448 New-Client.exe 94 PID 4448 wrote to memory of 3820 4448 New-Client.exe 94 PID 4448 wrote to memory of 3820 4448 New-Client.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\New-Client.exe"C:\Users\Admin\AppData\Local\Temp\New-Client.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Windows\SysWOW64\Shutdown.exeShutdown /s /f /t 002⤵
- Suspicious use of AdjustPrivilegeToken
PID:3820
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39b7855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3240