Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
17-08-2024 16:40
Static task
static1
Behavioral task
behavioral1
Sample
IDM Crack ver_rar.scr
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
IDM Crack ver_rar.scr
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
IDM Crack ver_rar.scr
Resource
win10v2004-20240802-en
Behavioral task
behavioral4
Sample
IDM Crack ver_rar.scr
Resource
win11-20240802-en
General
-
Target
IDM Crack ver_rar.scr
-
Size
374KB
-
MD5
fb829a18b62699e01513a237707de26f
-
SHA1
b52801a885e81570724c681f639aba188e3241e2
-
SHA256
c80bc3e65ac5ef54a14ccd38165fdce161ca5caae8c2c0dbc17deb7134b177f2
-
SHA512
1fe630ae89e02243e2a595129c8763fbb1063491ee11c8ce7819eb37e88dc2fbf5ee6a780099341da8c75510131745db67a56cf6548e05096200cdeb001b9388
-
SSDEEP
6144:kcxBAVFqZOt58d2cBbz0tcyVPeqPRgetQjQCItnWUTusvy00uWiqNCf:L/AViOn84cBv0XWiQjQCItn/ouW9C
Malware Config
Extracted
limerat
-
antivm
false
-
c2_url
https://pastebin.com/raw/DDTVwwbu
-
download_payload
false
-
install
false
-
pin_spread
false
-
usb_spread
false
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 4880 winlogon.exe 3120 msedgeupdate.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrome.exe = "C:\\Users\\Admin\\AppData\\Local\\chrome.exe" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrome.exe = "C:\\Users\\Admin\\AppData\\Local\\chrome.exe" msedgeupdate.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 1 pastebin.com 2 pastebin.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IDM Crack ver_rar.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msedgeupdate.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1196 schtasks.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3120 msedgeupdate.exe Token: SeDebugPrivilege 3120 msedgeupdate.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 4160 wrote to memory of 4880 4160 IDM Crack ver_rar.scr 82 PID 4160 wrote to memory of 4880 4160 IDM Crack ver_rar.scr 82 PID 4160 wrote to memory of 4880 4160 IDM Crack ver_rar.scr 82 PID 4880 wrote to memory of 1196 4880 winlogon.exe 84 PID 4880 wrote to memory of 1196 4880 winlogon.exe 84 PID 4880 wrote to memory of 1196 4880 winlogon.exe 84 PID 4880 wrote to memory of 3120 4880 winlogon.exe 86 PID 4880 wrote to memory of 3120 4880 winlogon.exe 86 PID 4880 wrote to memory of 3120 4880 winlogon.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\IDM Crack ver_rar.scr"C:\Users\Admin\AppData\Local\Temp\IDM Crack ver_rar.scr" /S1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4160 -
C:\Users\Admin\AppData\Local\winlogon.exe"C:\Users\Admin\AppData\Local\winlogon.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\Edge\msedgeupdate.exe'"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1196
-
-
C:\Users\Admin\AppData\Roaming\Edge\msedgeupdate.exe"C:\Users\Admin\AppData\Roaming\Edge\msedgeupdate.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3120
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
198KB
MD5d1f66cf79d708e8b7916c46ceced613c
SHA18704e6c27104c8344d0a97943777dfd574825bda
SHA2569eba4d4b7a922a73633eba001b3b60de23d7b9e15617a72db6e08687f4238cf7
SHA512cc58bb6a7de043d35e8cf5ef2bbdcae885558937bab43b81c4777da14a33d4540954ddb010a0b2e9e108d07f4122565dc25e033ff9074383f596a5995c3e4405
-
Filesize
374KB
MD5fb829a18b62699e01513a237707de26f
SHA1b52801a885e81570724c681f639aba188e3241e2
SHA256c80bc3e65ac5ef54a14ccd38165fdce161ca5caae8c2c0dbc17deb7134b177f2
SHA5121fe630ae89e02243e2a595129c8763fbb1063491ee11c8ce7819eb37e88dc2fbf5ee6a780099341da8c75510131745db67a56cf6548e05096200cdeb001b9388