Analysis
-
max time kernel
116s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
10-09-2024 17:47
Behavioral task
behavioral1
Sample
eb65dd5e10d4e6ef4dde08b94bde75a0N.exe
Resource
win7-20240708-en
General
-
Target
eb65dd5e10d4e6ef4dde08b94bde75a0N.exe
-
Size
28KB
-
MD5
eb65dd5e10d4e6ef4dde08b94bde75a0
-
SHA1
ed2cc4bd33c911e0f99e78fc91075cae1209b6d9
-
SHA256
d762f88a335c8b288c249af52c6da817907d0516ac0ad552eb1fec4026a909a3
-
SHA512
88bdd31888b4ce3862e1948ed9dc8e773c9fbabb383bf383f01f0017ae9105df0e323e11cde4906d128c577adc62e4ab896ef476c2914633e591e819f953862c
-
SSDEEP
384:AE0WnRVBLVAmtJpoIhfa/hJiYxJ20CnRGjlDFovDuNrCeJE3WN5igcJqdePLKhez:dpbEIhiJJF20CRGJJmk5NE7I0Dd6+Y
Malware Config
Extracted
limerat
3NyQXs1rAdaWtGUJixrgiuMMJe6eWi1Ydw
-
aes_key
MINOKO
-
antivm
true
-
c2_url
https://pastebin.com/raw/9J0FTCCj
-
delay
3
-
download_payload
false
-
install
true
-
install_name
Wservices.exe
-
main_folder
Temp
-
pin_spread
true
-
sub_folder
\
-
usb_spread
false
Extracted
limerat
-
antivm
false
-
c2_url
https://pastebin.com/raw/9J0FTCCj
-
download_payload
false
-
install
false
-
pin_spread
false
-
usb_spread
false
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation eb65dd5e10d4e6ef4dde08b94bde75a0N.exe -
Executes dropped EXE 1 IoCs
pid Process 4944 Wservices.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 19 pastebin.com 50 pastebin.com 18 pastebin.com -
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 eb65dd5e10d4e6ef4dde08b94bde75a0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum Wservices.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 Wservices.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum eb65dd5e10d4e6ef4dde08b94bde75a0N.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eb65dd5e10d4e6ef4dde08b94bde75a0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Wservices.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3184 schtasks.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4944 Wservices.exe Token: SeDebugPrivilege 4944 Wservices.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1944 wrote to memory of 3184 1944 eb65dd5e10d4e6ef4dde08b94bde75a0N.exe 99 PID 1944 wrote to memory of 3184 1944 eb65dd5e10d4e6ef4dde08b94bde75a0N.exe 99 PID 1944 wrote to memory of 3184 1944 eb65dd5e10d4e6ef4dde08b94bde75a0N.exe 99 PID 1944 wrote to memory of 4944 1944 eb65dd5e10d4e6ef4dde08b94bde75a0N.exe 101 PID 1944 wrote to memory of 4944 1944 eb65dd5e10d4e6ef4dde08b94bde75a0N.exe 101 PID 1944 wrote to memory of 4944 1944 eb65dd5e10d4e6ef4dde08b94bde75a0N.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\eb65dd5e10d4e6ef4dde08b94bde75a0N.exe"C:\Users\Admin\AppData\Local\Temp\eb65dd5e10d4e6ef4dde08b94bde75a0N.exe"1⤵
- Checks computer location settings
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\Wservices.exe'"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3184
-
-
C:\Users\Admin\AppData\Local\Temp\Wservices.exe"C:\Users\Admin\AppData\Local\Temp\Wservices.exe"2⤵
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4944
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4400,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=4160 /prefetch:81⤵PID:948
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
28KB
MD5eb65dd5e10d4e6ef4dde08b94bde75a0
SHA1ed2cc4bd33c911e0f99e78fc91075cae1209b6d9
SHA256d762f88a335c8b288c249af52c6da817907d0516ac0ad552eb1fec4026a909a3
SHA51288bdd31888b4ce3862e1948ed9dc8e773c9fbabb383bf383f01f0017ae9105df0e323e11cde4906d128c577adc62e4ab896ef476c2914633e591e819f953862c