General
-
Target
new.exe
-
Size
45KB
-
Sample
240929-yf2tgs1erb
-
MD5
078f1a2a913ba70371d443044db7cc40
-
SHA1
44010076b38bec2436aa1b853a9670090852744a
-
SHA256
413fe778ab59f6f665df797beb735c0fcd5b43ef69c24095114284c65a257d17
-
SHA512
5d541ba26857f1d6c94a74aa66452b9471b516dc3db08e185774a6e4058f6a727a803872e9e1bc9586ac50f3abcb762fc3c28598c785e6ec441fb8da2e725e8e
-
SSDEEP
768:Tzl6vbR77QVBgqtpYhoQWxZIiqBXWPXCN8z5us0BOHtokRCvM+T+rU0mdId1/:3UbR7IDmJBXWJ51nHtokRcM+u5H/
Static task
static1
Behavioral task
behavioral1
Sample
new.exe
Resource
win10-20240404-en
Malware Config
Extracted
limerat
-
aes_key
123499
-
antivm
false
-
c2_url
https://pastebin.com/raw/ZJ0Dhft2
-
delay
3
-
download_payload
false
-
install
false
-
install_name
Wservices.exe
-
main_folder
Temp
-
pin_spread
false
-
sub_folder
\
-
usb_spread
false
Extracted
limerat
-
antivm
false
-
c2_url
https://pastebin.com/raw/ZJ0Dhft2
-
download_payload
false
-
install
false
-
pin_spread
false
-
usb_spread
false
Targets
-
-
Target
new.exe
-
Size
45KB
-
MD5
078f1a2a913ba70371d443044db7cc40
-
SHA1
44010076b38bec2436aa1b853a9670090852744a
-
SHA256
413fe778ab59f6f665df797beb735c0fcd5b43ef69c24095114284c65a257d17
-
SHA512
5d541ba26857f1d6c94a74aa66452b9471b516dc3db08e185774a6e4058f6a727a803872e9e1bc9586ac50f3abcb762fc3c28598c785e6ec441fb8da2e725e8e
-
SSDEEP
768:Tzl6vbR77QVBgqtpYhoQWxZIiqBXWPXCN8z5us0BOHtokRCvM+T+rU0mdId1/:3UbR7IDmJBXWJ51nHtokRcM+u5H/
-
Event Triggered Execution: Image File Execution Options Injection
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Privilege Escalation
Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1