Analysis
-
max time kernel
295s -
max time network
298s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
03-10-2024 13:41
General
-
Target
BlackHAT.exe
-
Size
51KB
-
MD5
d5700c41472c7b4520203ed24422cd86
-
SHA1
6abfc54feaab58a84810f1d1c63bd43b2d8a9192
-
SHA256
297c3bfe34c2c0e7babc29946ff38c985293f2eb0dad98836a5ac340d35c9a77
-
SHA512
46d6037e97bb2587906feaf6e2d20e3abb5b3dcc1bf55767c7976f24ee0da952e3c4b68b29d810901cdbcd6ceee7cd73884cc3dc1a45e2a98ae9d9010ead217d
-
SSDEEP
768:SpMN6RpwdiERAkXL45NyJuKn1pj8hhs1SDdxYu+h7yokbz:SpbpwdTn0ewKnHohm1SDdxYEokbz
Malware Config
Extracted
limerat
-
aes_key
123499
-
antivm
false
-
c2_url
https://pastebin.com/raw/zwppgXcp
-
delay
3
-
download_payload
false
-
install
true
-
install_name
WindowsServices.exe
-
main_folder
Temp
-
pin_spread
false
-
sub_folder
\
-
usb_spread
true
Extracted
limerat
-
antivm
false
-
c2_url
https://pastebin.com/raw/zwppgXcp
-
download_payload
false
-
install
false
-
pin_spread
false
-
usb_spread
false
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1744 WindowsServices.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
flow ioc 1 pastebin.com 2 pastebin.com 3 0.tcp.ap.ngrok.io 19 0.tcp.ap.ngrok.io 44 0.tcp.ap.ngrok.io 61 0.tcp.ap.ngrok.io 77 0.tcp.ap.ngrok.io -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BlackHAT.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WindowsServices.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2916 schtasks.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1744 WindowsServices.exe Token: SeDebugPrivilege 1744 WindowsServices.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3800 wrote to memory of 2916 3800 BlackHAT.exe 73 PID 3800 wrote to memory of 2916 3800 BlackHAT.exe 73 PID 3800 wrote to memory of 2916 3800 BlackHAT.exe 73 PID 3800 wrote to memory of 1744 3800 BlackHAT.exe 75 PID 3800 wrote to memory of 1744 3800 BlackHAT.exe 75 PID 3800 wrote to memory of 1744 3800 BlackHAT.exe 75
Processes
-
C:\Users\Admin\AppData\Local\Temp\BlackHAT.exe"C:\Users\Admin\AppData\Local\Temp\BlackHAT.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3800 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe'"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2916
-
-
C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe"C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1744
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
51KB
MD5d5700c41472c7b4520203ed24422cd86
SHA16abfc54feaab58a84810f1d1c63bd43b2d8a9192
SHA256297c3bfe34c2c0e7babc29946ff38c985293f2eb0dad98836a5ac340d35c9a77
SHA51246d6037e97bb2587906feaf6e2d20e3abb5b3dcc1bf55767c7976f24ee0da952e3c4b68b29d810901cdbcd6ceee7cd73884cc3dc1a45e2a98ae9d9010ead217d