Analysis

  • max time kernel
    125s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-11-2024 21:15

General

  • Target

    31d7267be9bea428656d5816407f54465874ab19412bb9fc9b6e9ff3ae071fcb.exe

  • Size

    886KB

  • MD5

    8b637ff4088420db4452d5520dbb5322

  • SHA1

    ff4f59e05fc12fcc63152865249fd2201234059c

  • SHA256

    31d7267be9bea428656d5816407f54465874ab19412bb9fc9b6e9ff3ae071fcb

  • SHA512

    865ad3eef1b9447a142f73918fdb124ceef16c2833ee0915f647d480031e6ce420bf019e94a9b44af693b8d54c7b818eeea5e9e4d8a7bf9e81f69b969a292f0a

  • SSDEEP

    24576:4RnVM8ucIfxiCYG1mfo/O91ewJEzJsUKkWHTUzBc790WdTfreNwqBcY1j:+CbqoCQ8dk

Score
10/10

Malware Config

Extracted

Family

limerat

Attributes
  • aes_key

    madziaq

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/wnVQqrBE

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Wservices.exe

  • main_folder

    Temp

  • pin_spread

    true

  • sub_folder

    \

  • usb_spread

    true

Extracted

Family

limerat

Attributes
  • antivm

    false

  • c2_url

    https://pastebin.com/raw/wnVQqrBE

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

  • Limerat family
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\31d7267be9bea428656d5816407f54465874ab19412bb9fc9b6e9ff3ae071fcb.exe
    "C:\Users\Admin\AppData\Local\Temp\31d7267be9bea428656d5816407f54465874ab19412bb9fc9b6e9ff3ae071fcb.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:464
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4200

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/464-44-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/464-8-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/464-2-0x00000000054A0000-0x00000000054DC000-memory.dmp

    Filesize

    240KB

  • memory/464-3-0x00000000054E0000-0x0000000005508000-memory.dmp

    Filesize

    160KB

  • memory/464-4-0x00000000749F0000-0x00000000751A0000-memory.dmp

    Filesize

    7.7MB

  • memory/464-5-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/464-42-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/464-68-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/464-73-0x0000000005550000-0x0000000005566000-memory.dmp

    Filesize

    88KB

  • memory/464-11-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/464-16-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/464-40-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/464-72-0x0000000005660000-0x00000000056FC000-memory.dmp

    Filesize

    624KB

  • memory/464-71-0x00000000749F0000-0x00000000751A0000-memory.dmp

    Filesize

    7.7MB

  • memory/464-66-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/464-64-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/464-62-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/464-58-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/464-57-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/464-54-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/464-0-0x00000000749FE000-0x00000000749FF000-memory.dmp

    Filesize

    4KB

  • memory/464-50-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/464-48-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/464-46-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/464-52-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/464-1-0x0000000000AD0000-0x0000000000B9A000-memory.dmp

    Filesize

    808KB

  • memory/464-77-0x00000000749F0000-0x00000000751A0000-memory.dmp

    Filesize

    7.7MB

  • memory/464-38-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/464-36-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/464-32-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/464-30-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/464-26-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/464-25-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/464-22-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/464-20-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/464-18-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/464-15-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/464-12-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/464-6-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/464-60-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/464-34-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/464-28-0x00000000054E0000-0x0000000005501000-memory.dmp

    Filesize

    132KB

  • memory/4200-78-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

  • memory/4200-76-0x00000000749F0000-0x00000000751A0000-memory.dmp

    Filesize

    7.7MB

  • memory/4200-79-0x00000000058B0000-0x0000000005916000-memory.dmp

    Filesize

    408KB

  • memory/4200-80-0x00000000749F0000-0x00000000751A0000-memory.dmp

    Filesize

    7.7MB

  • memory/4200-81-0x00000000064D0000-0x0000000006A74000-memory.dmp

    Filesize

    5.6MB

  • memory/4200-82-0x00000000749F0000-0x00000000751A0000-memory.dmp

    Filesize

    7.7MB

  • memory/4200-83-0x00000000749F0000-0x00000000751A0000-memory.dmp

    Filesize

    7.7MB