Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
30/11/2024, 14:16
Behavioral task
behavioral1
Sample
New-Client.exe
Resource
win7-20240903-en
General
-
Target
New-Client.exe
-
Size
28KB
-
MD5
42dd04b2c91e0b8c4b6c676c0bf067bc
-
SHA1
8fb5c885299eb1fb4c93e76cc7172058a347c48b
-
SHA256
18dfa73375b80be2a9651411bdd5c4735c9738af35f086f426584ee2776d9fa3
-
SHA512
24cc5f837445c1ea3cb9c39f66186d2be23674444f6a46df296a4a0538aa5fa4bde6ad4251bc8adc74dfc5689576763e592d0713a303e8a2f7828b2bf4b34b2e
-
SSDEEP
384:GB+Sbj6NKsHU637AHteXnmqDvDj63XjUQvDKNrCeJE3WNgtTKNnqgqoXiuQro3li:8ps0637wtexv6nQe45NDNnhqVUIj
Malware Config
Extracted
limerat
-
aes_key
ponontop
-
antivm
false
-
c2_url
https://pastebin.com/raw/U06jyvTy
-
delay
3
-
download_payload
false
-
install
true
-
install_name
sus.exe
-
main_folder
AppData
-
pin_spread
true
-
sub_folder
\sus\
-
usb_spread
false
Extracted
limerat
-
antivm
false
-
c2_url
https://pastebin.com/raw/U06jyvTy
-
download_payload
false
-
install
false
-
pin_spread
false
-
usb_spread
false
Signatures
-
Limerat family
-
Executes dropped EXE 1 IoCs
pid Process 2808 sus.exe -
Loads dropped DLL 2 IoCs
pid Process 1616 New-Client.exe 1616 New-Client.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 4 pastebin.com 5 pastebin.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language New-Client.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sus.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2752 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid Process 2808 sus.exe 2808 sus.exe 2808 sus.exe 2808 sus.exe 2808 sus.exe 2808 sus.exe 2808 sus.exe 2808 sus.exe 2808 sus.exe 2808 sus.exe 2808 sus.exe 2808 sus.exe 2808 sus.exe 2808 sus.exe 2808 sus.exe 2808 sus.exe 2808 sus.exe 2808 sus.exe 2808 sus.exe 2808 sus.exe 2808 sus.exe 2808 sus.exe 2808 sus.exe 2808 sus.exe 2808 sus.exe 2808 sus.exe 2808 sus.exe 2808 sus.exe 2808 sus.exe 2808 sus.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2808 sus.exe Token: SeDebugPrivilege 2808 sus.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1616 wrote to memory of 2752 1616 New-Client.exe 32 PID 1616 wrote to memory of 2752 1616 New-Client.exe 32 PID 1616 wrote to memory of 2752 1616 New-Client.exe 32 PID 1616 wrote to memory of 2752 1616 New-Client.exe 32 PID 1616 wrote to memory of 2808 1616 New-Client.exe 34 PID 1616 wrote to memory of 2808 1616 New-Client.exe 34 PID 1616 wrote to memory of 2808 1616 New-Client.exe 34 PID 1616 wrote to memory of 2808 1616 New-Client.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\New-Client.exe"C:\Users\Admin\AppData\Local\Temp\New-Client.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\sus\sus.exe'"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2752
-
-
C:\Users\Admin\AppData\Roaming\sus\sus.exe"C:\Users\Admin\AppData\Roaming\sus\sus.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
28KB
MD542dd04b2c91e0b8c4b6c676c0bf067bc
SHA18fb5c885299eb1fb4c93e76cc7172058a347c48b
SHA25618dfa73375b80be2a9651411bdd5c4735c9738af35f086f426584ee2776d9fa3
SHA51224cc5f837445c1ea3cb9c39f66186d2be23674444f6a46df296a4a0538aa5fa4bde6ad4251bc8adc74dfc5689576763e592d0713a303e8a2f7828b2bf4b34b2e