Overview

overview

10

Static

static

10

PortFowarding.exe

windows11-21h2-x64

Analysis

  • max time kernel
    128s
  • max time network
    129s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250313-en
  • resource tags

    arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    31/03/2025, 09:24

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    PortFowarding.exe

  • Size

    28KB

  • MD5

    61b1dac027f18514a7a0cc6c2475528c

  • SHA1

    6605992eb04bdaa3e6a5f94d5e4baf5b548ef548

  • SHA256

    e76749d70a685f5f5456ce90f223404e2b7f143544426f17610a2b020b721886

  • SHA512

    4007b1d52e4ffa2842a5490f5c564a8bc9e939c044cf1d6eee3295c87d9b1142057e366efb38de7d4c26af3bbf2090fbd701c2b40527187b3bb4b1b4b1435614

  • SSDEEP

    768:lpYK/6Dfw9Fj+ZySZl45NWi6KQlkB6Uyj:lpofw94Z9y6i9QlkMR

Score
10/10
limeratdiscoveryransomwarerat

Malware Config

Extracted

Family

limerat

Attributes
  • aes_key

    emhook123321

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/zVU0mnS4

  • delay

    15

  • download_payload

    false

  • install

    true

  • install_name

    svhost.exe

  • main_folder

    AppData

  • pin_spread

    false

  • sub_folder

    \Sys\

  • usb_spread

    false

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

    ratlimerat
  • Limerat family
    limerat
  • Renames multiple (1979) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PortFowarding.exe
    "C:\Users\Admin\AppData\Local\Temp\PortFowarding.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5580
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\Sys\svhost.exe'"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:4812
    • C:\Users\Admin\AppData\Roaming\Sys\svhost.exe
      "C:\Users\Admin\AppData\Roaming\Sys\svhost.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4432
      • C:\Windows\SysWOW64\Shutdown.exe
        Shutdown /s /f /t 00
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:5856
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4444
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa3a33055 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:4572

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\msvcp140.dll
      Filesize

      558KB

      MD5

      800b2e2e9a914679e2339f9309a1b40b

      SHA1

      5b92fd87a896fdb6f39fd9361564a6587c270cd7

      SHA256

      3abfdbc83708f59c9ce89b91fec96379631f0f3dc76f3a9e76fed7d81a1d71a5

      SHA512

      8cc2426025e3365c019c57ef5b234165c55d757c49b5b7d4a02814101ddd1de81f1beb4587b3835f773dcc1246f21f6abb7305a34ade93b770e51bdbe7f315b9

      Download Submit

    • C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140.dll
      Filesize

      95KB

      MD5

      38d2515b637f2360f6f7e3171f1e313f

      SHA1

      a625c7e07afca9da66adca65bc574cd8ae9a4b10

      SHA256

      6b75d7808d49ef94e35165126a74071f0d001989e5482c6ce2e36ac8997bb52e

      SHA512

      49c35ab93a5daa772b1f72580077537e935e04d7e445e00b7717d2df7b2dec1e9429097c6a92c285c6f51585c70c00873dd0fde7dad07545bf3c1c251d8b5e0e

      Download Submit

    • C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140_1.dll
      Filesize

      36KB

      MD5

      87480d4739f44377f4cd59d0a6f16538

      SHA1

      e0f61ba426aaf89ac1a10e4d6b1240707adca7ca

      SHA256

      28574e2906db0bf472da4b2e80a1fee63ce70af632941f326a91d45843872d4f

      SHA512

      fb91ade2854577eb6e6f366544110e26b03c22e7d86c86a6e755ae89ba002968861f5cee002952d5d622068d20615911b71284c14a3421fb2cef421fcae81274

      Download Submit

    • C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.DiaSymReader.Native.amd64.dll
      Filesize

      1.8MB

      MD5

      c6b271bca8ebdf9b235ce7eb2d2fbc6b

      SHA1

      d779c1a18f15f51e81600caface4d85613270647

      SHA256

      c837850949f61db2a45a2e5ef48e219acc6e5425aa53465b11d230eb8ecce2f9

      SHA512

      f2b0bbf7d90ceee840ce1161c013386c1965e3552ea83c0cda401abdc8fac815c8bf0f2d5c6ee8183ae19d08f1ed933776f3b176e67b4dacf4235eec23735960

      Download Submit

    • C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\D3DCompiler_47_cor3.dll
      Filesize

      4.7MB

      MD5

      0f5e7002ee121e54d52b0f6284dd0380

      SHA1

      40007e9148a31fc57cc27a526eba767fae188819

      SHA256

      30f9af312876ad0c7b654b306a2e35babe7a2e24bf9709e3703a977551cc3ab8

      SHA512

      98e29fc0ae81183b873bbc6fb5f424e8f24f50e162e349fd5f2bcba4ee144994a117e471e80dc0dececf10798546f8a71d809ccf1b5ef719f92990d11b94d709

      Download Submit

    • C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\vcruntime140_cor3.dll
      Filesize

      116KB

      MD5

      550de5f4ec89a1ff0e186404fa0bdd2a

      SHA1

      f40109411482128318949e89f639ce345591b605

      SHA256

      9d0aa419f6549abd6f6cb17be5bda860c4b09caa7698677eb163a02d8924c579

      SHA512

      5683f20b8f2ea4731156ac7792ecc96688c313902cc40011f7e1fbd49034f6ddf0b6c9b9e511a3fc6910b9279687a75dd215bce23f7dafa4dd75d6aa4d9b0947

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Sys\svhost.exe
      Filesize

      28KB

      MD5

      61b1dac027f18514a7a0cc6c2475528c

      SHA1

      6605992eb04bdaa3e6a5f94d5e4baf5b548ef548

      SHA256

      e76749d70a685f5f5456ce90f223404e2b7f143544426f17610a2b020b721886

      SHA512

      4007b1d52e4ffa2842a5490f5c564a8bc9e939c044cf1d6eee3295c87d9b1142057e366efb38de7d4c26af3bbf2090fbd701c2b40527187b3bb4b1b4b1435614

      Download Submit

    • memory/4432-20-0x0000000074800000-0x0000000074FB1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4432-3754-0x0000000001120000-0x000000000112C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/4432-17-0x0000000074800000-0x0000000074FB1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4432-18-0x0000000074800000-0x0000000074FB1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4432-19-0x0000000074800000-0x0000000074FB1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4432-3941-0x0000000074800000-0x0000000074FB1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4432-21-0x00000000071D0000-0x0000000007262000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4432-22-0x0000000000F00000-0x0000000000F6C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/4432-23-0x00000000077A0000-0x0000000007CCC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/5580-6-0x00000000061F0000-0x0000000006796000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/5580-5-0x0000000074800000-0x0000000074FB1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5580-4-0x00000000053D0000-0x0000000005436000-memory.dmp

      Filesize

      408KB

      Download

    • memory/5580-16-0x0000000074800000-0x0000000074FB1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5580-3-0x000000007480E000-0x000000007480F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5580-2-0x00000000052E0000-0x000000000537C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/5580-1-0x0000000000880000-0x000000000088C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/5580-0-0x000000007480E000-0x000000007480F000-memory.dmp

      Filesize

      4KB

      Download