Analysis
- max time kernel: 38s
- max time network: 167s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 26-07-2021 13:08

Static task: static1
Behavioral task behavioral1: Sample Bank Millennium.bin.exe, Resource win7v20210408 (the run reported below)
Behavioral task behavioral2: Sample Bank Millennium.bin.exe, Resource win10v20210410
General
- Target: Bank Millennium.bin.exe
- Size: 85KB
- MD5: e9a0412da07e244d2cf47c8edbdb9f24
- SHA1: 8ee7fe0ce62b889237033b236a50c0c3a478e58d
- SHA256: e23af5d6048c8e86e22bd7117254d7f17bc97c24fe335ea3c411367bdd9953de
- SHA512: 801c1446e17793d8095ebdda54e90102d734717d60866d3e2703879dc5723445808b7ce943600393ee6d5cbdb8718776edeed1cff5d2bb15e8da1a748d117944
Malware Config
Extracted: warzonerat
- C2 (host:port): 185.157.160.215:2211
Signatures
-
WarzoneRat, AveMaria
WarzoneRat (also tracked as AveMaria) is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
-
Warzone RAT Payload 3 IoCs
Processes:
- behavioral1/memory/1564-65-0x0000000000400000-0x0000000000554000-memory.dmp: yara_rule warzonerat
- behavioral1/memory/1564-66-0x0000000000405CE2-mapping.dmp: yara_rule warzonerat
- behavioral1/memory/1564-68-0x0000000000400000-0x0000000000554000-memory.dmp: yara_rule warzonerat
-
Drops startup file 2 IoCs
Processes:
- cmd.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bank Millennium.bin.exe
- cmd.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bank Millennium.bin.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
- Bank Millennium.bin.exe (PID 364) set thread context of Bank Millennium.bin.exe (PID 1564)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches a generic "likely ransomware behaviour" note to this signature; in a WarzoneRat run it is more consistent with host and drive enumeration, and the only file write recorded in this report is the Startup copy, so nothing here supports a ransomware reading.
-
Suspicious behavior: EnumeratesProcesses 45 IoCs
Processes:
- Bank Millennium.bin.exe (PID 364): 45 process-enumeration events
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
- Bank Millennium.bin.exe (PID 364): Token: SeDebugPrivilege
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
- PID 364 Bank Millennium.bin.exe wrote to memory of PID 760 cmd.exe (4 events)
- PID 364 Bank Millennium.bin.exe wrote to memory of PID 1564 Bank Millennium.bin.exe (12 events)
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\Bank Millennium.bin.exe (PID 364)
    "C:\Users\Admin\AppData\Local\Temp\Bank Millennium.bin.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
-
    [2] C:\Windows\SysWOW64\cmd.exe (PID 760)
        "C:\Windows\System32\cmd.exe" /c Copy "C:\Users\Admin\AppData\Local\Temp\Bank Millennium.bin.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bank Millennium.bin.exe"
        (the command line names System32 but the image that ran is SysWOW64\cmd.exe: WoW64 file-system redirection, so the parent is a 32-bit process)
        - Drops startup file
-
    [2] C:\Users\Admin\AppData\Local\Temp\Bank Millennium.bin.exe (PID 1564)
        "C:\Users\Admin\AppData\Local\Temp\Bank Millennium.bin.exe"
        (spawned from the same image and written to by PID 364, which then replaced its thread context: the hollowed host whose 0x400000 region carries the WarzoneRat YARA hits)
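The process tree together with the WriteProcessMemory and SetThreadContext signatures is the classic shape of process hollowing, and the cmd.exe Copy into the Startup folder is the persistence. The Python below is an added example, not part of the Triage report or its tooling: it correlates sandbox-style process events into those two findings. The event records and their field names (op, pid, parent, target, image, path) are constructed to mirror the PIDs and paths in this report and are not a real sandbox schema.

```python
"""Correlate process events into two findings seen in this report:
process hollowing (a parent spawns a child from its own image, writes into
it, then sets its thread context) and Startup-folder persistence.

Added example, not Triage's code. The event records below are constructed
to mirror the report (parent 364, cmd.exe 760, hollowed child 1564); the
field names are assumptions.
"""
from collections import defaultdict
import ntpath

# Lower-case marker for the per-user Startup folder (path already normcased).
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Bank Millennium.bin.exe"
STARTUP_COPY = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                r"\Start Menu\Programs\Startup\Bank Millennium.bin.exe")

# Constructed events; PID 1000 stands in for the unknown launcher of PID 364.
EVENTS = [
    {"op": "create_process", "pid": 364, "image": SAMPLE, "parent": 1000},
    {"op": "create_process", "pid": 760, "image": r"C:\Windows\SysWOW64\cmd.exe", "parent": 364},
    {"op": "create_process", "pid": 1564, "image": SAMPLE, "parent": 364},
    {"op": "write_process_memory", "pid": 364, "target": 760},
    {"op": "write_process_memory", "pid": 364, "target": 1564},
    {"op": "set_thread_context", "pid": 364, "target": 1564},
    {"op": "file_create", "pid": 760, "path": STARTUP_COPY},
]


def find_hollowing(events):
    """Return (parent_pid, child_pid) pairs where the parent spawned the child
    from the same image, wrote into it and then set its thread context.
    Writes alone are normal (PID 364 also wrote into cmd.exe); the context
    change on a same-image child is the tell."""
    image = {e["pid"]: e["image"] for e in events if e["op"] == "create_process"}
    parent = {e["pid"]: e["parent"] for e in events if e["op"] == "create_process"}
    wrote = defaultdict(set)
    context = defaultdict(set)
    for e in events:
        if e["op"] == "write_process_memory":
            wrote[e["pid"]].add(e["target"])
        elif e["op"] == "set_thread_context":
            context[e["pid"]].add(e["target"])
    hits = []
    for child, par in parent.items():
        ci, pi = image.get(child), image.get(par)
        if ci is None or pi is None or ntpath.normcase(ci) != ntpath.normcase(pi):
            continue
        if child in wrote[par] and child in context[par]:
            hits.append((par, child))
    return hits


def find_startup_persistence(events):
    """Return (pid, path) for every file written into a per-user Startup folder."""
    return [(e["pid"], e["path"]) for e in events
            if e["op"] == "file_create" and STARTUP_MARKER in ntpath.normcase(e["path"])]


if __name__ == "__main__":
    for par, child in find_hollowing(EVENTS):
        print(f"process hollowing: PID {par} -> PID {child}")
    for pid, path in find_startup_persistence(EVENTS):
        print(f"startup persistence by PID {pid}: {path}")
```

The same-image check is what keeps the cmd.exe writes out of the hollowing result; an EDR rule that alerts on WriteProcessMemory alone would fire on both children.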
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bank Millennium.bin.exe
- MD5: e9a0412da07e244d2cf47c8edbdb9f24
- SHA1: 8ee7fe0ce62b889237033b236a50c0c3a478e58d
- SHA256: e23af5d6048c8e86e22bd7117254d7f17bc97c24fe335ea3c411367bdd9953de
- SHA512: 801c1446e17793d8095ebdda54e90102d734717d60866d3e2703879dc5723445808b7ce943600393ee6d5cbdb8718776edeed1cff5d2bb15e8da1a748d117944
(identical to the submitted sample's hashes: the Startup file is a byte-for-byte copy, as the cmd.exe Copy command implies, so the sample hash alone suffices to sweep for the persistence artifact)
-
memory/364-59-0x0000000000C90000-0x0000000000C91000-memory.dmp (Filesize 4KB)
-
memory/364-61-0x0000000004EC0000-0x0000000004EC1000-memory.dmp (Filesize 4KB)
-
memory/364-62-0x00000000020F0000-0x000000000213C000-memory.dmp (Filesize 304KB)
-
memory/760-63-0x0000000000000000-mapping.dmp
-
memory/1564-65-0x0000000000400000-0x0000000000554000-memory.dmp (Filesize 1.3MB)
-
memory/1564-66-0x0000000000405CE2-mapping.dmp
-
memory/1564-67-0x0000000075451000-0x0000000075453000-memory.dmp (Filesize 8KB)
-
memory/1564-68-0x0000000000400000-0x0000000000554000-memory.dmp (Filesize 1.3MB)
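The dump names above encode the PID, a sequence number and either a virtual address range or a single mapped address. The Python below is an added example, not anything from the report or from Triage: it parses those names, sizes each region, picks out range dumps that begin at the default 32-bit ImageBase 0x400000 (where the payload was written into PID 1564) and checks which range dumps contain each mapping address. The naming pattern is inferred from the entries in this report rather than taken from a documented format, and the ImageBase heuristic is an assumption.

```python
"""Parse sandbox memory dump names of the form
    memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
    memory/<pid>-<seq>-0x<addr>-mapping.dmp
and size each region.

Added example; the pattern is inferred from the entries in this report
and is not a documented Triage format.
"""
import re

RANGE_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
MAP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp")

# Entries copied from the Downloads list in this report.
DUMPS = [
    "memory/364-59-0x0000000000C90000-0x0000000000C91000-memory.dmp",
    "memory/364-61-0x0000000004EC0000-0x0000000004EC1000-memory.dmp",
    "memory/364-62-0x00000000020F0000-0x000000000213C000-memory.dmp",
    "memory/760-63-0x0000000000000000-mapping.dmp",
    "memory/1564-65-0x0000000000400000-0x0000000000554000-memory.dmp",
    "memory/1564-66-0x0000000000405CE2-mapping.dmp",
    "memory/1564-67-0x0000000075451000-0x0000000075453000-memory.dmp",
    "memory/1564-68-0x0000000000400000-0x0000000000554000-memory.dmp",
]


def parse_dump(name):
    """Return a dict describing one dump name, or raise ValueError."""
    m = RANGE_RE.fullmatch(name)
    if m:
        start, end = int(m[3], 16), int(m[4], 16)
        return {"pid": int(m[1]), "seq": int(m[2]), "kind": "range",
                "start": start, "end": end, "size": end - start}
    m = MAP_RE.fullmatch(name)
    if m:
        return {"pid": int(m[1]), "seq": int(m[2]), "kind": "mapping",
                "addr": int(m[3], 16)}
    raise ValueError(f"unrecognised dump name: {name}")


def payload_candidates(names, image_base=0x400000):
    """Sorted unique (pid, size) for range dumps that start at image_base and
    span more than one page. Assumption: in a hollowed 32-bit child this is
    the written-in payload image. A legitimately mapped EXE sits at the same
    address, so treat it as a triage hint, not proof."""
    seen = set()
    for d in map(parse_dump, names):
        if d["kind"] == "range" and d["start"] == image_base and d["size"] > 0x1000:
            seen.add((d["pid"], d["size"]))
    return sorted(seen)


def mapping_in_ranges(names):
    """For each mapping dump, the sequence numbers of range dumps of the same
    PID whose [start, end) contains the mapped address. A mapping address
    inside the image_base region is consistent with the thread entry point
    the parent set via SetThreadContext."""
    parsed = [parse_dump(n) for n in names]
    ranges = [d for d in parsed if d["kind"] == "range"]
    out = {}
    for m in parsed:
        if m["kind"] != "mapping":
            continue
        out[(m["pid"], m["addr"])] = sorted(
            r["seq"] for r in ranges
            if r["pid"] == m["pid"] and r["start"] <= m["addr"] < r["end"])
    return out


if __name__ == "__main__":
    for pid, size in payload_candidates(DUMPS):
        print(f"PID {pid}: 0x{size:X} bytes at default ImageBase")
    for (pid, addr), seqs in mapping_in_ranges(DUMPS).items():
        print(f"PID {pid} mapping 0x{addr:X} lies inside range dumps {seqs}")
```

For this report the two 0x400000 dumps of PID 1564 are 0x154000 bytes each (the report's 1.3MB), and the 0x405CE2 mapping falls inside both of them, which is why the YARA hits land on exactly those three files.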