milleniumrat | 304ef66a063c8d7f349e1ccae332c3d0671e39923bdc6be1dd8e788255f9575d

General

Target

304ef66a063c8d7f349e1ccae332c3d0671e39923bdc6be1dd8e788255f9575d.exe
Size

5.7MB
MD5

4685cc14b573164de4fb91315a6411ce
SHA1

ef14eee56ac6aec9b7b0c6bb71a926cf75720cfd
SHA256

304ef66a063c8d7f349e1ccae332c3d0671e39923bdc6be1dd8e788255f9575d
SHA512

850c5f86ca101ea63d005a04cba52336323c257d3bbc000e73cc6c5d115fb7da6372ccdcf265a76d8feb2322b412a320d031d9d66996ffcfed9d2c59b4e62686
SSDEEP

98304:3sl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcR6T:3POuK6mn9NzgMoYkSIvUcwti7TQlvcin

Score

10^/10

milleniumrat persistence rat stealer

Malware Config

Signatures

MilleniumRat
MilleniumRat is a remote access trojan written in C#.
rat stealer milleniumrat

Executes dropped EXE 1 IoCs

pid	Process
2612	Update.exe

Loads dropped DLL 2 IoCs

pid	Process
2692	304ef66a063c8d7f349e1ccae332c3d0671e39923bdc6be1dd8e788255f9575d.exe
2612	Update.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com
10	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2528	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2996	tasklist.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2932	reg.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2692	304ef66a063c8d7f349e1ccae332c3d0671e39923bdc6be1dd8e788255f9575d.exe
2692	304ef66a063c8d7f349e1ccae332c3d0671e39923bdc6be1dd8e788255f9575d.exe
2692	304ef66a063c8d7f349e1ccae332c3d0671e39923bdc6be1dd8e788255f9575d.exe
2612	Update.exe
2612	Update.exe
2612	Update.exe
2612	Update.exe
2612	Update.exe
2612	Update.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	304ef66a063c8d7f349e1ccae332c3d0671e39923bdc6be1dd8e788255f9575d.exe
Token: SeDebugPrivilege	2996	tasklist.exe
Token: SeDebugPrivilege	2612	Update.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2612	Update.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 3024	2692	304ef66a063c8d7f349e1ccae332c3d0671e39923bdc6be1dd8e788255f9575d.exe	29
PID 2692 wrote to memory of 3024	2692	304ef66a063c8d7f349e1ccae332c3d0671e39923bdc6be1dd8e788255f9575d.exe	29
PID 2692 wrote to memory of 3024	2692	304ef66a063c8d7f349e1ccae332c3d0671e39923bdc6be1dd8e788255f9575d.exe	29
PID 3024 wrote to memory of 2996	3024	cmd.exe	32
PID 3024 wrote to memory of 2996	3024	cmd.exe	32
PID 3024 wrote to memory of 2996	3024	cmd.exe	32
PID 3024 wrote to memory of 2984	3024	cmd.exe	31
PID 3024 wrote to memory of 2984	3024	cmd.exe	31
PID 3024 wrote to memory of 2984	3024	cmd.exe	31
PID 3024 wrote to memory of 2528	3024	cmd.exe	33
PID 3024 wrote to memory of 2528	3024	cmd.exe	33
PID 3024 wrote to memory of 2528	3024	cmd.exe	33
PID 3024 wrote to memory of 2612	3024	cmd.exe	34
PID 3024 wrote to memory of 2612	3024	cmd.exe	34
PID 3024 wrote to memory of 2612	3024	cmd.exe	34
PID 2612 wrote to memory of 2856	2612	Update.exe	35
PID 2612 wrote to memory of 2856	2612	Update.exe	35
PID 2612 wrote to memory of 2856	2612	Update.exe	35
PID 2856 wrote to memory of 2932	2856	cmd.exe	37
PID 2856 wrote to memory of 2932	2856	cmd.exe	37
PID 2856 wrote to memory of 2932	2856	cmd.exe	37
PID 2612 wrote to memory of 2968	2612	Update.exe	38
PID 2612 wrote to memory of 2968	2612	Update.exe	38
PID 2612 wrote to memory of 2968	2612	Update.exe	38

C:\Users\Admin\AppData\Local\Temp\304ef66a063c8d7f349e1ccae332c3d0671e39923bdc6be1dd8e788255f9575d.exe
"C:\Users\Admin\AppData\Local\Temp\304ef66a063c8d7f349e1ccae332c3d0671e39923bdc6be1dd8e788255f9575d.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp3459.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp3459.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2984
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2692"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2996
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2528
- - C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
    "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2932
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2612 -s 1576
      4⤵
      PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Process Discovery

1

T1057

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3459.tmp.bat

Filesize
256B

MD5
0b8004c7b1bd397e1b33f8217b4ef17a

SHA1
3c19f54df27cae0787f8456f05a44e626dd745ec

SHA256
ce6b24f9f66ac7564d7a360e9d3260d5b1ca9514e808728a88c04687a8aa8126

SHA512
6bca49d27dd06546195d007c50d6da9e5455b302b3affbeceabede820296f744a20ed43d082a6635aa872d2920319277a2e1a812e1cec4d0a486d72058e5d5ce

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe

Filesize
5.7MB

MD5
4685cc14b573164de4fb91315a6411ce

SHA1
ef14eee56ac6aec9b7b0c6bb71a926cf75720cfd

SHA256
304ef66a063c8d7f349e1ccae332c3d0671e39923bdc6be1dd8e788255f9575d

SHA512
850c5f86ca101ea63d005a04cba52336323c257d3bbc000e73cc6c5d115fb7da6372ccdcf265a76d8feb2322b412a320d031d9d66996ffcfed9d2c59b4e62686

Download Submit
\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
memory/2612-14-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp

Filesize
9.9MB

Download
memory/2612-15-0x00000000002E0000-0x0000000000890000-memory.dmp

Filesize
5.7MB

Download
memory/2612-18-0x0000000002490000-0x0000000002510000-memory.dmp

Filesize
512KB

Download
memory/2612-19-0x000007FEF50A0000-0x000007FEF5A8C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-0-0x0000000001330000-0x00000000018E0000-memory.dmp

Filesize
5.7MB

Download
memory/2692-1-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-6-0x000000001B4B0000-0x000000001B530000-memory.dmp

Filesize
512KB

Download
memory/2692-10-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

Filesize
9.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads