milleniumrat | 304ef66a063c8d7f349e1ccae332c3d0671e39923bdc6be1dd8e788255f9575d

General

Target

304ef66a063c8d7f349e1ccae332c3d0671e39923bdc6be1dd8e788255f9575d.exe
Size

5.7MB
MD5

4685cc14b573164de4fb91315a6411ce
SHA1

ef14eee56ac6aec9b7b0c6bb71a926cf75720cfd
SHA256

304ef66a063c8d7f349e1ccae332c3d0671e39923bdc6be1dd8e788255f9575d
SHA512

850c5f86ca101ea63d005a04cba52336323c257d3bbc000e73cc6c5d115fb7da6372ccdcf265a76d8feb2322b412a320d031d9d66996ffcfed9d2c59b4e62686
SSDEEP

98304:3sl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcR6T:3POuK6mn9NzgMoYkSIvUcwti7TQlvcin

Score

10^/10

milleniumrat persistence rat stealer

Malware Config

Signatures

MilleniumRat
MilleniumRat is a remote access trojan written in C#.
rat stealer milleniumrat

Executes dropped EXE 1 IoCs

pid	Process
2924	Update.exe

Loads dropped DLL 2 IoCs

pid	Process
1928	304ef66a063c8d7f349e1ccae332c3d0671e39923bdc6be1dd8e788255f9575d.exe
2924	Update.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com
10	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2076	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2732	tasklist.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1692	reg.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1928	304ef66a063c8d7f349e1ccae332c3d0671e39923bdc6be1dd8e788255f9575d.exe
1928	304ef66a063c8d7f349e1ccae332c3d0671e39923bdc6be1dd8e788255f9575d.exe
1928	304ef66a063c8d7f349e1ccae332c3d0671e39923bdc6be1dd8e788255f9575d.exe
2924	Update.exe
2924	Update.exe
2924	Update.exe
2924	Update.exe
2924	Update.exe
2924	Update.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1928	304ef66a063c8d7f349e1ccae332c3d0671e39923bdc6be1dd8e788255f9575d.exe
Token: SeDebugPrivilege	2732	tasklist.exe
Token: SeDebugPrivilege	2924	Update.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2924	Update.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2860	1928	304ef66a063c8d7f349e1ccae332c3d0671e39923bdc6be1dd8e788255f9575d.exe	29
PID 1928 wrote to memory of 2860	1928	304ef66a063c8d7f349e1ccae332c3d0671e39923bdc6be1dd8e788255f9575d.exe	29
PID 1928 wrote to memory of 2860	1928	304ef66a063c8d7f349e1ccae332c3d0671e39923bdc6be1dd8e788255f9575d.exe	29
PID 2860 wrote to memory of 2732	2860	cmd.exe	31
PID 2860 wrote to memory of 2732	2860	cmd.exe	31
PID 2860 wrote to memory of 2732	2860	cmd.exe	31
PID 2860 wrote to memory of 2392	2860	cmd.exe	32
PID 2860 wrote to memory of 2392	2860	cmd.exe	32
PID 2860 wrote to memory of 2392	2860	cmd.exe	32
PID 2860 wrote to memory of 2076	2860	cmd.exe	33
PID 2860 wrote to memory of 2076	2860	cmd.exe	33
PID 2860 wrote to memory of 2076	2860	cmd.exe	33
PID 2860 wrote to memory of 2924	2860	cmd.exe	34
PID 2860 wrote to memory of 2924	2860	cmd.exe	34
PID 2860 wrote to memory of 2924	2860	cmd.exe	34
PID 2924 wrote to memory of 2456	2924	Update.exe	36
PID 2924 wrote to memory of 2456	2924	Update.exe	36
PID 2924 wrote to memory of 2456	2924	Update.exe	36
PID 2456 wrote to memory of 1692	2456	cmd.exe	37
PID 2456 wrote to memory of 1692	2456	cmd.exe	37
PID 2456 wrote to memory of 1692	2456	cmd.exe	37
PID 2924 wrote to memory of 2944	2924	Update.exe	38
PID 2924 wrote to memory of 2944	2924	Update.exe	38
PID 2924 wrote to memory of 2944	2924	Update.exe	38

C:\Users\Admin\AppData\Local\Temp\304ef66a063c8d7f349e1ccae332c3d0671e39923bdc6be1dd8e788255f9575d.exe
"C:\Users\Admin\AppData\Local\Temp\304ef66a063c8d7f349e1ccae332c3d0671e39923bdc6be1dd8e788255f9575d.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp317C.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp317C.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1928"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2392
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2076
- - C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
    "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2456
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:1692
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2924 -s 1348
      4⤵
      PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Process Discovery

1

T1057

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp317C.tmp.bat

Filesize
256B

MD5
6ddfda0cd45f5bff89801f4e4f494552

SHA1
5f493ba3f4306dab5071361284c31a50ade3aa07

SHA256
ecdb33f4d2b6e9c2042ee8b610e1a5d8a6b5be296105d6bce0390aad1d8a76b1

SHA512
6296a5d85ec7e8d0fa179fbd109baf8faf5d1521531eae5271b7199c01c3ccbee2c6206b6a17b7850d7e55bce7ecd75742bfc53573af0dc4a18d78c667dc488e

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe

Filesize
5.7MB

MD5
4685cc14b573164de4fb91315a6411ce

SHA1
ef14eee56ac6aec9b7b0c6bb71a926cf75720cfd

SHA256
304ef66a063c8d7f349e1ccae332c3d0671e39923bdc6be1dd8e788255f9575d

SHA512
850c5f86ca101ea63d005a04cba52336323c257d3bbc000e73cc6c5d115fb7da6372ccdcf265a76d8feb2322b412a320d031d9d66996ffcfed9d2c59b4e62686

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe

Filesize
5.3MB

MD5
4d25d66a87237864c349a0270f74e633

SHA1
478c530a3a076db9e7ae513b03febf8ea92dcd0a

SHA256
11778a20806686af22d04bf5d978817c7441ed0c54c72390676a7643cd9e9012

SHA512
c70c342b1ca1e42f34a5ae06d4888a676d3ade827069f4fcacec159268c565a5fd54fc28bb1e98ecd426f2bbeb20eceaac9644f03d3d6e9d5ea1b56597ac380d

Download Submit
\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
memory/1928-0-0x0000000000A70000-0x0000000001020000-memory.dmp

Filesize
5.7MB

Download
memory/1928-1-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/1928-6-0x000000001B270000-0x000000001B2F0000-memory.dmp

Filesize
512KB

Download
memory/1928-10-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2924-14-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp

Filesize
9.9MB

Download
memory/2924-15-0x0000000000270000-0x0000000000820000-memory.dmp

Filesize
5.7MB

Download
memory/2924-18-0x000000001B470000-0x000000001B4F0000-memory.dmp

Filesize
512KB

Download
memory/2924-19-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp

Filesize
9.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads