milleniumrat | db874ae685d2bc4235b1213ec9d43d327c8d2bd12300bb0d78c9ce0a84c828b2

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2024 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

conhost.exe
Size

5.6MB
MD5

731812403191b60503e017d88e23b1a3
SHA1

67e1c24ded75620181916dea9654eeddf4049525
SHA256

db874ae685d2bc4235b1213ec9d43d327c8d2bd12300bb0d78c9ce0a84c828b2
SHA512

1ae78e7d5e134d56ebbe9ec3e71bd7529aedbe5670a93b7728eca0aa482ac6688187884c5a61c2c8ef308acda555152d4d5cd2938d1cfa57303a8649803f01d5
SSDEEP

98304:nsl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcR6m:nPOuK6mn9NzgMoYkSIvUcwti7TQlvciK

Score

10^/10

milleniumrat persistence rat stealer

Malware Config

Signatures

MilleniumRat
MilleniumRat is a remote access trojan written in C#.
rat stealer milleniumrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

conhost.exeUpdate.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Update.exe

Executes dropped EXE 1 IoCs

Processes:

Update.exe

pid	Process
2088	Update.exe

Loads dropped DLL 2 IoCs

Processes:

conhost.exeUpdate.exe

pid	Process
4204	conhost.exe
2088	Update.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
8	raw.githubusercontent.com
10	raw.githubusercontent.com
22	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
2908	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

Processes:

tasklist.exe

pid	Process
4924	tasklist.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
4436	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

conhost.exeUpdate.exe

pid	Process
4204	conhost.exe
4204	conhost.exe
4204	conhost.exe
4204	conhost.exe
4204	conhost.exe
4204	conhost.exe
4204	conhost.exe
4204	conhost.exe
4204	conhost.exe
4204	conhost.exe
4204	conhost.exe
4204	conhost.exe
4204	conhost.exe
4204	conhost.exe
4204	conhost.exe
4204	conhost.exe
4204	conhost.exe
4204	conhost.exe
4204	conhost.exe
4204	conhost.exe
4204	conhost.exe
4204	conhost.exe
4204	conhost.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe
2088	Update.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

conhost.exetasklist.exeUpdate.exe

description	pid	Process
Token: SeDebugPrivilege	4204	conhost.exe
Token: SeDebugPrivilege	4924	tasklist.exe
Token: SeDebugPrivilege	2088	Update.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Update.exe

pid	Process
2088	Update.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

conhost.execmd.exeUpdate.execmd.exe

description	pid	Process	procid_target
PID 4204 wrote to memory of 512	4204	conhost.exe	85
PID 4204 wrote to memory of 512	4204	conhost.exe	85
PID 512 wrote to memory of 4924	512	cmd.exe	87
PID 512 wrote to memory of 4924	512	cmd.exe	87
PID 512 wrote to memory of 3188	512	cmd.exe	88
PID 512 wrote to memory of 3188	512	cmd.exe	88
PID 512 wrote to memory of 2908	512	cmd.exe	89
PID 512 wrote to memory of 2908	512	cmd.exe	89
PID 512 wrote to memory of 2088	512	cmd.exe	90
PID 512 wrote to memory of 2088	512	cmd.exe	90
PID 2088 wrote to memory of 1560	2088	Update.exe	92
PID 2088 wrote to memory of 1560	2088	Update.exe	92
PID 1560 wrote to memory of 4436	1560	cmd.exe	93
PID 1560 wrote to memory of 4436	1560	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\conhost.exe
"C:\Users\Admin\AppData\Local\Temp\conhost.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5C97.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5C97.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:512
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 4204"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4924
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3188
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2908
- - C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
    "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1560
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5C97.tmp.bat

Filesize
256B

MD5
8e8e47d3e5e8a0c6704ef4d9a1d57ae4

SHA1
a15e0c87feb0e7cfd7c63c05844713f2f6083e68

SHA256
0148648cd4dd8aefd87f4e85146fc4c4b62148e2f81e2fa0b773e67ce29a0a27

SHA512
57d5e7712cc73b27c77c98747ce6e19d23754d0122ad6d0ce41cef6f58c4b5b86c0902fd75dfb5c39ef0f53f1c5b50518e743f1543d83786e85813e7274b7aa4

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe

Filesize
5.6MB

MD5
731812403191b60503e017d88e23b1a3

SHA1
67e1c24ded75620181916dea9654eeddf4049525

SHA256
db874ae685d2bc4235b1213ec9d43d327c8d2bd12300bb0d78c9ce0a84c828b2

SHA512
1ae78e7d5e134d56ebbe9ec3e71bd7529aedbe5670a93b7728eca0aa482ac6688187884c5a61c2c8ef308acda555152d4d5cd2938d1cfa57303a8649803f01d5

Download Submit
memory/2088-22-0x00000202E1FD0000-0x00000202E1FE0000-memory.dmp

Filesize
64KB

Download
memory/2088-21-0x00007FFBCA4F0000-0x00007FFBCAFB1000-memory.dmp

Filesize
10.8MB

Download
memory/2088-20-0x00000202E1FD0000-0x00000202E1FE0000-memory.dmp

Filesize
64KB

Download
memory/2088-17-0x00007FFBCA4F0000-0x00007FFBCAFB1000-memory.dmp

Filesize
10.8MB

Download
memory/4204-6-0x0000022F430D0000-0x0000022F43146000-memory.dmp

Filesize
472KB

Download
memory/4204-12-0x00007FFBCA4F0000-0x00007FFBCAFB1000-memory.dmp

Filesize
10.8MB

Download
memory/4204-8-0x0000022F29070000-0x0000022F2908E000-memory.dmp

Filesize
120KB

Download
memory/4204-7-0x0000022F43160000-0x0000022F43170000-memory.dmp

Filesize
64KB

Download
memory/4204-0-0x0000022F28690000-0x0000022F28C30000-memory.dmp

Filesize
5.6MB

Download
memory/4204-1-0x00007FFBCA4F0000-0x00007FFBCAFB1000-memory.dmp

Filesize
10.8MB

Download