milleniumrat | 11e21fbd77f65c83f97c0c2b38c8cd394d5c96fe780188e5c94d400346b49798

General

Target

db874ae685d2bc4235b1213ec9d43d327c8d2bd12300bb0d78c9ce0a84c828b2.exe
Size

5.6MB
MD5

731812403191b60503e017d88e23b1a3
SHA1

67e1c24ded75620181916dea9654eeddf4049525
SHA256

db874ae685d2bc4235b1213ec9d43d327c8d2bd12300bb0d78c9ce0a84c828b2
SHA512

1ae78e7d5e134d56ebbe9ec3e71bd7529aedbe5670a93b7728eca0aa482ac6688187884c5a61c2c8ef308acda555152d4d5cd2938d1cfa57303a8649803f01d5
SSDEEP

98304:nsl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcR6m:nPOuK6mn9NzgMoYkSIvUcwti7TQlvciK

Score

10^/10

milleniumrat persistence rat stealer

Malware Config

Signatures

MilleniumRat
MilleniumRat is a remote access trojan written in C#.
rat stealer milleniumrat

Executes dropped EXE 1 IoCs

pid	Process
2576	Update.exe

Loads dropped DLL 2 IoCs

pid	Process
2856	db874ae685d2bc4235b1213ec9d43d327c8d2bd12300bb0d78c9ce0a84c828b2.exe
2576	Update.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com
10	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2812	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2712	tasklist.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2756	reg.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2856	db874ae685d2bc4235b1213ec9d43d327c8d2bd12300bb0d78c9ce0a84c828b2.exe
2856	db874ae685d2bc4235b1213ec9d43d327c8d2bd12300bb0d78c9ce0a84c828b2.exe
2576	Update.exe
2576	Update.exe
2576	Update.exe
2576	Update.exe
2576	Update.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	db874ae685d2bc4235b1213ec9d43d327c8d2bd12300bb0d78c9ce0a84c828b2.exe
Token: SeDebugPrivilege	2712	tasklist.exe
Token: SeDebugPrivilege	2576	Update.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2576	Update.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2608	2856	db874ae685d2bc4235b1213ec9d43d327c8d2bd12300bb0d78c9ce0a84c828b2.exe	29
PID 2856 wrote to memory of 2608	2856	db874ae685d2bc4235b1213ec9d43d327c8d2bd12300bb0d78c9ce0a84c828b2.exe	29
PID 2856 wrote to memory of 2608	2856	db874ae685d2bc4235b1213ec9d43d327c8d2bd12300bb0d78c9ce0a84c828b2.exe	29
PID 2608 wrote to memory of 2712	2608	cmd.exe	31
PID 2608 wrote to memory of 2712	2608	cmd.exe	31
PID 2608 wrote to memory of 2712	2608	cmd.exe	31
PID 2608 wrote to memory of 2740	2608	cmd.exe	32
PID 2608 wrote to memory of 2740	2608	cmd.exe	32
PID 2608 wrote to memory of 2740	2608	cmd.exe	32
PID 2608 wrote to memory of 2812	2608	cmd.exe	33
PID 2608 wrote to memory of 2812	2608	cmd.exe	33
PID 2608 wrote to memory of 2812	2608	cmd.exe	33
PID 2608 wrote to memory of 2576	2608	cmd.exe	34
PID 2608 wrote to memory of 2576	2608	cmd.exe	34
PID 2608 wrote to memory of 2576	2608	cmd.exe	34
PID 2576 wrote to memory of 624	2576	Update.exe	35
PID 2576 wrote to memory of 624	2576	Update.exe	35
PID 2576 wrote to memory of 624	2576	Update.exe	35
PID 624 wrote to memory of 2756	624	cmd.exe	37
PID 624 wrote to memory of 2756	624	cmd.exe	37
PID 624 wrote to memory of 2756	624	cmd.exe	37
PID 2576 wrote to memory of 2924	2576	Update.exe	38
PID 2576 wrote to memory of 2924	2576	Update.exe	38
PID 2576 wrote to memory of 2924	2576	Update.exe	38

C:\Users\Admin\AppData\Local\Temp\db874ae685d2bc4235b1213ec9d43d327c8d2bd12300bb0d78c9ce0a84c828b2.exe
"C:\Users\Admin\AppData\Local\Temp\db874ae685d2bc4235b1213ec9d43d327c8d2bd12300bb0d78c9ce0a84c828b2.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7A9C.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp7A9C.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2856"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2740
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2812
- - C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
    "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:624
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2756
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2576 -s 1684
      4⤵
      PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Process Discovery

1

T1057

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
796KB

MD5
2959ebe37a3d40d41476fed4c258dde6

SHA1
4559d9bb42dfa054cc6381e96d933460a39c73a7

SHA256
e09682ae21edbfa085934504cf4419694b7c62421bfba6dd81e3e2aa1834654b

SHA512
7d36d13a457b31c2d3269e156dcd04eab101f5b3a13bddc0d1de14e2e5deafb2fab33e5c44747bdd288ab539e8b556ecd35a664b77c97ec63f1b16f04aaf7d9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7A9C.tmp.bat

Filesize
256B

MD5
31217e9d8b739714b69a1986fdb5778d

SHA1
bdb9a0c4447252dd4500981d2b4efdb47233c797

SHA256
d8b540f589ff06e332f5600fae9a94e71973431fbdfda0f16714c53a2547c2da

SHA512
6bb9ed74fd7fe861525820eea2812b2bd4aefdcee327f11b34d89bee522ff204fea9b5e412e4f4521ef784d9fb6d3f81af59628f5fb34122a5b9a10d0ff2e116

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe

Filesize
1.1MB

MD5
6a7e7f806c5fe4031f78c8f6e8fc2d92

SHA1
78bc1ce44d339fcf462c7f9fb40d4a3aed552365

SHA256
23162740d91412bff0b4b511053883a075ea52d7cef41fb0a8a706e7844840f5

SHA512
76da29c1a5def53c88b27673231efd3547f183ec2058bd50c4247ddb9d868e0f9d8af1acf33b14b2d84350ea5a8170a1bf9eda83c776991788651c3ed6a1741e

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe

Filesize
887KB

MD5
3191b83f79a52b3932c7cef34db4bbfe

SHA1
b1822ac52ba950a461febcacfdf79099263f0add

SHA256
55fe859530bafb7a8e4a51ca976d5554028fdfa4bc3a9a9878d0fc5f86fd38f0

SHA512
201b20bd14122a57f75af1ebd41bf434eeea4db47f2b7e1569c544427fe5328aa88f13da4f25473d46fb69da3fc6e18e3e480d3959ac5a9a63b8f4ac04e4368f

Download Submit
\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
823KB

MD5
39385867e29289c2fee670972268817e

SHA1
f8d28b44245be48ce1edf927466655814628111b

SHA256
facaf084975e59273abd098c09af497802115e77d9e18d70953423f9d9b2118f

SHA512
342a3c73743573b0648f8fad6a105a1e452b64196e3150252d346b95c31d67a61d910c29067b93e76124d3bdf3baae7b5eaab39030b027925b659b2ccda892bb

Download Submit
\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.2MB

MD5
bec9cba4193191e9f495c3f2801661bc

SHA1
88f952ac8e2f9971181f6e26395978df83dc7e47

SHA256
3bca9c9f50fc02445ef562a6d73f444385afd5a2b719f02bd742e6b9d2627d5a

SHA512
9c1321e57caa68525beed816589902179ccf3d7ba0fc7a3a7190a9c9fc7d7ead06a8d048c95d006fc0f8023050ba9fc4812b4970b32e65361365fd0ca5c424d6

Download Submit
memory/2576-14-0x000007FEF5110000-0x000007FEF5AFC000-memory.dmp

Filesize
9.9MB

Download
memory/2576-17-0x000000001B520000-0x000000001B5A0000-memory.dmp

Filesize
512KB

Download
memory/2576-18-0x000007FEF5110000-0x000007FEF5AFC000-memory.dmp

Filesize
9.9MB

Download
memory/2856-6-0x000000001B540000-0x000000001B5C0000-memory.dmp

Filesize
512KB

Download
memory/2856-9-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2856-0-0x0000000000F20000-0x00000000014C0000-memory.dmp

Filesize
5.6MB

Download
memory/2856-1-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads