Overview

overview

10

Static

static

3

db874ae685...b2.exe

windows7-x64

10

db874ae685...b2.exe

windows10-2004-x64

10

Resubmissions

01-03-2024 15:41

240301-s46jpahe82 10

20-02-2024 02:32

240220-c1ct7sab38 10

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-02-2024 02:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    db874ae685d2bc4235b1213ec9d43d327c8d2bd12300bb0d78c9ce0a84c828b2.exe

  • Size

    5.6MB

  • MD5

    731812403191b60503e017d88e23b1a3

  • SHA1

    67e1c24ded75620181916dea9654eeddf4049525

  • SHA256

    db874ae685d2bc4235b1213ec9d43d327c8d2bd12300bb0d78c9ce0a84c828b2

  • SHA512

    1ae78e7d5e134d56ebbe9ec3e71bd7529aedbe5670a93b7728eca0aa482ac6688187884c5a61c2c8ef308acda555152d4d5cd2938d1cfa57303a8649803f01d5

  • SSDEEP

    98304:nsl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcR6m:nPOuK6mn9NzgMoYkSIvUcwti7TQlvciK

Score
10/10
milleniumratpersistenceratstealer

Malware Config

Signatures

  • MilleniumRat

    MilleniumRat is a remote access trojan written in C#.

    ratstealermilleniumrat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\db874ae685d2bc4235b1213ec9d43d327c8d2bd12300bb0d78c9ce0a84c828b2.exe
    "C:\Users\Admin\AppData\Local\Temp\db874ae685d2bc4235b1213ec9d43d327c8d2bd12300bb0d78c9ce0a84c828b2.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp828E.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp828E.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4180
      • C:\Windows\system32\tasklist.exe
        Tasklist /fi "PID eq 2088"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2132
      • C:\Windows\system32\find.exe
        find ":"
        3⤵
          PID:3516
        • C:\Windows\system32\timeout.exe
          Timeout /T 1 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:4940
        • C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
          "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4556
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2788
            • C:\Windows\system32\reg.exe
              reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
              5⤵
              • Adds Run key to start application
              • Modifies registry key
              PID:1136

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll
      Filesize

      1.7MB

      MD5

      65ccd6ecb99899083d43f7c24eb8f869

      SHA1

      27037a9470cc5ed177c0b6688495f3a51996a023

      SHA256

      aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

      SHA512

      533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp828E.tmp.bat
      Filesize

      256B

      MD5

      3eb690ca690c03dc67e02ccd216db36d

      SHA1

      4bddbabf7ba7cb4a35282255866124d871387bf0

      SHA256

      71f803827008f3948862e9aa86b98335a41a20eb9ad35bfccfcff1808e9bfef7

      SHA512

      f22e85c3ea2bc2725fe511f3cbd541330ea5b434fff5957f40f8871f2bbbfb0740aaaa7a7a6d00d9cf2bbb18ef02b9f64d6eeaf143d8d4dfc9a99c528f409d61

      Download Submit

    • C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
      Filesize

      1.4MB

      MD5

      32766b3644e5648eac3cb3e490a3ac12

      SHA1

      8d8283e034bf10e71fc61cecf52a829cf25aa2e0

      SHA256

      443ae2916230264161c44d30c2ead07be4cb395e9137c9650cc63d2db7a899ad

      SHA512

      8fb94a3f345336f381129e1cfbeca9f8467949fd593360b0912df8ef827adace5f9322dbd97a0d90d29d288edf07748402810b549e6082e658a6e4f9274c7d80

      Download Submit

    • C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
      Filesize

      896KB

      MD5

      ea7c3b637166567dad903baf077900b1

      SHA1

      fca3a65a3b5a5cb74a152f2c31d8932c33be1ebc

      SHA256

      a2479abcc63d8d451b1cf958c517c2681f3c26a45f2928c01053aed67961d5de

      SHA512

      d8120f4ad55f9de497f461cbee8a5a3d53263a8a5430ac23f8d5ec71e19d15350538e46529b508081ee4658f8cd64e4b89418adcbbd433009eeaa7417aba364a

      Download Submit

    • memory/2088-7-0x0000020DFC0B0000-0x0000020DFC0C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2088-8-0x0000020DFB6C0000-0x0000020DFB6DE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2088-6-0x00007FF8064A0000-0x00007FF806F61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2088-13-0x00007FF8064A0000-0x00007FF806F61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2088-5-0x0000020DFBEE0000-0x0000020DFBF56000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2088-0-0x0000020DF9420000-0x0000020DF99C0000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4556-17-0x00007FF8064A0000-0x00007FF806F61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4556-20-0x00000257B9C90000-0x00000257B9CA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4556-21-0x00007FF8064A0000-0x00007FF806F61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4556-22-0x00000257B9C90000-0x00000257B9CA0000-memory.dmp

      Filesize

      64KB

      Download