milleniumrat | 9a09207752a0c69c07f5e9025d4be4837e42b92726668586e4d7cd838258327b

Resubmissions

01-03-2024 15:48

240301-s8texshf59 10

28-10-2023 08:48

231028-kqhlpshg43 10

Analysis

max time kernel
19s
max time network
24s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
01-03-2024 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.61938cbcbc6783b0bacce20cf948ebd0.exe
Size

5.3MB
MD5

61938cbcbc6783b0bacce20cf948ebd0
SHA1

f558733723faedb7b91acb82a31932dad9b880c1
SHA256

9a09207752a0c69c07f5e9025d4be4837e42b92726668586e4d7cd838258327b
SHA512

fd7c276839edeb162f17955f8d6681be0c51ae9577756830105dbd93ba68453cf9d7f23fb8e562e6449fcbce72c739096ebd239ba75d3cb12681d26c9be96ef4
SSDEEP

98304:mYVEl27OuKr+gvhf2Z9Nzm31PMogNuSZTKA0t9FFPEzlkqXf0FKp806Ucn:mOXOuK6mq9NzgMoIbk9fcpkSIKpb6Ucn

Score

10^/10

milleniumrat persistence rat spyware stealer

Malware Config

Signatures

MilleniumRat
MilleniumRat is a remote access trojan written in C#.
rat stealer milleniumrat

Executes dropped EXE 1 IoCs

pid	Process
4540	Update.exe

Loads dropped DLL 4 IoCs

pid	Process
4836	NEAS.61938cbcbc6783b0bacce20cf948ebd0.exe
4836	NEAS.61938cbcbc6783b0bacce20cf948ebd0.exe
4540	Update.exe
4540	Update.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe"	reg.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Update.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1992	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3372	tasklist.exe

Modifies registry key 1 TTPs 6 IoCs

Modify Registry

T1112

pid	Process
4648	reg.exe
1896	reg.exe
2308	reg.exe
404	reg.exe
4180	reg.exe
392	reg.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4836	NEAS.61938cbcbc6783b0bacce20cf948ebd0.exe
4836	NEAS.61938cbcbc6783b0bacce20cf948ebd0.exe
4836	NEAS.61938cbcbc6783b0bacce20cf948ebd0.exe
4836	NEAS.61938cbcbc6783b0bacce20cf948ebd0.exe
4836	NEAS.61938cbcbc6783b0bacce20cf948ebd0.exe
4836	NEAS.61938cbcbc6783b0bacce20cf948ebd0.exe
4836	NEAS.61938cbcbc6783b0bacce20cf948ebd0.exe
4836	NEAS.61938cbcbc6783b0bacce20cf948ebd0.exe
4836	NEAS.61938cbcbc6783b0bacce20cf948ebd0.exe
4836	NEAS.61938cbcbc6783b0bacce20cf948ebd0.exe
4836	NEAS.61938cbcbc6783b0bacce20cf948ebd0.exe
4836	NEAS.61938cbcbc6783b0bacce20cf948ebd0.exe
4836	NEAS.61938cbcbc6783b0bacce20cf948ebd0.exe
4836	NEAS.61938cbcbc6783b0bacce20cf948ebd0.exe
4836	NEAS.61938cbcbc6783b0bacce20cf948ebd0.exe
4836	NEAS.61938cbcbc6783b0bacce20cf948ebd0.exe
4836	NEAS.61938cbcbc6783b0bacce20cf948ebd0.exe
4836	NEAS.61938cbcbc6783b0bacce20cf948ebd0.exe
4836	NEAS.61938cbcbc6783b0bacce20cf948ebd0.exe
4540	Update.exe
4540	Update.exe
4540	Update.exe
4540	Update.exe
4540	Update.exe
4540	Update.exe
4540	Update.exe
4540	Update.exe
4540	Update.exe
4540	Update.exe
4540	Update.exe
4540	Update.exe
4540	Update.exe
4540	Update.exe
4540	Update.exe
4540	Update.exe
4540	Update.exe
4540	Update.exe
4540	Update.exe
4540	Update.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4836	NEAS.61938cbcbc6783b0bacce20cf948ebd0.exe
Token: SeDebugPrivilege	3372	tasklist.exe
Token: SeDebugPrivilege	4540	Update.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4540	Update.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 4272	4836	NEAS.61938cbcbc6783b0bacce20cf948ebd0.exe	82
PID 4836 wrote to memory of 4272	4836	NEAS.61938cbcbc6783b0bacce20cf948ebd0.exe	82
PID 4836 wrote to memory of 4564	4836	NEAS.61938cbcbc6783b0bacce20cf948ebd0.exe	84
PID 4836 wrote to memory of 4564	4836	NEAS.61938cbcbc6783b0bacce20cf948ebd0.exe	84
PID 4836 wrote to memory of 4776	4836	NEAS.61938cbcbc6783b0bacce20cf948ebd0.exe	86
PID 4836 wrote to memory of 4776	4836	NEAS.61938cbcbc6783b0bacce20cf948ebd0.exe	86
PID 4272 wrote to memory of 404	4272	cmd.exe	88
PID 4272 wrote to memory of 404	4272	cmd.exe	88
PID 4564 wrote to memory of 2308	4564	cmd.exe	89
PID 4564 wrote to memory of 2308	4564	cmd.exe	89
PID 4776 wrote to memory of 3372	4776	cmd.exe	90
PID 4776 wrote to memory of 3372	4776	cmd.exe	90
PID 4776 wrote to memory of 3440	4776	cmd.exe	91
PID 4776 wrote to memory of 3440	4776	cmd.exe	91
PID 4776 wrote to memory of 1992	4776	cmd.exe	93
PID 4776 wrote to memory of 1992	4776	cmd.exe	93
PID 4776 wrote to memory of 4540	4776	cmd.exe	94
PID 4776 wrote to memory of 4540	4776	cmd.exe	94
PID 4540 wrote to memory of 1908	4540	Update.exe	95
PID 4540 wrote to memory of 1908	4540	Update.exe	95
PID 4540 wrote to memory of 2236	4540	Update.exe	96
PID 4540 wrote to memory of 2236	4540	Update.exe	96
PID 2236 wrote to memory of 392	2236	cmd.exe	99
PID 2236 wrote to memory of 392	2236	cmd.exe	99
PID 1908 wrote to memory of 4180	1908	cmd.exe	100
PID 1908 wrote to memory of 4180	1908	cmd.exe	100
PID 4540 wrote to memory of 1704	4540	Update.exe	101
PID 4540 wrote to memory of 1704	4540	Update.exe	101
PID 4540 wrote to memory of 3348	4540	Update.exe	103
PID 4540 wrote to memory of 3348	4540	Update.exe	103
PID 1704 wrote to memory of 4648	1704	cmd.exe	105
PID 1704 wrote to memory of 4648	1704	cmd.exe	105
PID 3348 wrote to memory of 1896	3348	cmd.exe	106
PID 3348 wrote to memory of 1896	3348	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\NEAS.61938cbcbc6783b0bacce20cf948ebd0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.61938cbcbc6783b0bacce20cf948ebd0.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /f
    3⤵
    - Modifies registry key
    PID:404
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2308
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp6169.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp6169.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 4836"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3372
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3440
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1992
- - C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
    "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1908
    - - C:\Windows\system32\reg.exe
        
        reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /f
        5⤵
        Modifies registry key
        
        PID:4180
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:392
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1704
    - - C:\Windows\system32\reg.exe
        
        reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /f
        5⤵
        Modifies registry key
        
        PID:4648
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3348
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Costura\FA5FCDD5F58DD12E4C4C86CEAB16005F\64\sni.dll

Filesize
156KB

MD5
7f1799b65b98450a19e4d049e9d3e70d

SHA1
ec80c5a33374423a9e986c383a36a97da70a3584

SHA256
68705c4ef9ab818f2956a78e05f3fefce501a1448793b073b46110beb49b47d6

SHA512
8d67297c5cded487c88fcaad5a36e80926dad8f1863e38f397751056f51258ac7b5a9e5c09c01bba7a224f38fb2ee719586faf0ba81516e05a19649eb09e7b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\FA5FCDD5F58DD12E4C4C86CEAB16005F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6169.tmp.bat

Filesize
305B

MD5
a85e1812d5fa338ce2a4d78a0ede5757

SHA1
715e0d49ddeea90d433a2a35973e550d39eaaa74

SHA256
8aa3616c31a3203384a715497148d71668c336bfc8c17f8b57f2fe8ea48888b0

SHA512
ef3283c29f4a04041cb6f256a21dc55f263013584894fb60c39d6ad46c7daea215b228624b6a22ebaa322968a018c70eb833a6fa655187b644a9fde880a634f9

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe

Filesize
704KB

MD5
55faaca44910e21a065b29a2ee4228d2

SHA1
517ad832c08b4a3e004af4e2d69c0137170e3a67

SHA256
e2205dbb3cfd64e966e262c666e2e9a5c26df5f367d8c0058ff4258ae2d65e5b

SHA512
495c6a49f43a130f2f05f39725dea1aa65d490ebbeea37f707021b03b075fd834fb2fe73056d25e2ba698b83abf80f040d99e2c054bf3edb28b5f3fa5027d86f

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe

Filesize
128KB

MD5
f7be0fb6d28b7ff70fb6caa38f0641fa

SHA1
25324d3320a5a223116a4ba145375a040e7b468a

SHA256
0c8d3a7a7f507755540f9e2c87edf01448d1e38bf34597cadf291138e072cb0d

SHA512
81004a01a9e6f75bebcc833a14a4db05ce080c41ca8d7627f71c9b1a20d3b772d45a210af84241f8859a4a2f1fc72cf0b8a8ceaf67c6fb626970cc1217a809ca

Download Submit
memory/4540-30-0x000001E1B57E0000-0x000001E1B581A000-memory.dmp

Filesize
232KB

Download
memory/4540-27-0x000001E1B56F0000-0x000001E1B575A000-memory.dmp

Filesize
424KB

Download
memory/4540-54-0x00007FF901E60000-0x00007FF902922000-memory.dmp

Filesize
10.8MB

Download
memory/4540-52-0x000001E19BEB0000-0x000001E19BEC0000-memory.dmp

Filesize
64KB

Download
memory/4540-49-0x000001E1B5840000-0x000001E1B5852000-memory.dmp

Filesize
72KB

Download
memory/4540-31-0x000001E1B57A0000-0x000001E1B57C6000-memory.dmp

Filesize
152KB

Download
memory/4540-20-0x00007FF901E60000-0x00007FF902922000-memory.dmp

Filesize
10.8MB

Download
memory/4540-25-0x000001E19BEB0000-0x000001E19BEC0000-memory.dmp

Filesize
64KB

Download
memory/4540-26-0x000001E1B5670000-0x000001E1B567A000-memory.dmp

Filesize
40KB

Download
memory/4836-9-0x00000203EC560000-0x00000203EC5D6000-memory.dmp

Filesize
472KB

Download
memory/4836-0-0x00000203EA290000-0x00000203EA7E0000-memory.dmp

Filesize
5.3MB

Download
memory/4836-1-0x00007FF901DB0000-0x00007FF902872000-memory.dmp

Filesize
10.8MB

Download
memory/4836-11-0x00000203EAC80000-0x00000203EAC9E000-memory.dmp

Filesize
120KB

Download
memory/4836-10-0x00000203ED0D0000-0x00000203ED0E0000-memory.dmp

Filesize
64KB

Download
memory/4836-15-0x00007FF901DB0000-0x00007FF902872000-memory.dmp

Filesize
10.8MB

Download