General
-
Target
New Text Document.txt
-
Size
257B
-
Sample
240508-sfxlwace47
-
MD5
b5c3b46dfdcee6ea4117fda406db0264
-
SHA1
0e2f711bedf7b0f95b001cbf98b6e46300443013
-
SHA256
9b46735c2fa7bf33c94b2b14734eee1c17655e25e5e6088b782815c1b985e452
-
SHA512
d1000229a49110ae83622416bd16983c8e6a8ecbd9ec5f66c6f7d06713463f473ec90b9f4f684a54f710a562143d319c1b31dcc7dded0c797c98f2d7a8e88310
Malware Config
Targets
-
-
Target
New Text Document.txt
-
Size
257B
-
MD5
b5c3b46dfdcee6ea4117fda406db0264
-
SHA1
0e2f711bedf7b0f95b001cbf98b6e46300443013
-
SHA256
9b46735c2fa7bf33c94b2b14734eee1c17655e25e5e6088b782815c1b985e452
-
SHA512
d1000229a49110ae83622416bd16983c8e6a8ecbd9ec5f66c6f7d06713463f473ec90b9f4f684a54f710a562143d319c1b31dcc7dded0c797c98f2d7a8e88310
Score10/10-
MilleniumRat
MilleniumRat is a remote access trojan written in C#.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Contacts a large (77172) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows
This may indicate a network scan to discover remotely running services.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Registers COM server for autorun
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Blocklisted process makes network request
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Mark of the Web detected: This indicates that the page was originally saved or cloned.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
1Service Execution
1Scheduled Task/Job
1Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1