Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
30-09-2024 12:39
Static task
static1
Behavioral task
behavioral1
Sample
built.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
built.exe
Resource
win10v2004-20240802-en
General
-
Target
built.exe
-
Size
5.6MB
-
MD5
5480b8e0625d39560ae2bc4a329bd423
-
SHA1
eb3102cbc197dd4217c7d6efb73fb0bec6678410
-
SHA256
1b4e425b91b6469138cf882685b3c369e10d81b6ac3cbf46bc1e01dafac03c1a
-
SHA512
454271aa8d02427fadfb30c4874e6f293aa0e4f5ae4d008889d82bb5122b1c6352e7860600c8c051f76030437d91cdc5235a3158175dbad7343156264b3340a7
-
SSDEEP
98304:c24l27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Uc:cYOuK6mn9NzgMoYkSIvUcwti7TQlvciE
Malware Config
Signatures
-
MilleniumRat
MilleniumRat is a remote access trojan written in C#.
-
Loads dropped DLL 1 IoCs
Processes:
built.exepid process 2124 built.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\built.exe" reg.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
built.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 built.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier built.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
built.exepid process 2124 built.exe 2124 built.exe 2124 built.exe 2124 built.exe 2124 built.exe 2124 built.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
built.exedescription pid process Token: SeDebugPrivilege 2124 built.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
built.exepid process 2124 built.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
built.execmd.exedescription pid process target process PID 2124 wrote to memory of 2884 2124 built.exe cmd.exe PID 2124 wrote to memory of 2884 2124 built.exe cmd.exe PID 2124 wrote to memory of 2884 2124 built.exe cmd.exe PID 2884 wrote to memory of 2732 2884 cmd.exe reg.exe PID 2884 wrote to memory of 2732 2884 cmd.exe reg.exe PID 2884 wrote to memory of 2732 2884 cmd.exe reg.exe PID 2124 wrote to memory of 2668 2124 built.exe WerFault.exe PID 2124 wrote to memory of 2668 2124 built.exe WerFault.exe PID 2124 wrote to memory of 2668 2124 built.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\built.exe"C:\Users\Admin\AppData\Local\Temp\built.exe"1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\built.exe /f2⤵
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\built.exe /f3⤵
- Adds Run key to start application
- Modifies registry key
PID:2732
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2124 -s 19922⤵PID:2668
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD565ccd6ecb99899083d43f7c24eb8f869
SHA127037a9470cc5ed177c0b6688495f3a51996a023
SHA256aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4
SHA512533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d