Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08-11-2024 19:56
Static task
static1
Behavioral task
behavioral1
Sample
Update.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
Update.exe
Resource
win10v2004-20241007-en
General
-
Target
Update.exe
-
Size
5.6MB
-
MD5
f668e23b162b29408d106d7e33026df4
-
SHA1
f3a67a810ab1b737c3f63ee9556feee17516a6dc
-
SHA256
982007b8100703183c8b4715a57be7129a3b6c695ff971afedfaf3cdef509e7c
-
SHA512
bcda79e81dfcdd017b06137c7f6b8286492b161f6b7bf028c60e28481160120f695e1351d2ba0b967e3468e13e39388b539623d17ee734b2d5ba46db1da550bf
-
SSDEEP
98304:jitl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Uc:jzOuK6mn9NzgMoYkSIvUcwti7TQlvciE
Malware Config
Extracted
gurcu
https://api.telegram.org/bot8120686609:AAFFbHJYN8XNfebk9woXGBYglnP_6w4ugW0/sendDocument?chat_id=-4597951127&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb
https://api.telegram.org/bot8120686609:AAFFbHJYN8XNfebk9woXGBYglnP_6w4ugW0/sendMessage?chat_id=-4597951127
https://api.telegram.org/bot8120686609:AAFFbHJYN8XNfebk9woXGBYglnP_6w4ugW0/getUpdates?offset=-
https://api.telegram.org/bot8120686609:AAFFbHJYN8XNfebk9woXGBYglnP_6w4ugW0/sendDocument?chat_id=-4597951127&caption=%F0%9F%93%B8Screenshot%20take
Signatures
-
Gurcu family
-
MilleniumRat
MilleniumRat is a remote access trojan written in C#.
-
Milleniumrat family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation Update.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation Update.exe -
Executes dropped EXE 1 IoCs
pid Process 4616 Update.exe -
Loads dropped DLL 2 IoCs
pid Process 2156 Update.exe 4616 Update.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe" reg.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 9 raw.githubusercontent.com 10 raw.githubusercontent.com 20 raw.githubusercontent.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 5 ip-api.com -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 1468 tasklist.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Update.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Update.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 4316 timeout.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 3488 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2156 Update.exe 2156 Update.exe 2156 Update.exe 2156 Update.exe 2156 Update.exe 2156 Update.exe 2156 Update.exe 2156 Update.exe 2156 Update.exe 2156 Update.exe 2156 Update.exe 2156 Update.exe 2156 Update.exe 2156 Update.exe 2156 Update.exe 2156 Update.exe 2156 Update.exe 2156 Update.exe 2156 Update.exe 2156 Update.exe 2156 Update.exe 2156 Update.exe 2156 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe 4616 Update.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2156 Update.exe Token: SeDebugPrivilege 1468 tasklist.exe Token: SeDebugPrivilege 4616 Update.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4616 Update.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2156 wrote to memory of 3280 2156 Update.exe 93 PID 2156 wrote to memory of 3280 2156 Update.exe 93 PID 3280 wrote to memory of 2600 3280 cmd.exe 95 PID 3280 wrote to memory of 2600 3280 cmd.exe 95 PID 3280 wrote to memory of 1468 3280 cmd.exe 97 PID 3280 wrote to memory of 1468 3280 cmd.exe 97 PID 3280 wrote to memory of 4184 3280 cmd.exe 98 PID 3280 wrote to memory of 4184 3280 cmd.exe 98 PID 3280 wrote to memory of 4316 3280 cmd.exe 100 PID 3280 wrote to memory of 4316 3280 cmd.exe 100 PID 3280 wrote to memory of 4616 3280 cmd.exe 101 PID 3280 wrote to memory of 4616 3280 cmd.exe 101 PID 4616 wrote to memory of 4548 4616 Update.exe 107 PID 4616 wrote to memory of 4548 4616 Update.exe 107 PID 4548 wrote to memory of 3488 4548 cmd.exe 109 PID 4548 wrote to memory of 3488 4548 cmd.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\Update.exe"C:\Users\Admin\AppData\Local\Temp\Update.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD9E5.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpD9E5.tmp.bat2⤵
- Suspicious use of WriteProcessMemory
PID:3280 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:2600
-
-
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 2156"3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1468
-
-
C:\Windows\system32\find.exefind ":"3⤵PID:4184
-
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak3⤵
- Delays execution with timeout.exe
PID:4316
-
-
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f4⤵
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f5⤵
- Adds Run key to start application
- Modifies registry key
PID:3488
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD583c6657d5c97604293de3be7cb049812
SHA1049e9604e0dab53524bdbdb9459f6026df675468
SHA256cc0829436efefdd39837147e213e968d549f35faa2e519e0a038731e4711368a
SHA5126a814aeb121606355776d864f41dc62a311a151a33eff8593a24dc0748f86519f4f9391525d1eb3d161d3f976dda3470d5c2c2abd63d888b36c0b3822c91a9f5
-
Filesize
1.7MB
MD565ccd6ecb99899083d43f7c24eb8f869
SHA127037a9470cc5ed177c0b6688495f3a51996a023
SHA256aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4
SHA512533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d
-
Filesize
286B
MD5bb9e8fae86d3417f63e2eb5fa0d788a8
SHA120f38731ce0496742cb23da6943ab50b9f07a870
SHA256ce76da5840b492537fa3fbdbf79435c731ab1c19933916728bae9b7860a05204
SHA512988d8a3f078012201566095cddc0e411fab52ff539b3e575c5f31f28412daf30d7cbbc4454dbc8b0e5628d2cbfd068c3f4f162e5fcf6a8a58178c913c902022c
-
Filesize
5.6MB
MD5f668e23b162b29408d106d7e33026df4
SHA1f3a67a810ab1b737c3f63ee9556feee17516a6dc
SHA256982007b8100703183c8b4715a57be7129a3b6c695ff971afedfaf3cdef509e7c
SHA512bcda79e81dfcdd017b06137c7f6b8286492b161f6b7bf028c60e28481160120f695e1351d2ba0b967e3468e13e39388b539623d17ee734b2d5ba46db1da550bf