Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
10-11-2024 11:20
Static task
static1
Behavioral task
behavioral1
Sample
main.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
main.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
main.exe
Resource
win11-20241007-en
General
-
Target
main.exe
-
Size
5.6MB
-
MD5
3d3c49dd5d13a242b436e0a065cd6837
-
SHA1
e38a773ffa08452c449ca5a880d89cfad24b6f1b
-
SHA256
e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf
-
SHA512
dd0e590310392b0543d47a2d24d55f6f091ba59acc0d7ea533039ffb48f1b8938587889bcfa19b0538a62ba26fcde2172253860ceab34af40fd7bf65b6587b00
-
SSDEEP
98304:nsl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcR6s:nPOuK6mn9NzgMoYkSIvUcwti7TQlvciY
Malware Config
Signatures
-
MilleniumRat
MilleniumRat is a remote access trojan written in C#.
-
Milleniumrat family
-
Executes dropped EXE 1 IoCs
pid Process 2768 Update.exe -
Loads dropped DLL 2 IoCs
pid Process 2276 main.exe 2768 Update.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe" reg.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 10 raw.githubusercontent.com 6 raw.githubusercontent.com 7 raw.githubusercontent.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip-api.com -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 2720 tasklist.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Update.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Update.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2804 timeout.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 2692 reg.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 2276 main.exe 2276 main.exe 2276 main.exe 2768 Update.exe 2768 Update.exe 2768 Update.exe 2768 Update.exe 2768 Update.exe 2768 Update.exe 2768 Update.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2276 main.exe Token: SeDebugPrivilege 2720 tasklist.exe Token: SeDebugPrivilege 2768 Update.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2768 Update.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 2276 wrote to memory of 2664 2276 main.exe 32 PID 2276 wrote to memory of 2664 2276 main.exe 32 PID 2276 wrote to memory of 2664 2276 main.exe 32 PID 2664 wrote to memory of 2720 2664 cmd.exe 34 PID 2664 wrote to memory of 2720 2664 cmd.exe 34 PID 2664 wrote to memory of 2720 2664 cmd.exe 34 PID 2664 wrote to memory of 2772 2664 cmd.exe 35 PID 2664 wrote to memory of 2772 2664 cmd.exe 35 PID 2664 wrote to memory of 2772 2664 cmd.exe 35 PID 2664 wrote to memory of 2804 2664 cmd.exe 36 PID 2664 wrote to memory of 2804 2664 cmd.exe 36 PID 2664 wrote to memory of 2804 2664 cmd.exe 36 PID 2664 wrote to memory of 2768 2664 cmd.exe 37 PID 2664 wrote to memory of 2768 2664 cmd.exe 37 PID 2664 wrote to memory of 2768 2664 cmd.exe 37 PID 2768 wrote to memory of 2588 2768 Update.exe 38 PID 2768 wrote to memory of 2588 2768 Update.exe 38 PID 2768 wrote to memory of 2588 2768 Update.exe 38 PID 2588 wrote to memory of 2692 2588 cmd.exe 40 PID 2588 wrote to memory of 2692 2588 cmd.exe 40 PID 2588 wrote to memory of 2692 2588 cmd.exe 40 PID 2768 wrote to memory of 1240 2768 Update.exe 41 PID 2768 wrote to memory of 1240 2768 Update.exe 41 PID 2768 wrote to memory of 1240 2768 Update.exe 41
Processes
-
C:\Users\Admin\AppData\Local\Temp\main.exe"C:\Users\Admin\AppData\Local\Temp\main.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpE263.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpE263.tmp.bat2⤵
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 2276"3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2720
-
-
C:\Windows\system32\find.exefind ":"3⤵PID:2772
-
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak3⤵
- Delays execution with timeout.exe
PID:2804
-
-
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f4⤵
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f5⤵
- Adds Run key to start application
- Modifies registry key
PID:2692
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2768 -s 18284⤵PID:1240
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
256B
MD51bfc1ea8355e31e2704e2ccb0d20285c
SHA193bd6f6ebfeb10033859ec866a3129a397a154c5
SHA256712280053827c34b8ec0b08f7fe26b3afc08ef92785ff28496013d42bf874d81
SHA51278a6e4c78bc6318e1dd3b984fc3df01fc549f7d8e196e6bf89162b5d87dab3037ea2142f638cad3d3a8e20620d812f22b8cafdf594b1d4b0ca6ac9e37bfe7513
-
Filesize
5.6MB
MD53d3c49dd5d13a242b436e0a065cd6837
SHA1e38a773ffa08452c449ca5a880d89cfad24b6f1b
SHA256e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf
SHA512dd0e590310392b0543d47a2d24d55f6f091ba59acc0d7ea533039ffb48f1b8938587889bcfa19b0538a62ba26fcde2172253860ceab34af40fd7bf65b6587b00
-
Filesize
1.7MB
MD565ccd6ecb99899083d43f7c24eb8f869
SHA127037a9470cc5ed177c0b6688495f3a51996a023
SHA256aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4
SHA512533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d