Overview

overview

10

Static

static

3

Update.exe

windows7-x64

10

Update.exe

windows10-2004-x64

10

Update.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    10-11-2024 11:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Update.exe

  • Size

    5.6MB

  • MD5

    3d3c49dd5d13a242b436e0a065cd6837

  • SHA1

    e38a773ffa08452c449ca5a880d89cfad24b6f1b

  • SHA256

    e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf

  • SHA512

    dd0e590310392b0543d47a2d24d55f6f091ba59acc0d7ea533039ffb48f1b8938587889bcfa19b0538a62ba26fcde2172253860ceab34af40fd7bf65b6587b00

  • SSDEEP

    98304:nsl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcR6s:nPOuK6mn9NzgMoYkSIvUcwti7TQlvciY

Score
10/10
milleniumratdiscoverypersistenceratspywarestealer

Malware Config

Signatures

  • MilleniumRat

    MilleniumRat is a remote access trojan written in C#.

    ratstealermilleniumrat
  • Milleniumrat family
    milleniumrat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
    discovery
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Update.exe
    "C:\Users\Admin\AppData\Local\Temp\Update.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpCEC4.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpCEC4.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Windows\system32\tasklist.exe
        Tasklist /fi "PID eq 1732"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2876
      • C:\Windows\system32\find.exe
        find ":"
        3⤵
          PID:2888
        • C:\Windows\system32\timeout.exe
          Timeout /T 1 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:2740
        • C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
          "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2312
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2908
            • C:\Windows\system32\reg.exe
              reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
              5⤵
              • Adds Run key to start application
              • Modifies registry key
              PID:2188
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 2312 -s 1828
            4⤵
              PID:2600

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmpCEC4.tmp.bat
        Filesize

        256B

        MD5

        908ee73c85453eab2c4983049b2aafa6

        SHA1

        4e8700dbfaa4cf33c1950b768d73dede15c8b0d6

        SHA256

        f5e62a21cde4b154ab54b7c068ccc6a7745f1265eb2fe28848c8944821b834d8

        SHA512

        230b3e0af4e951f5bb95c2fdfff2df2d6295b50068dfc57a8eb65c43040621ec710053a81b29d36773c543de4e5d9a2d6d785541a19599ca8e65aa64b9c1c58a

        Download Submit

      • C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
        Filesize

        5.6MB

        MD5

        3d3c49dd5d13a242b436e0a065cd6837

        SHA1

        e38a773ffa08452c449ca5a880d89cfad24b6f1b

        SHA256

        e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf

        SHA512

        dd0e590310392b0543d47a2d24d55f6f091ba59acc0d7ea533039ffb48f1b8938587889bcfa19b0538a62ba26fcde2172253860ceab34af40fd7bf65b6587b00

        Download Submit

      • \Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll
        Filesize

        1.7MB

        MD5

        65ccd6ecb99899083d43f7c24eb8f869

        SHA1

        27037a9470cc5ed177c0b6688495f3a51996a023

        SHA256

        aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

        SHA512

        533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

        Download Submit

      • memory/1732-0-0x000007FEF4FD3000-0x000007FEF4FD4000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1732-1-0x0000000000C00000-0x00000000011A0000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1732-6-0x000007FEF4FD0000-0x000007FEF59BC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1732-9-0x000007FEF4FD0000-0x000007FEF59BC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2312-14-0x00000000010E0000-0x0000000001680000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2312-17-0x000000001B3C0000-0x000000001B42A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/2312-20-0x0000000000810000-0x0000000000835000-memory.dmp

        Filesize

        148KB

        Download