Analysis
max time kernel: 30s
max time network: 24s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-11-2024 18:50
Static task: static1
Behavioral task: behavioral1
Sample: built_(2)-crypted.exe
Resource: win10v2004-20241007-en
General
Target: built_(2)-crypted.exe
Size: 5.7MB
MD5: 1d77998bb32b6b4e87adeb7d28542c51
SHA1: ae392f64f73e9b21392f56e1c7f1968da9666979
SHA256: 9ab8830c1b7528505b6c45002dfca7c2e02caf0d8d815e5d91eb4ffe0cbec32e
SHA512: 598f410c1af94db7998ea42128b0f46fd08c5672ed8a2082d20b938d40a788df74139f641d4cdb601b3c40e5459c4af293742c3150099350462f9d13f8d613c9
SSDEEP: 98304:Io/2m2FSt/pRdVbCIrvcLaYZhytyddAdkr/AB3yLakDO4XP2AQ5N3/MCJjq:r25F4bdkIDceYiUYKk9yNDO4XlQ59MCY
Malware Config
Signatures
- MilleniumRat
  MilleniumRat is a remote access trojan written in C#.
- Milleniumrat family
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  Description | IoC | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | built_(2)-crypted.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | Update.exe
- Executes dropped EXE (1 IoCs)
  PID | Process
  2356 | Update.exe
- Loads dropped DLL (2 IoCs)
  PID | Process
  4816 | built_(2)-crypted.exe
  2356 | Update.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Description | IoC | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe" | reg.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
  Flow | IoC
  17 | raw.githubusercontent.com
  19 | raw.githubusercontent.com
  27 | raw.githubusercontent.com
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow | IoC
  13 | ip-api.com
- Enumerates processes with tasklist (1 TTPs, 1 IoCs)
  PID | Process
  4700 | tasklist.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description | IoC | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Update.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | built_(2)-crypted.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chcp.com
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | find.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Description | IoC | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | Update.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Update.exe
- Delays execution with timeout.exe (1 IoCs)
  PID | Process
  3324 | timeout.exe
- Modifies registry key (1 TTPs, 1 IoCs)
  PID | Process
  2440 | reg.exe
- Suspicious behavior: EnumeratesProcesses (47 IoCs)
  PID | Process
  4816 | built_(2)-crypted.exe (23 entries)
  2356 | Update.exe (24 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Description | PID | Process
  Token: SeDebugPrivilege | 4816 | built_(2)-crypted.exe
  Token: SeDebugPrivilege | 4700 | tasklist.exe
  Token: SeDebugPrivilege | 2356 | Update.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  PID | Process
  2356 | Update.exe
- Suspicious use of WriteProcessMemory (24 IoCs; each of the eight entries below appears three times in the report)
  Description | PID | Process | procid_target
  PID 4816 wrote to memory of 4640 | 4816 | built_(2)-crypted.exe | 91
  PID 4640 wrote to memory of 4452 | 4640 | cmd.exe | 93
  PID 4640 wrote to memory of 4700 | 4640 | cmd.exe | 94
  PID 4640 wrote to memory of 408 | 4640 | cmd.exe | 95
  PID 4640 wrote to memory of 3324 | 4640 | cmd.exe | 96
  PID 4640 wrote to memory of 2356 | 4640 | cmd.exe | 99
  PID 2356 wrote to memory of 1932 | 2356 | Update.exe | 105
  PID 1932 wrote to memory of 2440 | 1932 | cmd.exe | 107
Processes (process tree; bracketed number is the depth in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\built_(2)-crypted.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\built_(2)-crypted.exe"
    PID: 4816
    - Checks computer location settings
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp9625.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp9625.tmp.bat
      PID: 4640
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\chcp.com
        Command line: chcp 65001
        PID: 4452
        - System Location Discovery: System Language Discovery

    [3] C:\Windows\SysWOW64\tasklist.exe
        Command line: Tasklist /fi "PID eq 4816"
        PID: 4700
        - Enumerates processes with tasklist
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\find.exe
        Command line: find ":"
        PID: 408
        - System Location Discovery: System Language Discovery

    [3] C:\Windows\SysWOW64\timeout.exe
        Command line: Timeout /T 1 /Nobreak
        PID: 3324
        - System Location Discovery: System Language Discovery
        - Delays execution with timeout.exe

    [3] C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
        Command line: "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"
        PID: 2356
        - Checks computer location settings
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
          PID: 1932
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\reg.exe
            Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
            PID: 2440
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Modifies registry key
Network
MITRE ATT&CK Enterprise v15 (number in parentheses is the count of matching signatures)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads

Filesize: 1.4MB
MD5: 6f2fdecc48e7d72ca1eb7f17a97e59ad
SHA1: fcbc8c4403e5c8194ee69158d7e70ee7dbd4c056
SHA256: 70e48ef5c14766f3601c97451b47859fddcbe7f237e1c5200cea8e7a7609d809
SHA512: fea98a3d6fff1497551dc6583dd92798dcac764070a350fd381e856105a6411c94effd4b189b7a32608ff610422b8dbd6d93393c5da99ee66d4569d45191dc8b

Filesize: 286B
MD5: 3a31b9f425535e17cff4f19973121d87
SHA1: d76955bd4bbfcc2bbeeb32899262434f427b969f
SHA256: 103acd764012b1179297b075d21ced19fe54e3985cf66358936dbe030c18d0d1
SHA512: fa0fec15568273c308592f3afb70b3f6c5879fc662611bf2b1995994f5af5919de5c0cb362a4ce994604bff3a6af94f6ffb5bec7b4a92337cac92f28668edb6b

Filesize: 5.7MB
MD5: 1d77998bb32b6b4e87adeb7d28542c51
SHA1: ae392f64f73e9b21392f56e1c7f1968da9666979
SHA256: 9ab8830c1b7528505b6c45002dfca7c2e02caf0d8d815e5d91eb4ffe0cbec32e
SHA512: 598f410c1af94db7998ea42128b0f46fd08c5672ed8a2082d20b938d40a788df74139f641d4cdb601b3c40e5459c4af293742c3150099350462f9d13f8d613c9