milleniumrat | d89943cd164b8020c6524263625192dc0c0291eea871a427ea309f009cca30fc

General

Target

built-crypted.exe
Size

8.8MB
MD5

4ac9cec0cf0199ce79e3899a8d44db5b
SHA1

895da0ca4b3178037d53874d2298e22399e45b66
SHA256

d89943cd164b8020c6524263625192dc0c0291eea871a427ea309f009cca30fc
SHA512

1e5a6ba2ed32d21bc2c8f3568f3b405adb282c507924728943c8adf0f415663572c7e890dc27c4ca4964cbaeb26364f5553047ded3215fd2ecb5b14f68420be5
SSDEEP

196608:VL1FkRKr88QuE6QPB9MxtcnRNDqaSPiJmKRQMsyBVvB:hkco8BdQnMxKnrP01zyDvB

Score

10^/10

milleniumrat discovery persistence rat spyware stealer

Malware Config

Signatures

MilleniumRat
MilleniumRat is a remote access trojan written in C#.
rat stealer milleniumrat
Milleniumrat family
milleniumrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	built-crypted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Update.exe

Executes dropped EXE 1 IoCs

pid	Process
3148	Update.exe

Loads dropped DLL 2 IoCs

pid	Process
4372	built-crypted.exe
3148	Update.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
17	raw.githubusercontent.com
29	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
2428	tasklist.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Update.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3304	timeout.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3192	reg.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
4372	built-crypted.exe
4372	built-crypted.exe
4372	built-crypted.exe
4372	built-crypted.exe
4372	built-crypted.exe
4372	built-crypted.exe
4372	built-crypted.exe
4372	built-crypted.exe
4372	built-crypted.exe
4372	built-crypted.exe
4372	built-crypted.exe
4372	built-crypted.exe
4372	built-crypted.exe
4372	built-crypted.exe
4372	built-crypted.exe
4372	built-crypted.exe
4372	built-crypted.exe
4372	built-crypted.exe
4372	built-crypted.exe
4372	built-crypted.exe
4372	built-crypted.exe
4372	built-crypted.exe
4372	built-crypted.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe
3148	Update.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4372	built-crypted.exe
Token: SeDebugPrivilege	2428	tasklist.exe
Token: SeDebugPrivilege	3148	Update.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3148	Update.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 3348	4372	built-crypted.exe	84
PID 4372 wrote to memory of 3348	4372	built-crypted.exe	84
PID 3348 wrote to memory of 3868	3348	cmd.exe	86
PID 3348 wrote to memory of 3868	3348	cmd.exe	86
PID 3348 wrote to memory of 2428	3348	cmd.exe	87
PID 3348 wrote to memory of 2428	3348	cmd.exe	87
PID 3348 wrote to memory of 3444	3348	cmd.exe	88
PID 3348 wrote to memory of 3444	3348	cmd.exe	88
PID 3348 wrote to memory of 3304	3348	cmd.exe	91
PID 3348 wrote to memory of 3304	3348	cmd.exe	91
PID 3348 wrote to memory of 3148	3348	cmd.exe	92
PID 3348 wrote to memory of 3148	3348	cmd.exe	92
PID 3148 wrote to memory of 4092	3148	Update.exe	101
PID 3148 wrote to memory of 4092	3148	Update.exe	101
PID 4092 wrote to memory of 3192	4092	cmd.exe	103
PID 4092 wrote to memory of 3192	4092	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\built-crypted.exe
"C:\Users\Admin\AppData\Local\Temp\built-crypted.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpEA50.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpEA50.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3348
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3868
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 4372"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2428
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3444
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3304
- - C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
    "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3148
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4092
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:3192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Browser Information Discovery

Process Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEA50.tmp.bat

Filesize
286B

MD5
d71d77a261d22b5e7026e73fc60da84e

SHA1
ff89d656caa174327bd180c8abe6be8f6b5ae634

SHA256
b3d0433eb4de561a73ee670a52671ab132de5a8ecd33214f780eb55368bae0f6

SHA512
54da88be842a3d52e0165ba1a7412bad37b18ccaace0388d72e73198e12e9f070d182f3a9dd2a2d557e61a4ec011ee81000d863d489425b48d4018c8c2fd3aa4

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe

Filesize
8.8MB

MD5
4ac9cec0cf0199ce79e3899a8d44db5b

SHA1
895da0ca4b3178037d53874d2298e22399e45b66

SHA256
d89943cd164b8020c6524263625192dc0c0291eea871a427ea309f009cca30fc

SHA512
1e5a6ba2ed32d21bc2c8f3568f3b405adb282c507924728943c8adf0f415663572c7e890dc27c4ca4964cbaeb26364f5553047ded3215fd2ecb5b14f68420be5

Download Submit
memory/3148-60-0x00007FF706B30000-0x00007FF70713A000-memory.dmp

Filesize
6.0MB

Download
memory/3148-54-0x000001CE74390000-0x000001CE743A2000-memory.dmp

Filesize
72KB

Download
memory/3148-35-0x000001CE76090000-0x000001CE763BE000-memory.dmp

Filesize
3.2MB

Download
memory/3148-34-0x000001CE74260000-0x000001CE74286000-memory.dmp

Filesize
152KB

Download
memory/3148-33-0x000001CE74330000-0x000001CE7436A000-memory.dmp

Filesize
232KB

Download
memory/3148-31-0x000001CE74300000-0x000001CE74322000-memory.dmp

Filesize
136KB

Download
memory/3148-30-0x000001CE742B0000-0x000001CE74300000-memory.dmp

Filesize
320KB

Download
memory/3148-29-0x000001CE741B0000-0x000001CE74262000-memory.dmp

Filesize
712KB

Download
memory/3148-27-0x000001CE74140000-0x000001CE741AA000-memory.dmp

Filesize
424KB

Download
memory/4372-9-0x00007FFA71810000-0x00007FFA722D1000-memory.dmp

Filesize
10.8MB

Download
memory/4372-10-0x00000252B2740000-0x00000252B275E000-memory.dmp

Filesize
120KB

Download
memory/4372-20-0x00007FFA71810000-0x00007FFA722D1000-memory.dmp

Filesize
10.8MB

Download
memory/4372-15-0x00007FFA71810000-0x00007FFA722D1000-memory.dmp

Filesize
10.8MB

Download
memory/4372-14-0x00007FFA71813000-0x00007FFA71815000-memory.dmp

Filesize
8KB

Download
memory/4372-13-0x00000252CAF40000-0x00000252CAF4A000-memory.dmp

Filesize
40KB

Download
memory/4372-12-0x00007FFA71810000-0x00007FFA722D1000-memory.dmp

Filesize
10.8MB

Download
memory/4372-19-0x00007FF6F5B50000-0x00007FF6F615A000-memory.dmp

Filesize
6.0MB

Download
memory/4372-11-0x00007FFA71810000-0x00007FFA722D1000-memory.dmp

Filesize
10.8MB

Download
memory/4372-0-0x00000252B0340000-0x00000252B08E5000-memory.dmp

Filesize
5.6MB

Download
memory/4372-8-0x00000252CAFC0000-0x00000252CB036000-memory.dmp

Filesize
472KB

Download
memory/4372-7-0x00007FFA71810000-0x00007FFA722D1000-memory.dmp

Filesize
10.8MB

Download
memory/4372-2-0x00000252CB4F0000-0x00000252CBA92000-memory.dmp

Filesize
5.6MB

Download
memory/4372-1-0x00007FFA71813000-0x00007FFA71815000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads