milleniumrat | d89943cd164b8020c6524263625192dc0c0291eea871a427ea309f009cca30fc

General

Target

built-crypted.exe
Size

8.8MB
MD5

4ac9cec0cf0199ce79e3899a8d44db5b
SHA1

895da0ca4b3178037d53874d2298e22399e45b66
SHA256

d89943cd164b8020c6524263625192dc0c0291eea871a427ea309f009cca30fc
SHA512

1e5a6ba2ed32d21bc2c8f3568f3b405adb282c507924728943c8adf0f415663572c7e890dc27c4ca4964cbaeb26364f5553047ded3215fd2ecb5b14f68420be5
SSDEEP

196608:VL1FkRKr88QuE6QPB9MxtcnRNDqaSPiJmKRQMsyBVvB:hkco8BdQnMxKnrP01zyDvB

Score

10^/10

milleniumrat discovery persistence rat spyware stealer

Malware Config

Signatures

MilleniumRat
MilleniumRat is a remote access trojan written in C#.
rat stealer milleniumrat
Milleniumrat family
milleniumrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	built-crypted.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Update.exe

Executes dropped EXE 1 IoCs

pid	Process
1612	Update.exe

Loads dropped DLL 2 IoCs

pid	Process
2228	built-crypted.exe
1612	Update.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
10	raw.githubusercontent.com
11	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com
20	ip-api.com

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
4072	tasklist.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Update.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1472	timeout.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3308	reg.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
2228	built-crypted.exe
2228	built-crypted.exe
2228	built-crypted.exe
2228	built-crypted.exe
2228	built-crypted.exe
2228	built-crypted.exe
2228	built-crypted.exe
2228	built-crypted.exe
2228	built-crypted.exe
2228	built-crypted.exe
2228	built-crypted.exe
2228	built-crypted.exe
2228	built-crypted.exe
2228	built-crypted.exe
2228	built-crypted.exe
2228	built-crypted.exe
2228	built-crypted.exe
2228	built-crypted.exe
2228	built-crypted.exe
2228	built-crypted.exe
2228	built-crypted.exe
2228	built-crypted.exe
2228	built-crypted.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	built-crypted.exe
Token: SeDebugPrivilege	4072	tasklist.exe
Token: SeDebugPrivilege	1612	Update.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1612	Update.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2916	2228	built-crypted.exe	83
PID 2228 wrote to memory of 2916	2228	built-crypted.exe	83
PID 2916 wrote to memory of 4748	2916	cmd.exe	85
PID 2916 wrote to memory of 4748	2916	cmd.exe	85
PID 2916 wrote to memory of 4072	2916	cmd.exe	86
PID 2916 wrote to memory of 4072	2916	cmd.exe	86
PID 2916 wrote to memory of 2584	2916	cmd.exe	87
PID 2916 wrote to memory of 2584	2916	cmd.exe	87
PID 2916 wrote to memory of 1472	2916	cmd.exe	90
PID 2916 wrote to memory of 1472	2916	cmd.exe	90
PID 2916 wrote to memory of 1612	2916	cmd.exe	91
PID 2916 wrote to memory of 1612	2916	cmd.exe	91
PID 1612 wrote to memory of 3520	1612	Update.exe	93
PID 1612 wrote to memory of 3520	1612	Update.exe	93
PID 3520 wrote to memory of 3308	3520	cmd.exe	95
PID 3520 wrote to memory of 3308	3520	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\built-crypted.exe
"C:\Users\Admin\AppData\Local\Temp\built-crypted.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpAC6C.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpAC6C.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4748
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2228"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4072
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2584
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1472
- - C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
    "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3520
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Browser Information Discovery

Process Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAC6C.tmp.bat

Filesize
286B

MD5
99adfce5f7acf55e879bc7d44619fac2

SHA1
17ee60ba940e17d130dc90d4391081a0f3708483

SHA256
623886f7dc9c798ba35ff4d58a5b7efc88855eb8f95a3ba49e564689f473a789

SHA512
2b541e6d0c6a57ef06a77c2e36f4e6b8ec83a92114330c7630fb0aea6ec5e368953a77939579b57d215766594faa1ec37c9d2b2645ac728af4f4d6fa4ebac600

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe

Filesize
8.8MB

MD5
4ac9cec0cf0199ce79e3899a8d44db5b

SHA1
895da0ca4b3178037d53874d2298e22399e45b66

SHA256
d89943cd164b8020c6524263625192dc0c0291eea871a427ea309f009cca30fc

SHA512
1e5a6ba2ed32d21bc2c8f3568f3b405adb282c507924728943c8adf0f415663572c7e890dc27c4ca4964cbaeb26364f5553047ded3215fd2ecb5b14f68420be5

Download Submit
memory/1612-58-0x00007FF6B3CB0000-0x00007FF6B42BA000-memory.dmp

Filesize
6.0MB

Download
memory/1612-52-0x00000179F9120000-0x00000179F9132000-memory.dmp

Filesize
72KB

Download
memory/1612-33-0x00000179FB720000-0x00000179FBA4E000-memory.dmp

Filesize
3.2MB

Download
memory/1612-32-0x00000179F8F90000-0x00000179F8FB6000-memory.dmp

Filesize
152KB

Download
memory/1612-31-0x00000179F9160000-0x00000179F919A000-memory.dmp

Filesize
232KB

Download
memory/1612-29-0x00000179F9080000-0x00000179F90A2000-memory.dmp

Filesize
136KB

Download
memory/1612-28-0x00000179F90D0000-0x00000179F9120000-memory.dmp

Filesize
320KB

Download
memory/1612-27-0x00000179F8FD0000-0x00000179F9082000-memory.dmp

Filesize
712KB

Download
memory/1612-25-0x00000179F8F20000-0x00000179F8F8A000-memory.dmp

Filesize
424KB

Download
memory/2228-9-0x00007FFBC48C0000-0x00007FFBC5381000-memory.dmp

Filesize
10.8MB

Download
memory/2228-18-0x00007FFBC48C0000-0x00007FFBC5381000-memory.dmp

Filesize
10.8MB

Download
memory/2228-17-0x00007FF7FC540000-0x00007FF7FCB4A000-memory.dmp

Filesize
6.0MB

Download
memory/2228-13-0x000001F96CB90000-0x000001F96CB9A000-memory.dmp

Filesize
40KB

Download
memory/2228-12-0x00007FFBC48C0000-0x00007FFBC5381000-memory.dmp

Filesize
10.8MB

Download
memory/2228-11-0x000001F96CB70000-0x000001F96CB8E000-memory.dmp

Filesize
120KB

Download
memory/2228-10-0x00007FFBC48C0000-0x00007FFBC5381000-memory.dmp

Filesize
10.8MB

Download
memory/2228-0-0x000001F96A720000-0x000001F96ACC5000-memory.dmp

Filesize
5.6MB

Download
memory/2228-8-0x000001F96D3A0000-0x000001F96D416000-memory.dmp

Filesize
472KB

Download
memory/2228-7-0x00007FFBC48C0000-0x00007FFBC5381000-memory.dmp

Filesize
10.8MB

Download
memory/2228-2-0x000001F96DAB0000-0x000001F96E052000-memory.dmp

Filesize
5.6MB

Download
memory/2228-1-0x00007FFBC48C3000-0x00007FFBC48C5000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads