Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
14-12-2024 12:06
Static task
static1
Behavioral task
behavioral1
Sample
a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe
Resource
win7-20241023-en
General
-
Target
a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe
-
Size
5.6MB
-
MD5
1d0701d8fdc16df25fa0249b59aab042
-
SHA1
6028426f7e0a712a1aeae28d986337aafae26abe
-
SHA256
a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9
-
SHA512
f1e2cf861b86af37094192c7d110640c630944cee00542c7133fce703584e4ed08a3dae76c0c1afd30c4890e66d482fcc17c1eeb434ec711586c7ff0130c9e17
-
SSDEEP
98304:tJRl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcA:tWOuK6mn9NzgMoYkSIvUcwti7TQlvciP
Malware Config
Extracted
gurcu
https://api.telegram.org/bot7733030005:AAEneIh4MdJeCVQCr4Pys9pel6q03FCPCi0/sendDocument?chat_id=7538374929&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb
https://api.telegram.org/bot7733030005:AAEneIh4MdJeCVQCr4Pys9pel6q03FCPCi0/sendMessage?chat_id=7538374929
https://api.telegram.org/bot7733030005:AAEneIh4MdJeCVQCr4Pys9pel6q03FCPCi0/getUpdates?offset=-
https://api.telegram.org/bot7733030005:AAEneIh4MdJeCVQCr4Pys9pel6q03FCPCi0/sendDocument?chat_id=7538374929&caption=%F0%9F%93%B8Screenshot%20take
Signatures
-
Gurcu family
-
MilleniumRat
MilleniumRat is a remote access trojan written in C#.
-
Milleniumrat family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe -
Executes dropped EXE 1 IoCs
pid Process 2064 Regkey.exe -
Loads dropped DLL 2 IoCs
pid Process 3156 a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe 2064 Regkey.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 13 raw.githubusercontent.com 21 raw.githubusercontent.com 11 raw.githubusercontent.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 ip-api.com -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 4944 tasklist.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Regkey.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Regkey.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2772 timeout.exe -
Suspicious behavior: EnumeratesProcesses 47 IoCs
pid Process 3156 a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe 3156 a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe 3156 a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe 3156 a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe 3156 a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe 3156 a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe 3156 a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe 3156 a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe 3156 a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe 3156 a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe 3156 a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe 3156 a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe 3156 a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe 3156 a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe 3156 a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe 3156 a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe 3156 a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe 3156 a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe 3156 a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe 3156 a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe 3156 a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe 3156 a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe 3156 a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe 2064 Regkey.exe 2064 Regkey.exe 2064 Regkey.exe 2064 Regkey.exe 2064 Regkey.exe 2064 Regkey.exe 2064 Regkey.exe 2064 Regkey.exe 2064 Regkey.exe 2064 Regkey.exe 2064 Regkey.exe 2064 Regkey.exe 2064 Regkey.exe 2064 Regkey.exe 2064 Regkey.exe 2064 Regkey.exe 2064 Regkey.exe 2064 Regkey.exe 2064 Regkey.exe 2064 Regkey.exe 2064 Regkey.exe 2064 Regkey.exe 2064 Regkey.exe 2064 Regkey.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3156 a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe Token: SeDebugPrivilege 4944 tasklist.exe Token: SeDebugPrivilege 2064 Regkey.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2064 Regkey.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3156 wrote to memory of 2468 3156 a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe 82 PID 3156 wrote to memory of 2468 3156 a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe 82 PID 2468 wrote to memory of 2580 2468 cmd.exe 84 PID 2468 wrote to memory of 2580 2468 cmd.exe 84 PID 2468 wrote to memory of 4944 2468 cmd.exe 85 PID 2468 wrote to memory of 4944 2468 cmd.exe 85 PID 2468 wrote to memory of 680 2468 cmd.exe 86 PID 2468 wrote to memory of 680 2468 cmd.exe 86 PID 2468 wrote to memory of 2772 2468 cmd.exe 88 PID 2468 wrote to memory of 2772 2468 cmd.exe 88 PID 2468 wrote to memory of 2064 2468 cmd.exe 89 PID 2468 wrote to memory of 2064 2468 cmd.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe"C:\Users\Admin\AppData\Local\Temp\a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3156 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpA5E5.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpA5E5.tmp.bat2⤵
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:2580
-
-
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 3156"3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4944
-
-
C:\Windows\system32\find.exefind ":"3⤵PID:680
-
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak3⤵
- Delays execution with timeout.exe
PID:2772
-
-
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Regkey.exe"C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Regkey.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2064
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD565ccd6ecb99899083d43f7c24eb8f869
SHA127037a9470cc5ed177c0b6688495f3a51996a023
SHA256aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4
SHA512533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d
-
Filesize
286B
MD5404a731958b60b6746f01947a706395b
SHA10c10447c12bda07c3acf685dee86a1cca6c16b4c
SHA2565907ce897fa03cf0c1b4739961d930f0741864e927a628c47793377b563b0c8e
SHA51273c7a48306bbc3e3cc9b1a54fded2f2135b650a9cd12f53d4b3d708f974af539fa059bc6d87d49919c73259a7ab3ed8fe483182dece79f75c2d7946948834b10
-
Filesize
5.6MB
MD51d0701d8fdc16df25fa0249b59aab042
SHA16028426f7e0a712a1aeae28d986337aafae26abe
SHA256a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9
SHA512f1e2cf861b86af37094192c7d110640c630944cee00542c7133fce703584e4ed08a3dae76c0c1afd30c4890e66d482fcc17c1eeb434ec711586c7ff0130c9e17