Analysis
- max time kernel: 99s
- max time network: 10s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 12-01-2021 18:00
Static task: static1
Behavioral task: behavioral1
- Sample: roomitinerary .cmd.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: roomitinerary .cmd.exe
- Resource: win10v20201028
General
- Target: roomitinerary .cmd.exe
- Size: 5.0MB
- MD5: 447a03ebc9cf49088d63a74a3f8f62cd
- SHA1: 70a68bdf6ccde6b60604d923043893448ac44f02
- SHA256: 944ea69a7adfffb602bdac56556138efc104f6ebeaa6bc9161eac4551ea8fb16
- SHA512: 1857b6e4e3eb966850e5d1446bf9657c4f833bf85ef0d68a22bc82042fceac4c09ae0fb44fad27e412e22130fa1468ee32b15287e8cbb5b24dab37ba5c38e963
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: roomitinerary .cmd.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\roomitinerary .cmd.exe\"" (process: roomitinerary .cmd.exe)
- AgentTesla Payload (11 IoCs)
  Processes (resource: yara_rule):
  - behavioral1/memory/1068-5-0x0000000000660000-0x0000000000739000-memory.dmp: family_agenttesla
  - behavioral1/memory/1068-6-0x0000000004650000-0x000000000471D000-memory.dmp: family_agenttesla
  - behavioral1/memory/1068-8-0x00000000009F0000-0x0000000000AA5000-memory.dmp: family_agenttesla
  - behavioral1/memory/1068-9-0x00000000083B0000-0x000000000845A000-memory.dmp: family_agenttesla
  - behavioral1/memory/1068-7-0x0000000006030000-0x00000000060F1000-memory.dmp: family_agenttesla
  - behavioral1/memory/1068-11-0x00000000085A0000-0x0000000008633000-memory.dmp: family_agenttesla
  - behavioral1/memory/1068-10-0x0000000008500000-0x000000000859F000-memory.dmp: family_agenttesla
  - behavioral1/memory/1068-12-0x0000000008640000-0x00000000086C8000-memory.dmp: family_agenttesla
  - behavioral1/memory/1068-13-0x00000000005D0000-0x000000000064D000-memory.dmp: family_agenttesla
  - behavioral1/memory/1068-14-0x00000000086D0000-0x0000000008742000-memory.dmp: family_agenttesla
  - behavioral1/memory/1068-15-0x0000000006100000-0x0000000006136000-memory.dmp: family_agenttesla
- Drops startup file (2 IoCs)
  Processes: roomitinerary .cmd.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\roomitinerary .cmd.exe (process: roomitinerary .cmd.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\roomitinerary .cmd.exe (process: roomitinerary .cmd.exe)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes: roomitinerary .cmd.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\roomitinerary .cmd.exe" (process: roomitinerary .cmd.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\roomitinerary .cmd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\roomitinerary .cmd.exe" (process: roomitinerary .cmd.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\CZVkY = "C:\\Users\\Admin\\AppData\\Roaming\\CZVkY\\CZVkY.exe" (process: roomitinerary .cmd.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: roomitinerary .cmd.exe
  - pid 1068: roomitinerary .cmd.exe
  - pid 1068: roomitinerary .cmd.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes: roomitinerary .cmd.exe
  - pid 1068: roomitinerary .cmd.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: roomitinerary .cmd.exe
  - Token: SeDebugPrivilege, pid 1068: roomitinerary .cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\roomitinerary .cmd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\roomitinerary .cmd.exe"
  PID: 1068
  - Modifies WinLogon for persistence
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads (memory dump, file size)
- memory/1068-2-0x0000000074EE0000-0x00000000755CE000-memory.dmp: 6.9MB
- memory/1068-3-0x0000000000AB0000-0x0000000000AB1000-memory.dmp: 4KB
- memory/1068-5-0x0000000000660000-0x0000000000739000-memory.dmp: 868KB
- memory/1068-6-0x0000000004650000-0x000000000471D000-memory.dmp: 820KB
- memory/1068-8-0x00000000009F0000-0x0000000000AA5000-memory.dmp: 724KB
- memory/1068-9-0x00000000083B0000-0x000000000845A000-memory.dmp: 680KB
- memory/1068-7-0x0000000006030000-0x00000000060F1000-memory.dmp: 772KB
- memory/1068-11-0x00000000085A0000-0x0000000008633000-memory.dmp: 588KB
- memory/1068-10-0x0000000008500000-0x000000000859F000-memory.dmp: 636KB
- memory/1068-12-0x0000000008640000-0x00000000086C8000-memory.dmp: 544KB
- memory/1068-13-0x00000000005D0000-0x000000000064D000-memory.dmp: 500KB
- memory/1068-14-0x00000000086D0000-0x0000000008742000-memory.dmp: 456KB
- memory/1068-15-0x0000000006100000-0x0000000006136000-memory.dmp: 216KB