Analysis

max time kernel: 142s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-05-2024 20:42
Behavioral tasks

- behavioral1: RocketTitles.zip (win10v2004-20240419-en)
- behavioral2: Guna.UI2.dll (win10v2004-20240419-en)
- behavioral3: Newtonsoft.Json.dll (win10v2004-20240419-en)
- behavioral4: Newtonsoft.Json.xml (win10v2004-20240419-en)
- behavioral5: RocketTitles.exe (win10v2004-20240226-en)
- behavioral6: RocketTitles.exe.config (win10v2004-20240426-en)
- behavioral7: RocketTitles.pdb (win10v2004-20240426-en)

The signatures, YARA hits and process tree below all come from behavioral5 (RocketTitles.exe). The files submitted alongside it are the Guna.UI2 WinForms UI library, the Newtonsoft.Json library and its XML documentation, and the executable's own .config and .pdb (debug symbols).
General

Target: RocketTitles.exe
Size: 464KB
MD5: d01895f1bcb893f652d14a63403d8e99
SHA1: 9dd910e9c32719ba86b3b1d9da7d9037c5cfd6d8
SHA256: 8269ab6c110238c609466167f327de678c926cb5df8e40355918cd256f2aa59a
SHA512: 6cb47c51a823d7683330fa4cbc38315fef10cbd6199b1841a72afaa983093f00e102029bad7bd41d2b4c06d20615dd873f8d7abe62eeb92b58d7f725055dae3c
SSDEEP: 12288:27nT0Qq3DUyTfvqCT/4k2QjqGpNBOewDld:2bTUDR3qCr4khqGrUtDld
Malware Config

Extracted family: umbral
C2 (Discord webhook): https://discord.com/api/webhooks/1236047504458518648/JQRxvzCGg9gVDBGAsCh4Y7lt6-VpyZJcpy_w2pc8Qwt0sZVsg3Znypp4Lv0kPFzHxpM9

Umbral Stealer reports over a Discord webhook instead of a dedicated C2 server, so this URL is the network indicator the config extractor recovered. The numeric path segment is the webhook ID and the trailing string is the token; anyone holding the full URL can post to the webhook, so the token is the secret part.
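To turn the extracted webhook into something a responder can act on, here is an added example (not the sandbox's code and not Umbral's) that parses the URL into webhook ID and token, decodes the creation time Discord encodes in the ID (a snowflake: milliseconds since 2015-01-01T00:00:00Z in the bits above bit 22), and prints a redacted record. The config line is the one on this page; the regular expression, helper names and the `delete_url` field are this example's own assumptions.

```python
import re
from datetime import datetime, timezone

# The config line recovered by the sandbox, as printed on this page.
EXTRACTED_CONFIG = (
    "umbral https://discord.com/api/webhooks/1236047504458518648/"
    "JQRxvzCGg9gVDBGAsCh4Y7lt6-VpyZJcpy_w2pc8Qwt0sZVsg3Znypp4Lv0kPFzHxpM9"
)

# Discord snowflakes store milliseconds since 2015-01-01T00:00:00Z in the
# bits above bit 22; the low 22 bits are worker/process/sequence counters.
DISCORD_EPOCH_MS = 1_420_070_400_000

# Webhook URL forms Discord accepts: discord.com or discordapp.com, optional
# subdomain (canary., ptb.), a 17-20 digit ID, then a URL-safe token.
WEBHOOK_RE = re.compile(
    r"https://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/(\d{17,20})/([\w-]+)"
)


def snowflake_created_at(snowflake):
    """Decode the creation timestamp embedded in a Discord snowflake ID."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def redact_token(token, keep=4):
    """Keep a short prefix so the IoC can be shared without the secret."""
    return token[:keep] + "..." if len(token) > keep else token


def parse_webhooks(text):
    """Return one record per Discord webhook URL found in text."""
    records = []
    for hook_id, token in WEBHOOK_RE.findall(text):
        hook_id = int(hook_id)
        records.append({
            "id": hook_id,
            "token": token,
            "created_at": snowflake_created_at(hook_id),
            # Same path with the DELETE verb removes the webhook; it needs no
            # account because the token itself is the credential.
            "delete_url": f"https://discord.com/api/webhooks/{hook_id}/{token}",
        })
    return records


if __name__ == "__main__":
    for rec in parse_webhooks(EXTRACTED_CONFIG):
        print(f"webhook id   : {rec['id']}")
        print(f"created (UTC): {rec['created_at'].isoformat()}")
        print(f"token        : {redact_token(rec['token'])}")
        print(f"takedown     : DELETE {rec['delete_url']}")
```

Running this shows the webhook was created on 2024-05-03, the same day the sample was submitted (the page does not state the submission timestamp's timezone). Match detection content on the webhook ID rather than the full URL, since the ID survives a token rotation, and treat the token as a credential when the report is shared.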
Signatures

AgentTesla
Agent Tesla is a .NET-based remote access tool and information stealer (its early versions were written in Visual Basic .NET).

Detect Umbral payload (2 IoCs)
- behavioral5/files/0x000600000001da1e-19.dat: YARA rule family_umbral
- behavioral5/memory/4300-21-0x000001868C670000-0x000001868C6B0000-memory.dmp: YARA rule family_umbral (PID 4300, mac_1.bat)

AgentTesla payload (1 IoC)
- behavioral5/memory/4900-7-0x0000000005B40000-0x0000000005D54000-memory.dmp: YARA rule family_agenttesla (PID 4900, RocketTitles.exe)

Two families are present. The Agent Tesla rule matches memory of the parent RocketTitles.exe, while the Umbral rule matches a dropped file and the memory of mac_1.bat, the child it launches; the extracted Discord webhook above belongs to the Umbral component.
Downloads MZ/PE file (no IoC listed)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (RocketTitles.exe)

Executes dropped EXE (3 IoCs)
- PID 4300 mac_1.bat
- PID 3780 mac_1.bat
- PID 1332 mac_1.bat
The dropped file carries a .bat extension but runs as its own process image rather than under cmd.exe, so it is a PE with a misleading name; it is the process whose memory the Umbral YARA rule matches.

Drops file in Windows directory (4 IoCs)
- File created: C:\Windows\IME\macspoof.exe (RocketTitles.exe)
- File created: C:\Windows\mac_1.bat (RocketTitles.exe)
- File opened for modification: C:\Windows\IME\macspoof.exe (RocketTitles.exe)
- File opened for modification: C:\Windows\mac_1.bat (RocketTitles.exe)
Writing under C:\Windows needs an elevated token, which the sandbox's Admin user provides; on a standard-user host this drop stage would fail. macspoof.exe is written but never appears in the process tree.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (RocketTitles.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (RocketTitles.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion (RocketTitles.exe)
The BIOS manufacturer and version strings serve both as a host fingerprint and as a common check for virtual machines.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 4900 RocketTitles.exe (listed twice)
Suspicious use of AdjustPrivilegeToken (64 IoCs; the listing is capped at 64 entries, so the last wmic.exe list is cut off)
- SeDebugPrivilege: PID 4900 RocketTitles.exe
- SeDebugPrivilege: PID 4300 mac_1.bat
- PID 2256 wmic.exe, the following sequence twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- SeDebugPrivilege: PID 3780 mac_1.bat
- PID 520 wmic.exe: the same sequence from SeIncreaseQuotaPrivilege through SeManageVolumePrivilege, then 33, 34 (cut off by the cap)
The numeric entries are privilege LUIDs the sandbox did not resolve to names (33 SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege, 36 SeDelegateSessionUserImpersonatePrivilege). The long wmic.exe lists are the privileges WMIC enables in its own token on every launch and show up for any WMIC invocation; the entries worth attention are SeDebugPrivilege enabled by RocketTitles.exe and by each mac_1.bat instance.
Suspicious use of WriteProcessMemory (12 IoCs)
- PID 4900 RocketTitles.exe wrote to memory of 4300 mac_1.bat (procid_target 104, twice)
- PID 4300 mac_1.bat wrote to memory of 2256 wmic.exe (procid_target 105, twice)
- PID 4900 RocketTitles.exe wrote to memory of 3780 mac_1.bat (procid_target 108, twice)
- PID 3780 mac_1.bat wrote to memory of 520 wmic.exe (procid_target 109, twice)
- PID 4900 RocketTitles.exe wrote to memory of 1332 mac_1.bat (procid_target 111, twice)
- PID 1332 mac_1.bat wrote to memory of 4908 wmic.exe (procid_target 112, twice)
Every target is the writer's own freshly created child, so these writes are consistent with ordinary process start-up rather than injection into an unrelated process; the parent/child pairs match the process tree below exactly.
Processes

- C:\Users\Admin\AppData\Local\Temp\RocketTitles.exe (PID 4900)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RocketTitles.exe"
  Signatures: Checks computer location settings; Drops file in Windows directory; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\mac_1.bat (PID 4300)
    Command line: "C:\Windows\mac_1.bat"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\wmic.exe (PID 2256)
      Command line: "wmic.exe" csproduct get uuid
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\mac_1.bat (PID 3780)
    Command line: "C:\Windows\mac_1.bat"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\wmic.exe (PID 520)
      Command line: "wmic.exe" csproduct get uuid
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\mac_1.bat (PID 1332)
    Command line: "C:\Windows\mac_1.bat"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\wmic.exe (PID 4908)
      Command line: "wmic.exe" csproduct get uuid
- C:\Windows\system32\notepad.exe (PID 4996)
  Command line: "C:\Windows\system32\notepad.exe"
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4256)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8

RocketTitles.exe launches the dropped mac_1.bat three times, and each instance immediately runs wmic csproduct get uuid, which returns the machine's SMBIOS UUID; stealers use that value as a per-victim hardware ID and, in some families, to recognise well-known virtual-machine UUIDs. The dropped macspoof.exe is never executed during the run. The top-level notepad.exe and msedge.exe processes carry no signatures and are not children of the sample; they are most likely sandbox background activity.
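The process tree above is the signal a detection engineer would encode. The following added example (not part of the report and not the sandbox's own signature logic) reconstructs the tree as Sysmon-style process-create and file-create records and runs three rules over them: a PE launched under a script extension, a csproduct get uuid query from a non-shell parent, and a user-profile binary writing into the Windows directory. The PIDs and paths are the page's; the event records themselves, the benign control record, the field names and the parent allowlist are this example's assumptions.

```python
import ntpath
import re

# Constructed Sysmon-style events rebuilt from this report's process tree and
# 'Drops file in Windows directory' IoCs (eid 1 = process create, eid 11 =
# file create). PIDs and paths are the page's; the records are hand-built.
EVENTS = [
    {"eid": 1, "pid": 4900, "ppid": 9999,
     "image": r"C:\Users\Admin\AppData\Local\Temp\RocketTitles.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\RocketTitles.exe"'},
    {"eid": 11, "pid": 4900, "target": r"C:\Windows\IME\macspoof.exe"},
    {"eid": 11, "pid": 4900, "target": r"C:\Windows\mac_1.bat"},
    {"eid": 1, "pid": 4300, "ppid": 4900, "image": r"C:\Windows\mac_1.bat",
     "cmd": r'"C:\Windows\mac_1.bat"'},
    {"eid": 1, "pid": 2256, "ppid": 4300,
     "image": r"C:\Windows\System32\Wbem\wmic.exe",
     "cmd": '"wmic.exe" csproduct get uuid'},
    {"eid": 1, "pid": 3780, "ppid": 4900, "image": r"C:\Windows\mac_1.bat",
     "cmd": r'"C:\Windows\mac_1.bat"'},
    {"eid": 1, "pid": 520, "ppid": 3780,
     "image": r"C:\Windows\System32\Wbem\wmic.exe",
     "cmd": '"wmic.exe" csproduct get uuid'},
    # Benign control (constructed): an admin runs the same query from cmd.exe.
    {"eid": 1, "pid": 7000, "ppid": 6000,
     "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"eid": 1, "pid": 7001, "ppid": 7000,
     "image": r"C:\Windows\System32\Wbem\wmic.exe",
     "cmd": "wmic csproduct get uuid"},
]

# Extensions a legitimately launched process image ends in. Batch files run
# under cmd.exe, so an Image ending in .bat is a PE with a misleading name.
PE_EXTENSIONS = {".exe", ".com", ".scr", ".pif"}

# Parents from which a WMIC hardware query is routine (assumed allowlist;
# tune to your environment).
WMIC_PARENT_ALLOWLIST = {
    r"c:\windows\system32\cmd.exe",
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
}

UUID_QUERY = re.compile(r"csproduct\s+get\s+uuid", re.IGNORECASE)


def index_processes(events):
    """pid -> process-create event, so parents can be resolved by ppid."""
    return {e["pid"]: e for e in events if e["eid"] == 1}


def ancestry(procs, pid):
    """Image path of pid and of each ancestor present in the log, child first."""
    chain = []
    while pid in procs:
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return chain


def pe_masquerading_as_script(events):
    """Rule 1: a process image whose extension is not a PE extension."""
    procs = index_processes(events)
    return [(p["pid"], p["image"]) for p in procs.values()
            if ntpath.splitext(p["image"])[1].lower() not in PE_EXTENSIONS]


def wmic_uuid_from_unexpected_parent(events):
    """Rule 2: 'csproduct get uuid' (SMBIOS UUID, a common hardware-ID and
    VM check) spawned by anything other than an interactive shell."""
    procs = index_processes(events)
    hits = []
    for p in procs.values():
        if not UUID_QUERY.search(p["cmd"]):
            continue
        parent = procs.get(p["ppid"])
        parent_image = parent["image"].lower() if parent else ""
        if parent_image not in WMIC_PARENT_ALLOWLIST:
            hits.append((p["pid"], ancestry(procs, p["pid"])))
    return hits


def user_profile_process_writes_to_windows(events):
    """Rule 3: a binary running from a user profile creates a file under the
    Windows directory (needs an elevated token; this is the drop stage)."""
    procs = index_processes(events)
    hits = []
    for e in events:
        if e["eid"] != 11:
            continue
        writer = procs.get(e["pid"])
        if (writer and "\\appdata\\" in writer["image"].lower()
                and e["target"].lower().startswith("c:\\windows\\")):
            hits.append((writer["pid"], writer["image"], e["target"]))
    return hits


if __name__ == "__main__":
    for pid, image in pe_masquerading_as_script(EVENTS):
        print(f"[PE with script extension] pid {pid}: {image}")
    for pid, chain in wmic_uuid_from_unexpected_parent(EVENTS):
        print(f"[wmic uuid query] pid {pid}: " + " <- ".join(chain))
    for pid, image, target in user_profile_process_writes_to_windows(EVENTS):
        print(f"[drop into Windows dir] pid {pid} {image} -> {target}")
```

Rules 1 and 2 fire on both mac_1.bat instances and their wmic.exe children but not on the constructed cmd.exe control, and Rule 3 fires on the two file drops. A real Sysmon feed carries ParentImage on each event, so the ppid walk is only needed when you want the full chain for alert context; it also requires the ancestors' create events to be in the same window.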
Downloads

- Filesize: 1KB
  MD5: 8094b248fe3231e48995c2be32aeb08c
  SHA1: 2fe06e000ebec919bf982d033c5d1219c1f916b6
  SHA256: 136c30d964f4abbb5279bdc86d0e00578333782f15f05f0d2d050730dcb7a9bc
  SHA512: bf27a3822008796370e2c506c910a40992b9240606ea1bc19f683b2fee86b81897660ac0cf8e746ca093dae9e408949e2e9002ded75678a69f020d3b0452801f
- Filesize: 229KB
  MD5: dd294f4a30b78637d2de6ae794442508
  SHA1: 2f28200fb482bb7f280ecde35070b8bf181900ef
  SHA256: a89f3d297cbac8b605cd554dd0ea7891c7fcff9e63c7c22810d1c8121fd128b1
  SHA512: cc4343ab3d9dc6f6eb8312a28df24442280144d3c54fe3fca65412b6285ae98c264a67a70a86b1fd73418bee535ea5adbe968e7b48a40ad833beaabf459d7bf5

The report does not say which dropped artifacts these two downloads correspond to; match them by hash against C:\Windows\mac_1.bat and C:\Windows\IME\macspoof.exe before using them as file indicators.