Analysis
Max time kernel: 138s
Max time network: 141s
Platform: windows10_x64
Resource: win10v200430
Submitted: 30-06-2020 12:13
Static task: static1
Behavioral task: behavioral1
  Sample: Inquiry109346pdf.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: Inquiry109346pdf.exe
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
The signatures, process tree and dropped files below come from the behavioral2 run (windows10_x64, win10v200430), matching the platform and resource in the Analysis block.
General
Target: Inquiry109346pdf.exe
Size: 680KB
MD5: c2d53f65e668bb1506452442d406cd35
SHA1: db8e154de49341d553960463de1ef7aa845d30ce
SHA256: eb071bd316e6c178749f622d90124be85a871aea6f87b3f6786e302f6e98a6a5
SHA512: 298f540825b0b19cae883b6738b070d12ed4d1be029ea0cbf99e1e7178ceaae88b4ea0f82fbf2a01af52edaad9400389d49646e19774b524c3a0ceaf6502324a
Score: 7/10
Malware Config
Signatures

Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 3572 (Inquiry109346pdf.exe) set thread context of PID 2660 (ieinstal.exe)
Together with the five WriteProcessMemory calls below and the fact that ieinstal.exe is a child of the dropper, this is the classic RunPE / process-hollowing pattern: the payload is written into a legitimately signed Microsoft binary from Program Files and execution is redirected into it with SetThreadContext. Any later activity (hooks, DLL loads, browser-data access) therefore appears to come from ieinstal.exe, not from the sample.

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  PID 2660 (ieinstal.exe)
The hook is installed from the hollowed ieinstal.exe, not from the dropper. SetWindowsHookEx is a common keylogging primitive (WH_KEYBOARD / WH_KEYBOARD_LL); the report does not record which hook type was used.

Loads dropped DLL (6 IoCs)
Processes:
  PID 2660 (ieinstal.exe), six DLL loads; the files are listed under Downloads

Adds Run entry to start application (2 TTPs, 1 IoC)
Processes:
  Inquiry109346pdf.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xasm = "C:\\Users\\Admin\\AppData\\Local\\Xasm\\Xasm.hta"
The persistence payload is an HTML Application (.hta) in %LOCALAPPDATA%, which Windows runs through mshta.exe at logon, rather than the dropper itself. A Run value whose data is a script file in a user-writable directory is a strong hunting indicator on its own.

Reads user/profile data of web browsers (2 TTPs)
Infostealers commonly target stored browser data, including saved credentials, cookies and autofill entries. The Mozilla NSS libraries dropped to %TEMP% (freebl3.dll, mozglue.dll, nss3.dll, softokn3.dll, see Downloads) are the usual dependency a stealer stages to decrypt Firefox's saved logins outside the browser.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)
No IoC is recorded for this signature in the report.

Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  PID 3572 (Inquiry109346pdf.exe) wrote to memory of PID 2660 (ieinstal.exe), 5 times
Processes

1. Inquiry109346pdf.exe (PID 3572)
   Image: C:\Users\Admin\AppData\Local\Temp\Inquiry109346pdf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Inquiry109346pdf.exe"
   - Suspicious use of SetThreadContext
   - Adds Run entry to start application
   - Suspicious use of WriteProcessMemory

   2. ieinstal.exe (PID 2660), child of 1
      Image: C:\Program Files (x86)\internet explorer\ieinstal.exe
      Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      - Suspicious use of SetWindowsHookEx
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

Dropped files (all in %TEMP%):
  \Users\Admin\AppData\Local\Temp\freebl3.dll
  \Users\Admin\AppData\Local\Temp\mozglue.dll
  \Users\Admin\AppData\Local\Temp\msvcp140.dll
  \Users\Admin\AppData\Local\Temp\nss3.dll
  \Users\Admin\AppData\Local\Temp\softokn3.dll
  \Users\Admin\AppData\Local\Temp\vcruntime140.dll
freebl3.dll, mozglue.dll, nss3.dll and softokn3.dll are Mozilla's NSS cryptographic libraries, the set needed to call NSS outside Firefox; msvcp140.dll and vcruntime140.dll are the Visual C++ 2015 runtime they depend on. Their presence in %TEMP% next to a process that is not Firefox is the indicator, not the individual files, which are legitimate binaries.

Memory dumps (PID 2660, ieinstal.exe):
  memory/2660-0-0x0000000000400000-0x0000000000553000-memory.dmp (1.3MB)
  memory/2660-1-0x0000000000405907-mapping.dmp
  memory/2660-2-0x0000000000400000-0x0000000000553000-memory.dmp (1.3MB)
The 0x00400000-0x00553000 region is the image that PID 3572 wrote into ieinstal.exe before redirecting its thread; these dumps, not the 680KB dropper on disk, are the place to look for the unpacked payload.
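The report records three independent behaviours that a detection engineer would want to correlate rather than alert on one at a time: the dropper in %TEMP% writing memory into, and setting the thread context of, a child ieinstal.exe from Program Files (Signatures and Processes above); a Run key pointing at an .hta in %LOCALAPPDATA%; and the Mozilla NSS library set appearing in %TEMP% (Downloads). The script below is an added example and is not sandbox output or code from the sample. It encodes those three checks as rules over a hand-constructed, Sysmon-like event list built from the report's values; the event schema (`event`, `pid`, `ppid`, `image`, `target`, `api`, `key`, `data`, `path`) is an assumption for the example, not a real Sysmon or Triage format, and the parent PID of the dropper is invented because the report does not record it.

```python
"""Correlate the behaviours in this report against Sysmon-style events.

Added example for this page, not output of the sandbox or code from the
sample. EVENTS is constructed by hand from the report's process tree,
signatures and dropped-file list in a simplified, Sysmon-like shape; the
field names are an assumed schema, not a real Sysmon or Triage format.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# A process in a user-writable directory that writes into, and redirects
# the thread of, a Microsoft binary under Program Files is the RunPE /
# process-hollowing pattern the report shows against ieinstal.exe.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)
TRUSTED_DIRS = re.compile(r"^C:\\(Program Files( \(x86\))?|Windows)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
# Script payloads in a Run key (the report's Xasm.hta runs under mshta.exe).
SCRIPT_EXT = re.compile(r"\.(hta|vbs|vbe|js|jse|wsf|ps1)$", re.I)
# Mozilla NSS libraries a stealer stages to decrypt Firefox's saved logins;
# msvcp140/vcruntime140 are only their runtime and are not counted.
NSS_SET = {"nss3.dll", "softokn3.dll", "freebl3.dll", "mozglue.dll"}

TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [  # constructed from the report, not a captured log
    {"event": "process_create", "pid": 3572, "ppid": 1000,  # ppid assumed
     "image": TEMP_DIR + r"\Inquiry109346pdf.exe"},
    {"event": "process_create", "pid": 2660, "ppid": 3572,
     "image": r"C:\Program Files (x86)\internet explorer\ieinstal.exe"},
    *[{"event": "api", "pid": 3572, "target": 2660, "api": "WriteProcessMemory"}
      for _ in range(5)],
    {"event": "api", "pid": 3572, "target": 2660, "api": "SetThreadContext"},
    {"event": "registry_set", "pid": 3572,
     "key": r"\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\Xasm",
     "data": r"C:\Users\Admin\AppData\Local\Xasm\Xasm.hta"},
    # The report lists the dropped files but not which process wrote them.
    *[{"event": "file_create", "path": TEMP_DIR + "\\" + n}
      for n in ("freebl3.dll", "mozglue.dll", "msvcp140.dll",
                "nss3.dll", "softokn3.dll", "vcruntime140.dll")],
]


@dataclass
class Finding:
    rule: str
    pid: int | None
    detail: str


def triage(events: list[dict]) -> list[Finding]:
    """Return one Finding per matched rule, in rule order."""
    procs = {e["pid"]: e for e in events if e["event"] == "process_create"}
    findings: list[Finding] = []

    # Rule 1: one source both writes memory into and sets the thread context
    # of a child it spawned; source in a user-writable path, child trusted.
    calls: dict[tuple[int, int], set[str]] = defaultdict(set)
    for e in events:
        if e["event"] == "api":
            calls[(e["pid"], e["target"])].add(e["api"])
    for (src, dst), apis in calls.items():
        s, d = procs.get(src), procs.get(dst)
        if ({"WriteProcessMemory", "SetThreadContext"} <= apis and s and d
                and d["ppid"] == src and USER_WRITABLE.search(s["image"])
                and TRUSTED_DIRS.match(d["image"])):
            findings.append(Finding("process_hollowing", src,
                                    f"{s['image']} -> {d['image']} (pid {dst})"))

    # Rule 2: Run/RunOnce value whose payload is a script or lives in a
    # user-writable directory (a signed binary in Program Files would pass).
    for e in events:
        if e["event"] == "registry_set" and RUN_KEY.search(e["key"]):
            data = e["data"].strip('"')
            if SCRIPT_EXT.search(data) or USER_WRITABLE.search(data):
                findings.append(Finding("run_key_script_or_userdir", e["pid"],
                                        f"{e['key']} = {data}"))

    # Rule 3: three or more NSS libraries created in one directory that is
    # not a Firefox install: the toolkit for decrypting logins.json offline.
    by_dir: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if e["event"] == "file_create":
            directory, _, name = e["path"].rpartition("\\")
            by_dir[directory].add(name.lower())
    for directory, names in by_dir.items():
        hit = sorted(names & NSS_SET)
        if len(hit) >= 3 and "firefox" not in directory.lower():
            findings.append(Finding("nss_stealer_toolkit", None,
                                    f"{directory}: {', '.join(hit)}"))
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f.rule}] pid={f.pid}: {f.detail}")
```

Each rule is deliberately a conjunction: WriteProcessMemory alone is noisy (debuggers, installers), a Run key alone is normal, and nss3.dll alone is every Firefox install. Requiring the dropper-in-user-dir plus trusted-target combination, a script or user-directory payload in the Run value, and three NSS libraries outside a Firefox directory keeps each rule specific to the pattern this report exhibits while still generalising beyond these exact file names and PIDs.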