Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 17-11-2020 14:48
- Static task: static1
- Behavioral task: behavioral1
- Sample: INQUIRY.exe
- Resource: win7v20201028
General
- Target: INQUIRY.exe
- Size: 983KB
- MD5: f354ba5b2b1698b83201afe17fb068fa
- SHA1: 72d40d81e7151a28178c74971a883991d6a33de0
- SHA256: 04f6177bee237fe8f49353b9455c7367d6ab4d9e14a4139c9fccd7e4d349ce82
- SHA512: 1e9898871da0f0ec35ef7b84258827a498fe885dbe8bbc135ca341d87281424c5ace42ae43436adc1d4fafe90658f234571f755518b89eba047c7a0e72cf6c9b
Malware Config
Extracted
- Protocol: smtp
- Host: mail.iigcest.com
- Port: 587
- Username: ansaf@iigcest.com
- Password: Ans2016@
Signatures
- YARA rule hits (rule: upx)
  Processes:
  resource                                                                     yara_rule
  behavioral2/memory/3544-1-0x0000000000400000-0x000000000051D000-memory.dmp  upx
  behavioral2/memory/3544-4-0x0000000000400000-0x000000000051D000-memory.dmp  upx
  behavioral2/memory/3544-5-0x0000000000400000-0x000000000051D000-memory.dmp  upx
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description      ioc                                                                                                                                                                                                    process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"  INQUIRY.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow  ioc
  13    whatismyipaddress.com
  11    whatismyipaddress.com
- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
  description                          pid   process      target process
  PID 500 set thread context of 3544   500   INQUIRY.exe  INQUIRY.exe
  PID 3544 set thread context of 3512  3544  INQUIRY.exe  vbc.exe
  PID 3544 set thread context of 3976  3544  INQUIRY.exe  vbc.exe
- Suspicious behavior: EnumeratesProcesses (1772 IoCs)
  Processes (repeated identical entries collapsed):
  pid   process
  500   INQUIRY.exe
  3696  INQUIRY.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
  pid  process
  500  INQUIRY.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  3544  INQUIRY.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid   process
  3544  INQUIRY.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (identical entries collapsed, with counts; 3 + 3 + 9 + 9 = 24):
  description                       pid   process      target process  count
  PID 500 wrote to memory of 3544   500   INQUIRY.exe  INQUIRY.exe     3
  PID 500 wrote to memory of 3696   500   INQUIRY.exe  INQUIRY.exe     3
  PID 3544 wrote to memory of 3512  3544  INQUIRY.exe  vbc.exe         9
  PID 3544 wrote to memory of 3976  3544  INQUIRY.exe  vbc.exe         9
Processes (tree depth in brackets)
- [1] C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
  - [2] C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe" 2 3544 259283890
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\holderwb.txt
  MD5: f94dc819ca773f1e3cb27abbc9e7fa27
  SHA1: 9a7700efadc5ea09ab288544ef1e3cd876255086
  SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
  SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
- memory/500-0-0x0000000000400000-0x00000000004FC000-memory.dmp
  Filesize: 1008KB
- memory/3512-11-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
- memory/3512-9-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
- memory/3512-10-0x0000000000411654-mapping.dmp
- memory/3544-1-0x0000000000400000-0x000000000051D000-memory.dmp
  Filesize: 1.1MB
- memory/3544-2-0x000000000051B4D0-mapping.dmp
- memory/3544-4-0x0000000000400000-0x000000000051D000-memory.dmp
  Filesize: 1.1MB
- memory/3544-5-0x0000000000400000-0x000000000051D000-memory.dmp
  Filesize: 1.1MB
- memory/3544-7-0x0000000002360000-0x00000000023E8000-memory.dmp
  Filesize: 544KB
- memory/3544-8-0x0000000002352000-0x0000000002353000-memory.dmp
  Filesize: 4KB
- memory/3696-3-0x0000000000000000-mapping.dmp
- memory/3696-6-0x0000000000400000-0x00000000004FC000-memory.dmp
  Filesize: 1008KB
- memory/3976-12-0x0000000000400000-0x0000000000458000-memory.dmp
  Filesize: 352KB
- memory/3976-13-0x0000000000442628-mapping.dmp
- memory/3976-14-0x0000000000400000-0x0000000000458000-memory.dmp
  Filesize: 352KB