Analysis
- max time kernel: 150s
- max time network: 131s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 17-11-2020 14:47
Static task: static1
Behavioral task: behavioral1
Sample: INQUIRY.exe
Resource: win7v20201028
General
- Target: INQUIRY.exe
- Size: 983KB
- MD5: f354ba5b2b1698b83201afe17fb068fa
- SHA1: 72d40d81e7151a28178c74971a883991d6a33de0
- SHA256: 04f6177bee237fe8f49353b9455c7367d6ab4d9e14a4139c9fccd7e4d349ce82
- SHA512: 1e9898871da0f0ec35ef7b84258827a498fe885dbe8bbc135ca341d87281424c5ace42ae43436adc1d4fafe90658f234571f755518b89eba047c7a0e72cf6c9b
Malware Config
Extracted
- Protocol: smtp
- Host: mail.iigcest.com
- Port: 587
- Username: ansaf@iigcest.com
- Password: Ans2016@
Signatures
-
Processes:
  resource | yara_rule
  behavioral2/memory/5116-1-0x0000000000400000-0x000000000051D000-memory.dmp | upx
  behavioral2/memory/5116-5-0x0000000000400000-0x000000000051D000-memory.dmp | upx
  behavioral2/memory/5116-3-0x0000000000400000-0x000000000051D000-memory.dmp | upx
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: INQUIRY.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | INQUIRY.exe
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  8 | whatismyipaddress.com
  10 | whatismyipaddress.com
-
Suspicious use of SetThreadContext 3 IoCs
Processes: INQUIRY.exe, INQUIRY.exe
  description | pid | process | target process
  PID 4760 set thread context of 5116 | 4760 | INQUIRY.exe | INQUIRY.exe
  PID 5116 set thread context of 856 | 5116 | INQUIRY.exe | vbc.exe
  PID 5116 set thread context of 1268 | 5116 | INQUIRY.exe | vbc.exe
-
Suspicious behavior: EnumeratesProcesses 2181 IoCs
Processes: INQUIRY.exe, INQUIRY.exe
  pid | process
  4760 | INQUIRY.exe (2 entries)
  3008 | INQUIRY.exe (many repeated identical entries)
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes: INQUIRY.exe
  pid | process
  4760 | INQUIRY.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: INQUIRY.exe
  description | pid | process
  Token: SeDebugPrivilege | 5116 | INQUIRY.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: INQUIRY.exe
  pid | process
  5116 | INQUIRY.exe
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes: INQUIRY.exe, INQUIRY.exe
  description | pid | process | target process
  PID 4760 wrote to memory of 5116 | 4760 | INQUIRY.exe | INQUIRY.exe (3 entries)
  PID 4760 wrote to memory of 3008 | 4760 | INQUIRY.exe | INQUIRY.exe (3 entries)
  PID 5116 wrote to memory of 856 | 5116 | INQUIRY.exe | vbc.exe (9 entries)
  PID 5116 wrote to memory of 1268 | 5116 | INQUIRY.exe | vbc.exe (9 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (level 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (level 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
  - C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe" 2 5116 259285000
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\holderwb.txt
  MD5: f94dc819ca773f1e3cb27abbc9e7fa27
  SHA1: 9a7700efadc5ea09ab288544ef1e3cd876255086
  SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
  SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
- memory/856-10-0x0000000000411654-mapping.dmp
- memory/856-11-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/856-9-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/1268-14-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/1268-13-0x0000000000442628-mapping.dmp
- memory/1268-12-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/3008-4-0x0000000000000000-mapping.dmp
- memory/3008-7-0x0000000000400000-0x00000000004FC000-memory.dmp (Filesize: 1008KB)
- memory/4760-0-0x0000000000400000-0x00000000004FC000-memory.dmp (Filesize: 1008KB)
- memory/5116-5-0x0000000000400000-0x000000000051D000-memory.dmp (Filesize: 1.1MB)
- memory/5116-8-0x00000000022A2000-0x00000000022A3000-memory.dmp (Filesize: 4KB)
- memory/5116-6-0x0000000002340000-0x00000000023C8000-memory.dmp (Filesize: 544KB)
- memory/5116-3-0x0000000000400000-0x000000000051D000-memory.dmp (Filesize: 1.1MB)
- memory/5116-1-0x0000000000400000-0x000000000051D000-memory.dmp (Filesize: 1.1MB)
- memory/5116-2-0x000000000051B4D0-mapping.dmp