Analysis
- max time kernel: 150s
- max time network: 142s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 18-11-2020 12:09

  task             id           sample       resource
  Static task      static1
  Behavioral task  behavioral1  INQUIRY.exe  win7v20201028
General
- Target: INQUIRY.exe
- Size: 986KB
- MD5: 0b940145d7d02e5b1b975c99dd5197a4
- SHA1: 53ae0b576f7b362b90a25ace1470d33068db4490
- SHA256: bf487ff7cdbbd998b633b1858a939d8c808bcce65ab9937695475b39deea70a8
- SHA512: f6ea131ca86752edd8163c27ba045ff8ab4fe90a92f923565496e99d8b46ba5e99af14660bcca127a1ff06246ca262456508f6f9de2462e4cd10ba53d1428a92
Malware Config
Extracted
- Protocol: smtp
- Host: mail.iigcest.com
- Port: 587
- Username: ansaf@iigcest.com
- Password: Ans2016@
Signatures
- Processes:
    resource                                                                    yara_rule
    behavioral2/memory/3688-1-0x0000000000400000-0x000000000051D000-memory.dmp  upx
    behavioral2/memory/3688-4-0x0000000000400000-0x000000000051D000-memory.dmp  upx
    behavioral2/memory/3688-5-0x0000000000400000-0x000000000051D000-memory.dmp  upx
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Uses the Visual Basic compiler (vbc.exe) for execution (1 TTP)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    11    whatismyipaddress.com
    13    whatismyipaddress.com
- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
    description                          pid   process      target process
    PID 2208 set thread context of 3688  2208  INQUIRY.exe  INQUIRY.exe
    PID 3688 set thread context of 1540  3688  INQUIRY.exe  vbc.exe
    PID 3688 set thread context of 2552  3688  INQUIRY.exe  vbc.exe
  Read together with the WriteProcessMemory rows further down (the same source PIDs writing into the same targets), this is the process-hollowing sequence: start a child suspended, overwrite its image, point a thread's context at the new code, resume it. The second stage (PID 3688) does this twice into vbc.exe, a Microsoft-signed .NET binary, so the credential-dumping code runs under a trusted image name.
- Suspicious behavior: EnumeratesProcesses (1459 IoCs)
  Processes:
    pid   process
    2208  INQUIRY.exe  (2 entries)
    3880  INQUIRY.exe  (all remaining entries shown; the page truncates the list)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid   process
    2208  INQUIRY.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  3688  INQUIRY.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid   process
    3688  INQUIRY.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes:
    description                       pid   process      target process   rows
    PID 2208 wrote to memory of 3688  2208  INQUIRY.exe  INQUIRY.exe      3
    PID 2208 wrote to memory of 3880  2208  INQUIRY.exe  INQUIRY.exe      3
    PID 3688 wrote to memory of 1540  3688  INQUIRY.exe  vbc.exe          9
    PID 3688 wrote to memory of 2552  3688  INQUIRY.exe  vbc.exe          9
  The page lists one row per write call; identical rows are collapsed here with their count (3 + 3 + 9 + 9 = 24).
Processes
PIDs in parentheses are taken from the signature tables above; the tree itself does not show them. The two vbc.exe children are PIDs 1540 and 2552 (the page does not say which one wrote which file).
- C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe (PID 2208)
  "C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe (PID 3688)
    "C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
  - C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe (PID 3880)
    "C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe" 2 3688 259294359
    - Suspicious behavior: EnumeratesProcesses
/stext is not a switch the real vbc.exe understands: the two hollowed vbc.exe children are running injected code that honours it and writes its results to the .txt files in Temp (holderwb.txt appears under Downloads below). The mail/wb naming suggests mail-client and web-browser data, the browser half of which matches the "Reads user/profile data of web browsers" signature. The third INQUIRY.exe instance is launched with the PID of the hollowed second stage (3688) on its command line.
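The injection chain that the SetThreadContext and WriteProcessMemory tables and the process tree describe, reconstructed as an added triage script. This is the editor's example, not output of the sandbox and not part of the report; the event and process tuples are transcribed from the tables above, and HOLLOW_TARGETS is an analyst allow-list assumed here rather than something the sandbox exports.

```python
"""Triage helper for the process section of a sandbox report (added example).

The rows below are transcribed from this report's SetThreadContext /
WriteProcessMemory tables and process tree; the tuple layouts are this
script's own, not the sandbox's export format.
"""
import re
from collections import defaultdict

# (event, src_pid, src_image, dst_pid, dst_image) -- from the signature tables
EVENTS = [
    ("set_thread_context", 2208, "INQUIRY.exe", 3688, "INQUIRY.exe"),
    ("set_thread_context", 3688, "INQUIRY.exe", 1540, "vbc.exe"),
    ("set_thread_context", 3688, "INQUIRY.exe", 2552, "vbc.exe"),
    ("write_process_memory", 2208, "INQUIRY.exe", 3688, "INQUIRY.exe"),
    ("write_process_memory", 2208, "INQUIRY.exe", 3880, "INQUIRY.exe"),
    ("write_process_memory", 3688, "INQUIRY.exe", 1540, "vbc.exe"),
    ("write_process_memory", 3688, "INQUIRY.exe", 2552, "vbc.exe"),
]

# (image path, command line) -- from the process tree
PROCS = [
    (r"C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"'),
    (r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"'),
    (r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"'),
    (r"C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe" 2 3688 259294359'),
]

# Signed .NET binaries that are frequent hollowing targets. This allow-list is
# an assumption of the script (analyst-maintained), not sandbox data.
HOLLOW_TARGETS = {"vbc.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}


def find_hollowing(events):
    """Pair 'wrote to memory of X' with 'set thread context of X' from the same
    source pid. That pairing is the CreateProcess(CREATE_SUSPENDED) ->
    WriteProcessMemory -> SetThreadContext -> ResumeThread sequence of classic
    process hollowing. A write alone (2208 -> 3880 in this report) is not flagged."""
    wrote, ctx, image = defaultdict(set), defaultdict(set), {}
    for ev, sp, si, dp, di in events:
        image[sp], image[dp] = si, di
        if ev == "write_process_memory":
            wrote[sp].add(dp)
        elif ev == "set_thread_context":
            ctx[sp].add(dp)
    verdicts = {}
    for sp, targets in ctx.items():
        for dp in targets & wrote[sp]:
            if image[dp].lower() in HOLLOW_TARGETS:
                verdicts[(sp, dp)] = "hollowed system binary " + image[dp]
            elif image[dp] == image[sp]:
                verdicts[(sp, dp)] = "same-image hollowing (copy of itself overwritten)"
            else:
                verdicts[(sp, dp)] = "hollowed " + image[dp]
    return verdicts


def chains(verdicts, root):
    """Follow hollowing edges from root and return every pid path, leaf-terminated."""
    edges = defaultdict(list)
    for sp, dp in verdicts:
        edges[sp].append(dp)
    paths = []

    def walk(pid, path):
        if not edges.get(pid):
            paths.append(path)
            return
        for nxt in sorted(edges[pid]):
            walk(nxt, path + [nxt])

    walk(root, [root])
    return paths


# vbc.exe has no /stext switch; a vbc.exe that accepts one and names a .txt
# output file is executing somebody else's code.
STEXT = re.compile(r'\\vbc\.exe\s+/stext\s+"?([^"]+\.txt)', re.I)


def suspicious_cmdlines(procs):
    """Return the output paths of every vbc.exe started with /stext."""
    hits = []
    for path, cmd in procs:
        m = STEXT.search(cmd)
        if path.lower().endswith(r"\vbc.exe") and m:
            hits.append(m[1])
    return hits


if __name__ == "__main__":
    verdicts = find_hollowing(EVENTS)
    for (sp, dp), why in sorted(verdicts.items()):
        print(f"{sp} -> {dp}: {why}")
    print("chains:", chains(verdicts, 2208))
    print("vbc.exe /stext outputs:", suspicious_cmdlines(PROCS))
```

Run against the report's rows it yields two chains, 2208 -> 3688 -> 1540 and 2208 -> 3688 -> 2552, and two /stext output files; PID 3880 is written to but never has a thread context reset, so it is treated as an ordinary child rather than a hollowed one, which agrees with its only signature being EnumeratesProcesses.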
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\holderwb.txt
  MD5     f94dc819ca773f1e3cb27abbc9e7fa27
  SHA1    9a7700efadc5ea09ab288544ef1e3cd876255086
  SHA256  a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
  SHA512  72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
- memory/1540-9-0x0000000000400000-0x000000000041B000-memory.dmp    Filesize 108KB
- memory/1540-11-0x0000000000400000-0x000000000041B000-memory.dmp   Filesize 108KB
- memory/1540-10-0x0000000000411654-mapping.dmp
- memory/2208-0-0x0000000000400000-0x00000000004FC000-memory.dmp    Filesize 1008KB
- memory/2552-14-0x0000000000400000-0x0000000000458000-memory.dmp   Filesize 352KB
- memory/2552-13-0x0000000000442628-mapping.dmp
- memory/2552-12-0x0000000000400000-0x0000000000458000-memory.dmp   Filesize 352KB
- memory/3688-4-0x0000000000400000-0x000000000051D000-memory.dmp    Filesize 1.1MB
- memory/3688-7-0x0000000002300000-0x0000000002388000-memory.dmp    Filesize 544KB
- memory/3688-5-0x0000000000400000-0x000000000051D000-memory.dmp    Filesize 1.1MB
- memory/3688-2-0x000000000051B4C0-mapping.dmp
- memory/3688-1-0x0000000000400000-0x000000000051D000-memory.dmp    Filesize 1.1MB
- memory/3880-6-0x0000000000400000-0x00000000004FC000-memory.dmp    Filesize 1008KB
- memory/3880-3-0x0000000000000000-mapping.dmp
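The dump names above encode pid, dump index and address range, which is enough to check the hollowing claim without opening a single dump: compare the size of the image each process holds at the common base 0x400000 with the parent's own image, and check whether the recorded mapping address (where execution was redirected) lies inside a dumped region. The script below is an added example by the editor, not part of the report or the sandbox; the dump names are transcribed from the Downloads list, and the 0x400000 base and the interpretation of the mapping address are this script's assumptions.

```python
"""Size and entry-point check over the memory dump names of this report
(added example, not sandbox code). Names are transcribed from the report;
treating 0x400000 as the PE base and the '-mapping.dmp' address as the
redirected execution address are assumptions of this script."""
import re
from collections import defaultdict

DUMPS = [
    "memory/1540-9-0x0000000000400000-0x000000000041B000-memory.dmp",
    "memory/1540-11-0x0000000000400000-0x000000000041B000-memory.dmp",
    "memory/1540-10-0x0000000000411654-mapping.dmp",
    "memory/2208-0-0x0000000000400000-0x00000000004FC000-memory.dmp",
    "memory/2552-14-0x0000000000400000-0x0000000000458000-memory.dmp",
    "memory/2552-13-0x0000000000442628-mapping.dmp",
    "memory/2552-12-0x0000000000400000-0x0000000000458000-memory.dmp",
    "memory/3688-4-0x0000000000400000-0x000000000051D000-memory.dmp",
    "memory/3688-7-0x0000000002300000-0x0000000002388000-memory.dmp",
    "memory/3688-5-0x0000000000400000-0x000000000051D000-memory.dmp",
    "memory/3688-2-0x000000000051B4C0-mapping.dmp",
    "memory/3688-1-0x0000000000400000-0x000000000051D000-memory.dmp",
    "memory/3880-6-0x0000000000400000-0x00000000004FC000-memory.dmp",
    "memory/3880-3-0x0000000000000000-mapping.dmp",
]

REGION = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-mapping\.dmp$")


def parse_dumps(names):
    """Return ({pid: [(start, end), ...]}, {pid: mapping_address}).
    The same range is dumped more than once (indices 1, 4, 5 for pid 3688);
    a set collapses those duplicates."""
    regions, mappings = defaultdict(set), {}
    for name in names:
        m = REGION.match(name)
        if m:
            regions[int(m[1])].add((int(m[2], 16), int(m[3], 16)))
            continue
        m = MAPPING.match(name)
        if m:
            mappings[int(m[1])] = int(m[2], 16)
    return {pid: sorted(r) for pid, r in regions.items()}, mappings


def image_size(regions, pid, base=0x400000):
    """Size of the region starting at the PE base, or None if none was dumped."""
    return next((end - start for start, end in regions.get(pid, []) if start == base), None)


def assess(regions, mappings, parent):
    """Per pid: image size at the base in KB, whether it differs from the
    parent's image (a different PE mapped at the same base, i.e. a replaced
    image), and whether the mapping address falls inside a dumped region.
    A mapping address of 0 means no redirection was recorded."""
    ref = image_size(regions, parent)
    report = {}
    for pid in sorted(set(regions) | set(mappings)):
        size = image_size(regions, pid)
        addr = mappings.get(pid, 0)
        report[pid] = {
            "image_kb": size // 1024 if size is not None else None,
            "replaced_image": size is not None and size != ref,
            "entry_in_dump": addr != 0 and any(s <= addr < e for s, e in regions.get(pid, [])),
        }
    return report


if __name__ == "__main__":
    regions, mappings = parse_dumps(DUMPS)
    for pid, facts in assess(regions, mappings, parent=2208).items():
        print(pid, facts)
```

On this report the parent 2208 and the third instance 3880 both hold a 1008KB image at 0x400000 with no redirection recorded, while 3688 holds a 1140KB image there (the one the upx YARA rule fires on) with its mapping address 0x51B4C0 inside it, and the two vbc.exe children hold 108KB and 352KB images, nothing like the real compiler, with their mapping addresses inside those ranges too. The extra 544KB region at 0x2300000 in 3688 is a separate allocation and is left out of the comparison.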