Analysis
max time kernel: 125s
max time network: 136s
platform: windows10_x64
resource: win10-en-20211014
submitted: 10-11-2021 19:14
Static task: static1
Behavioral task: behavioral1 (sample: New Inquiry.exe; resource: win7-en-20211104)
Behavioral task: behavioral2 (sample: New Inquiry.exe; resource: win10-en-20211014)
General
Target: New Inquiry.exe
Size: 247KB
MD5: 905db5df8d7a31ccd2c15fd5b90d3cd2
SHA1: 06ec98964ce0e4d64cfcf68b579fa28be7207a15
SHA256: 997d1ffb13955190f89d7d6c712af1d2b8988cffdda524963f0963b4eb761d5a
SHA512: de02d56b22651e80442d06d4ad2d10a209e261cb048139f6d8c1822783cdee3f365186bfae4901549da51a9269af1daa9929ea7eb114a2bb09406975d5277142
Malware Config
Signatures
Detect Neshta Payload (1 IoC)
  resource: behavioral2/memory/920-119-0x0000000000000000-mapping.dmp
  yara_rule: family_neshta
Modifies system executable filetype association (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
  process: New Inquiry.exe
Neshta
Malware from the Neshta family infects other executable files in order to spread itself and cause damage.
Loads dropped DLL (1 IoC)
  pid: 3064
  process: New Inquiry.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.
Drops file in Program Files directory (53 IoCs)
  description: File opened for modification (all 53 entries)
  process: New Inquiry.exe (all 53 entries)
  ioc:
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
    C:\PROGRA~2\WI54FB~1\wmpshare.exe
    C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
    C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
    C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
    C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
    C:\PROGRA~2\INTERN~1\ieinstal.exe
    C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
    C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe
    C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
    C:\PROGRA~2\WI54FB~1\wmprph.exe
    C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
    C:\PROGRA~2\INTERN~1\ielowutil.exe
    C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
    C:\PROGRA~2\WINDOW~2\wab.exe
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
    C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
    C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
    C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
    C:\PROGRA~2\Google\Update\DISABL~1.EXE
    C:\PROGRA~2\WI54FB~1\wmplayer.exe
    C:\PROGRA~2\WINDOW~2\WinMail.exe
    C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
    C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
    C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
    C:\PROGRA~2\INTERN~1\ExtExport.exe
    C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
    C:\PROGRA~2\INTERN~1\iexplore.exe
    C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
    C:\PROGRA~2\WINDOW~2\wabmig.exe
    C:\PROGRA~2\WI54FB~1\wmpconfig.exe
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
    C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
    C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
    C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
    C:\PROGRA~2\WI54FB~1\setup_wm.exe
    C:\PROGRA~2\WI54FB~1\wmlaunch.exe
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
    C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
    C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
    C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
    C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
Drops file in Windows directory (1 IoC)
  description: File opened for modification
  ioc: C:\Windows\svchost.com
  process: New Inquiry.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage and optical drives; this is commonly observed in ransomware.
Modifies registry class (1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
  process: New Inquiry.exe
Suspicious use of WriteProcessMemory (13 IoCs)
  description: PID 3064 wrote to memory of 920 (all 13 entries)
  pid: 3064
  process: New Inquiry.exe
  target process: New Inquiry.exe
Processes
C:\Users\Admin\AppData\Local\Temp\New Inquiry.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\New Inquiry.exe"
  PID: 3064
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  child process: C:\Users\Admin\AppData\Local\Temp\New Inquiry.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\New Inquiry.exe"
    PID: 920
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
Network
MITRE ATT&CK Enterprise v6
Downloads
\Users\Admin\AppData\Local\Temp\nsm905.tmp\xpgjtt.dll
  MD5: cf4d50071a2c2fdfe2cbd07d42b4aaea
  SHA1: 214f85e9f8b1922333bd866d23bb97dbd8e12487
  SHA256: 44d8dedf859f5e3a174ae3f617cc4cc8fbfbc40f88d4a71f16c64c6b14e6b7a4
  SHA512: a17f4c72c390c14044baddb53723d2fc3383ec7a2b5a89f66870f5dbb42863e0d259fec77013e8f5bd00739721e11fd8f38322e9f8a395d59dd9405927205d98
memory/920-119-0x0000000000000000-mapping.dmp
memory/920-120-0x00000000001D0000-0x00000000001EB000-memory.dmp
  Filesize: 108KB