370da6a864cc0f7c3387cee818401ef3892bd81b153a9fe39cc6affc55d248e8

General

Target

INQ4556 PO.exe
Size

953KB
MD5

787505a211af41260aa84e8473ca533e
SHA1

303bb329745f99bf3c88535914f8b0ac768ac107
SHA256

925bc865f2151bd08bb14123ebf68f97eba97529a33de123e4e4cbade9a951e6
SHA512

bfdf5ef6801412652ba9da5c2271317cfa8a153171bf7c3c2648170c4f2f0362fafe0697290a99534c27a977df55882462ae5ee3e03351f844c3b6d21b7ad78b

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2296	vlc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	INQ4556 PO.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
38	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4796 set thread context of 3628	4796	INQ4556 PO.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4200	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1156	timeout.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
4796	INQ4556 PO.exe
4796	INQ4556 PO.exe
4796	INQ4556 PO.exe
4796	INQ4556 PO.exe
4796	INQ4556 PO.exe
4796	INQ4556 PO.exe
3628	INQ4556 PO.exe
3628	INQ4556 PO.exe
3628	INQ4556 PO.exe
3628	INQ4556 PO.exe
3628	INQ4556 PO.exe
3628	INQ4556 PO.exe
3628	INQ4556 PO.exe
3628	INQ4556 PO.exe
3628	INQ4556 PO.exe
3628	INQ4556 PO.exe
3628	INQ4556 PO.exe
3628	INQ4556 PO.exe
3628	INQ4556 PO.exe
3628	INQ4556 PO.exe
3628	INQ4556 PO.exe
3628	INQ4556 PO.exe
3628	INQ4556 PO.exe
3628	INQ4556 PO.exe
3628	INQ4556 PO.exe
3628	INQ4556 PO.exe
3628	INQ4556 PO.exe
3628	INQ4556 PO.exe
2296	vlc.exe
2296	vlc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4796	INQ4556 PO.exe
Token: SeDebugPrivilege	3628	INQ4556 PO.exe
Token: SeDebugPrivilege	2296	vlc.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 1132	4796	INQ4556 PO.exe	89
PID 4796 wrote to memory of 1132	4796	INQ4556 PO.exe	89
PID 4796 wrote to memory of 1132	4796	INQ4556 PO.exe	89
PID 4796 wrote to memory of 3628	4796	INQ4556 PO.exe	90
PID 4796 wrote to memory of 3628	4796	INQ4556 PO.exe	90
PID 4796 wrote to memory of 3628	4796	INQ4556 PO.exe	90
PID 4796 wrote to memory of 3628	4796	INQ4556 PO.exe	90
PID 4796 wrote to memory of 3628	4796	INQ4556 PO.exe	90
PID 4796 wrote to memory of 3628	4796	INQ4556 PO.exe	90
PID 4796 wrote to memory of 3628	4796	INQ4556 PO.exe	90
PID 4796 wrote to memory of 3628	4796	INQ4556 PO.exe	90
PID 3628 wrote to memory of 3004	3628	INQ4556 PO.exe	91
PID 3628 wrote to memory of 3004	3628	INQ4556 PO.exe	91
PID 3628 wrote to memory of 3004	3628	INQ4556 PO.exe	91
PID 3628 wrote to memory of 2424	3628	INQ4556 PO.exe	93
PID 3628 wrote to memory of 2424	3628	INQ4556 PO.exe	93
PID 3628 wrote to memory of 2424	3628	INQ4556 PO.exe	93
PID 3004 wrote to memory of 4200	3004	cmd.exe	95
PID 3004 wrote to memory of 4200	3004	cmd.exe	95
PID 3004 wrote to memory of 4200	3004	cmd.exe	95
PID 2424 wrote to memory of 1156	2424	cmd.exe	96
PID 2424 wrote to memory of 1156	2424	cmd.exe	96
PID 2424 wrote to memory of 1156	2424	cmd.exe	96
PID 2424 wrote to memory of 2296	2424	cmd.exe	97
PID 2424 wrote to memory of 2296	2424	cmd.exe	97
PID 2424 wrote to memory of 2296	2424	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\INQ4556 PO.exe
"C:\Users\Admin\AppData\Local\Temp\INQ4556 PO.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Users\Admin\AppData\Local\Temp\INQ4556 PO.exe
  "{path}"
  2⤵
  PID:1132
- C:\Users\Admin\AppData\Local\Temp\INQ4556 PO.exe
  "{path}"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\VideoLAN\vlc.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\VideoLAN\vlc.exe"'
      4⤵
      Creates scheduled task(s)
      PID:4200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF944.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1156
  - - C:\Users\Admin\VideoLAN\vlc.exe
      "C:\Users\Admin\VideoLAN\vlc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INQ4556 PO.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF944.tmp.bat

Filesize
140B

MD5
6d9be28aa01037ebb214b81e14f904b2

SHA1
876275e24678b8d312d680c24326cf3e7791e6d1

SHA256
047b7119e9182ec1f0484ffdc25fcee4a3b58650864da1bd38581dcd7cdb33ef

SHA512
73fadcd7ac94e90c6f92bd8351b88b5dbc8ca2183dcf0622dc00a380bbec52826b5786256981d19912f1a6c8b1cb538e9043433671ad9ab787b5027b1285e640

Download Submit
C:\Users\Admin\VideoLAN\vlc.exe

Filesize
953KB

MD5
787505a211af41260aa84e8473ca533e

SHA1
303bb329745f99bf3c88535914f8b0ac768ac107

SHA256
925bc865f2151bd08bb14123ebf68f97eba97529a33de123e4e4cbade9a951e6

SHA512
bfdf5ef6801412652ba9da5c2271317cfa8a153171bf7c3c2648170c4f2f0362fafe0697290a99534c27a977df55882462ae5ee3e03351f844c3b6d21b7ad78b

Download Submit
C:\Users\Admin\VideoLAN\vlc.exe

Filesize
953KB

MD5
787505a211af41260aa84e8473ca533e

SHA1
303bb329745f99bf3c88535914f8b0ac768ac107

SHA256
925bc865f2151bd08bb14123ebf68f97eba97529a33de123e4e4cbade9a951e6

SHA512
bfdf5ef6801412652ba9da5c2271317cfa8a153171bf7c3c2648170c4f2f0362fafe0697290a99534c27a977df55882462ae5ee3e03351f844c3b6d21b7ad78b

Download Submit
memory/3628-137-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3628-139-0x0000000005AD0000-0x0000000005B36000-memory.dmp

Filesize
408KB

Download
memory/4796-133-0x0000000002580000-0x000000000258A000-memory.dmp

Filesize
40KB

Download
memory/4796-131-0x0000000004F90000-0x0000000005534000-memory.dmp

Filesize
5.6MB

Download
memory/4796-130-0x0000000000060000-0x0000000000154000-memory.dmp

Filesize
976KB

Download
memory/4796-132-0x0000000004A80000-0x0000000004B12000-memory.dmp

Filesize
584KB

Download
memory/4796-134-0x0000000004EE0000-0x0000000004F7C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads