Analysis
max time kernel: 92s
max time network: 45s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 02:06
Static task: static1
Behavioral task: behavioral1 (Sample: Inquiry.exe, Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: Inquiry.exe, Resource: win10v2004-20220414-en)
General
Target: Inquiry.exe
Size: 464KB
MD5: ed7359e4b434485f01549ef3ad72a85f
SHA1: aaa4b1d3fa30d0c1ab32b4fa11139914070e29b4
SHA256: ba123e2be2891c5decb58c5f87b722e363a86679d7823bc01f93cf58f1c8973a
SHA512: 64b93b5b131d17f2b5eb8d741a620420620663bc9ced3aeb6644c68c35c6c7d6d2df537693a9b9c3d0ad4afb8ee59f77a24c3f7cec608d5cb33e366f14db7788
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.yandex.ru
Port: 587
Username: [email protected]
Password: bambam10
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
CoreEntity .NET Packer (1 IoC)
A .NET packer called CoreEntity that embeds the payload as a BitMap object which is later decrypted.
Processes:
  resource | yara_rule
  behavioral1/memory/1380-56-0x00000000005B0000-0x00000000005B8000-memory.dmp | coreentity
AgentTesla Payload (6 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/1800-63-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
  behavioral1/memory/1800-64-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
  behavioral1/memory/1800-66-0x000000000044CAAE-mapping.dmp | family_agenttesla
  behavioral1/memory/1800-65-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
  behavioral1/memory/1800-68-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
  behavioral1/memory/1800-70-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
CoreCCC Packer (1 IoC)
Detects the CoreCCC packer used to load .NET malware.
Processes:
  resource | yara_rule
  behavioral1/memory/1380-54-0x0000000000AE0000-0x0000000000B5A000-memory.dmp | coreccc
Looks for VirtualBox Guest Additions in registry (2 TTPs)
ReZer0 packer (1 IoC)
Detects ReZer0, a packer with multiple versions used in various campaigns.
Processes:
  resource | yara_rule
  behavioral1/memory/1380-57-0x00000000048E0000-0x0000000004938000-memory.dmp | rezer0
Looks for VMWare Tools registry key (2 TTPs)
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Inquiry.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Inquiry.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Inquiry.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Inquiry.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Inquiry.exe
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Inquiry.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | Inquiry.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | process | target process
  PID 1380 set thread context of 1800 | 1380 | Inquiry.exe | Inquiry.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  pid | process
  1380 | Inquiry.exe
  1800 | Inquiry.exe
  1800 | Inquiry.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1380 | Inquiry.exe
  Token: SeDebugPrivilege | 1800 | Inquiry.exe
Suspicious use of WriteProcessMemory (17 IoCs)
Processes (identical rows collapsed, with the number of recorded events):
  description | pid | process | target process | events
  PID 1380 wrote to memory of 1976 | 1380 | Inquiry.exe | schtasks.exe | 4
  PID 1380 wrote to memory of 1800 | 1380 | Inquiry.exe | Inquiry.exe | 9
  PID 1800 wrote to memory of 468 | 1800 | Inquiry.exe | netsh.exe | 4
outlook_office_path (1 IoC)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Inquiry.exe
outlook_win_path (1 IoC)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Inquiry.exe
Processes (process tree; depth shown by indentation)
C:\Users\Admin\AppData\Local\Temp\Inquiry.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Inquiry.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ghyXAAsyYqSuk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp80D.tmp"
      - Creates scheduled task(s)
    C:\Users\Admin\AppData\Local\Temp\Inquiry.exe
      Command line: "{path}"
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path
        C:\Windows\SysWOW64\netsh.exe
          Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp80D.tmp
  Filesize: 1KB
  MD5: 948271bf17eeb7dfa101423c0ccd6d8c
  SHA1: 6a9042e88892372164539efbdb4b34bd612adb93
  SHA256: ea87d240ff027ad9508a3925e7eaf38bd0fe49b5fe11138201b23a7f91c890d7
  SHA512: 746f9f58be0c2fb7fa8b035477b5cafef3831e4c6cb5f4c46997f57969e4eb58a7fdb7dfc0f7dde27fe297bae45694096476ff6d2c3946e169356b06fc1d8031
Memory dumps (Filesize in parentheses where reported):
  memory/468-72-0x0000000000000000-mapping.dmp
  memory/1380-54-0x0000000000AE0000-0x0000000000B5A000-memory.dmp (488KB)
  memory/1380-55-0x0000000076C81000-0x0000000076C83000-memory.dmp (8KB)
  memory/1380-56-0x00000000005B0000-0x00000000005B8000-memory.dmp (32KB)
  memory/1380-57-0x00000000048E0000-0x0000000004938000-memory.dmp (352KB)
  memory/1800-60-0x0000000000400000-0x0000000000452000-memory.dmp (328KB)
  memory/1800-61-0x0000000000400000-0x0000000000452000-memory.dmp (328KB)
  memory/1800-63-0x0000000000400000-0x0000000000452000-memory.dmp (328KB)
  memory/1800-64-0x0000000000400000-0x0000000000452000-memory.dmp (328KB)
  memory/1800-66-0x000000000044CAAE-mapping.dmp
  memory/1800-65-0x0000000000400000-0x0000000000452000-memory.dmp (328KB)
  memory/1800-68-0x0000000000400000-0x0000000000452000-memory.dmp (328KB)
  memory/1800-70-0x0000000000400000-0x0000000000452000-memory.dmp (328KB)
  memory/1976-58-0x0000000000000000-mapping.dmp