Analysis
- max time kernel: 112s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 12:03
Static task: static1
Behavioral task: behavioral1
- Sample: INQUIRY.exe
- Resource: win7-20220414-en
General
- Target: INQUIRY.exe
- Size: 259KB
- MD5: f652086d83ccc25c14bbcebb9229cbd4
- SHA1: cadd3972915bd7ffee7442c8b60ff6acc156705e
- SHA256: 9a6951c6f3c33c217edd9a4e32f5422c4e125b909d0c88e190b76eb695f05b72
- SHA512: 1fb741fe778c749d465cea204739519bf2a4bad4121d472f3ada7bbd8c7d3f09fb43eb7a3e81c0de88105bc89d1ba32254ef41bc96d13b12920e796a6cee8d0c
Malware Config
Extracted family: netwire
- C2: 194.5.97.109:3360
- activex_autorun: false
- activex_key: (not set)
- copy_executable: true
- delete_original: true
- host_id: MAZI
- install_path: %AppData%\Install\Host.exe
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex: (not set)
- offline_keylogger: true
- password: Password
- registry_autorun: false
- startup_name: (not set)
- use_mutex: false

Notes on the config: install_path expands to C:\Users\Admin\AppData\Roaming\Install\Host.exe for the sandbox user, which is exactly the dropped executable and the second-stage process in the tree below. registry_autorun and activex_autorun are both false, so the only persistence observed in this run is the scheduled task created via schtasks.exe (see Signatures and Processes). With use_mutex false there is no mutex IOC to hunt for; the C2 socket, the install path and the keylogger directory are the usable host and network indicators from this config.
Signatures

- NetWire RAT payload (5 IoCs)
  YARA rule "netwire" matched in the following memory dumps. All five are the 0x00400000-0x00433000 image region of the two processes that were the targets of SetThreadContext (PIDs 3036 and 1612), i.e. the unpacked payload after injection:
    behavioral2/memory/3036-136-0x0000000000400000-0x0000000000433000-memory.dmp
    behavioral2/memory/3036-138-0x0000000000400000-0x0000000000433000-memory.dmp
    behavioral2/memory/3036-141-0x0000000000400000-0x0000000000433000-memory.dmp
    behavioral2/memory/1612-152-0x0000000000400000-0x0000000000433000-memory.dmp
    behavioral2/memory/1612-153-0x0000000000400000-0x0000000000433000-memory.dmp

- Executes dropped EXE (3 IoCs)
  PID 4188 Host.exe, PID 2052 Host.exe, PID 1612 Host.exe

- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation
    by INQUIRY.exe (twice) and by Host.exe (once)

- Suspicious use of SetThreadContext (2 IoCs)
  PID 2612 INQUIRY.exe set thread context of PID 3036 INQUIRY.exe
  PID 4188 Host.exe set thread context of PID 1612 Host.exe
  In both cases the parent rewrites the thread context of a child running its own image, the shape of self-injection / process hollowing; the same two children are the ones that receive the bulk of the WriteProcessMemory calls below and the ones whose memory matched the netwire YARA rule.

- Enumerates physical storage devices (1 TTP)
  Sandbox description: attempts to interact with connected storage/optical drive(s); "likely ransomware behaviour". That phrase is the generic text attached to this signature, not a finding about this sample: nothing else in the report (no file encryption, no ransom note among the dropped files) points to ransomware, and the payload is identified as NetWire, a RAT. Read this hit as drive enumeration by the RAT.

- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution. The two IoCs are the two schtasks.exe /Create invocations in the process tree (one from INQUIRY.exe, one from the dropped Host.exe), both registering the task "Updates\VSkCPulZoc" from a temporary XML file.

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 2612 INQUIRY.exe (4 hits), PID 4188 Host.exe (2 hits)

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege enabled by PID 2612 INQUIRY.exe and by PID 4188 Host.exe

- Suspicious use of WriteProcessMemory (40 IoCs)
  Source -> target (number of write events):
    PID 2612 INQUIRY.exe -> PID 4716 schtasks.exe (3)
    PID 2612 INQUIRY.exe -> PID 2460 INQUIRY.exe (3)
    PID 2612 INQUIRY.exe -> PID 2628 INQUIRY.exe (3)
    PID 2612 INQUIRY.exe -> PID 3036 INQUIRY.exe (11)
    PID 3036 INQUIRY.exe -> PID 4188 Host.exe (3)
    PID 4188 Host.exe -> PID 648 schtasks.exe (3)
    PID 4188 Host.exe -> PID 2052 Host.exe (3)
    PID 4188 Host.exe -> PID 1612 Host.exe (11)
  Caveat when turning this into a detection: the three-write pattern shows up even for the schtasks.exe helpers and for the two INQUIRY.exe children (2460, 2628) that were never hollowed, so memory writes into a new child are not by themselves the injection signal. The discriminator is the combination of writes plus SetThreadContext on a child of the same image (2612 -> 3036, 4188 -> 1612).
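Added example (this is editor-supplied code, not output of the sandbox or part of NetWire): the correlation logic described above, run over the SetThreadContext and WriteProcessMemory events from this report. The event lines are copied from the two signature tables; the line format parsed here is the report's own flattened "PID x wrote to memory of y x image target" rendering, and the function names are my own.

```python
import re

# Constructed sample input: the SetThreadContext and WriteProcessMemory events
# listed in the signatures above (one line per distinct source/target pair; the
# report repeats each write pair several times, which does not change the result).
EVENTS = """
PID 2612 wrote to memory of 4716 2612 INQUIRY.exe schtasks.exe
PID 2612 wrote to memory of 2460 2612 INQUIRY.exe INQUIRY.exe
PID 2612 wrote to memory of 2628 2612 INQUIRY.exe INQUIRY.exe
PID 2612 wrote to memory of 3036 2612 INQUIRY.exe INQUIRY.exe
PID 2612 set thread context of 3036 2612 INQUIRY.exe INQUIRY.exe
PID 3036 wrote to memory of 4188 3036 INQUIRY.exe Host.exe
PID 4188 wrote to memory of 648 4188 Host.exe schtasks.exe
PID 4188 wrote to memory of 2052 4188 Host.exe Host.exe
PID 4188 wrote to memory of 1612 4188 Host.exe Host.exe
PID 4188 set thread context of 1612 4188 Host.exe Host.exe
"""

# "PID <src> <op> <dst> <src again> <src image> <dst image>"
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)"
)


def parse_events(text):
    """Turn the report's flattened event lines into dicts; unknown lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "src": int(m["src"]), "dst": int(m["dst"]),
            "op": "write" if m["op"].startswith("wrote") else "setctx",
            "src_img": m["src_img"], "dst_img": m["dst_img"],
        })
    return events


def find_hollowing(events):
    """Children that the parent both wrote into and whose thread context it rewrote.

    A parent doing both to a child of its own image is the self-injection /
    process-hollowing shape; writes alone are too noisy (see the caveat above).
    """
    writes, setctx = set(), set()
    for e in events:
        key = (e["src"], e["dst"], e["src_img"], e["dst_img"])
        (writes if e["op"] == "write" else setctx).add(key)
    hits = []
    for src, dst, src_img, dst_img in sorted(writes & setctx):
        hits.append({"parent": src, "child": dst, "image": dst_img,
                     "self_injection": src_img == dst_img})
    return hits


def writes_without_setctx(events):
    """Write targets that never had their thread context changed: in this report
    the schtasks.exe helpers, the Host.exe launcher and the two idle INQUIRY.exe
    children. These are the false positives a write-only rule would raise."""
    hollowed = {(h["parent"], h["child"]) for h in find_hollowing(events)}
    return sorted({(e["src"], e["dst"], e["dst_img"]) for e in events
                   if e["op"] == "write" and (e["src"], e["dst"]) not in hollowed})


if __name__ == "__main__":
    evs = parse_events(EVENTS)
    for h in find_hollowing(evs):
        print(f"hollowing: {h['parent']} -> {h['child']} ({h['image']})")
    for src, dst, img in writes_without_setctx(evs):
        print(f"write only: {src} -> {dst} ({img})")
```

On this report the function returns exactly the two SetThreadContext pairs (2612 -> 3036 INQUIRY.exe, 4188 -> 1612 Host.exe) and classifies the remaining six write targets as write-only, which is the split a detection rule needs to make.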
Processes (behavioral2; indentation shows parent/child, each entry gives the image path and then the command line)

C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VSkCPulZoc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3FF7.tmp"
      - Creates scheduled task(s)
      (The command line names System32 but the image is the SysWOW64 copy: the 32-bit parent's path was rewritten by WOW64 file-system redirection. Hunt on both paths.)

    C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"

    C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"

    C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      (This is PID 3036, the hollowed child that carries the NetWire payload and launches the installed copy.)

        C:\Users\Admin\AppData\Roaming\Install\Host.exe
          cmdline: "C:\Users\Admin\AppData\Roaming\Install\Host.exe" -m "C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"
          - Executes dropped EXE
          - Checks computer location settings
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          (The dropped copy is started with the original sample's path as an argument; with delete_original set to true in the config, this is the hand-off in which the original would be cleaned up.)

            C:\Windows\SysWOW64\schtasks.exe
              cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VSkCPulZoc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5360.tmp"
              - Creates scheduled task(s)

            C:\Users\Admin\AppData\Roaming\Install\Host.exe
              cmdline: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
              - Executes dropped EXE

            C:\Users\Admin\AppData\Roaming\Install\Host.exe
              cmdline: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
              - Executes dropped EXE
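Added example (editor-supplied, not part of the sandbox report): a parser for the flattened process-tree lines as this page renders them (image path, quoted command line, depth digit, then the arrow glyph), rebuilding parent/child links from the depth markers and then flagging the three things a responder would pull out of this tree: the schtasks /Create ... /XML persistence, the dropped copy under the roaming profile that is handed the original dropper's path, and the SysWOW64/System32 mismatch that marks WOW64 redirection. The finding labels are my own names, not sandbox signature names.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the process-tree lines from this report, in the exact
# flattened form the page shows them ("<image><quoted cmdline><depth>⤵").
TREE = r'''
C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"1⤵
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VSkCPulZoc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3FF7.tmp"2⤵
C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"2⤵
C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"2⤵
C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"2⤵
C:\Users\Admin\AppData\Roaming\Install\Host.exe"C:\Users\Admin\AppData\Roaming\Install\Host.exe" -m "C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"3⤵
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VSkCPulZoc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5360.tmp"4⤵
C:\Users\Admin\AppData\Roaming\Install\Host.exe"C:\Users\Admin\AppData\Roaming\Install\Host.exe"4⤵
C:\Users\Admin\AppData\Roaming\Install\Host.exe"C:\Users\Admin\AppData\Roaming\Install\Host.exe"4⤵
'''

# Image path runs up to the first quote; the command line starts at that quote
# and runs (non-greedily) until the depth digits immediately before the arrow.
LINE_RE = re.compile(r'^(?P<image>[^"]+)(?P<cmdline>".*?)(?P<depth>\d+)⤵$')
TN_RE = re.compile(r'/TN\s+"([^"]+)"', re.IGNORECASE)
XML_RE = re.compile(r'/XML\s+"([^"]+)"', re.IGNORECASE)


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    parent: "Proc | None" = None
    children: list = field(default_factory=list)


def parse_tree(text):
    """A node's parent is the most recent node one level shallower."""
    procs, last_at_depth = [], {}
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unparsed line: {raw!r}")
        p = Proc(m["image"], m["cmdline"], int(m["depth"]))
        p.parent = last_at_depth.get(p.depth - 1)
        if p.parent:
            p.parent.children.append(p)
        last_at_depth[p.depth] = p
        procs.append(p)
    return procs


def findings(procs):
    """Tuples (label, ...) for the persistence and hand-off patterns in the tree."""
    out = []
    for p in procs:
        img, cmd = p.image.lower(), p.cmdline
        parent_img = p.parent.image if p.parent else None
        # Scheduled task registered from an XML file: record task name and XML path.
        if img.endswith("\\schtasks.exe") and "/create" in cmd.lower():
            tn, xml = TN_RE.search(cmd), XML_RE.search(cmd)
            out.append(("schtasks_create", parent_img,
                        tn.group(1) if tn else None, xml.group(1) if xml else None))
        # Binary under the roaming profile started with its (different) parent's
        # image path on the command line: the dropped copy's hand-off.
        if ("\\appdata\\roaming\\" in img and p.parent
                and p.parent.image.lower() != img
                and p.parent.image.lower() in cmd.lower()):
            out.append(("dropped_copy_with_original_path", p.image, p.parent.image))
        # Command line says System32 but the image is SysWOW64: WOW64 redirection,
        # i.e. a 32-bit parent. Hunts keyed on one path only will miss the other.
        if "\\syswow64\\" in img and "\\system32\\" in cmd.lower():
            out.append(("wow64_redirect", parent_img, p.image))
    return out


if __name__ == "__main__":
    for f in findings(parse_tree(TREE)):
        print(f)
```

Against the tree above this yields two schtasks_create findings for the task "Updates\VSkCPulZoc" (one per XML temp file), one dropped_copy_with_original_path finding for Host.exe -m "...\INQUIRY.exe", and two wow64_redirect findings for the schtasks.exe invocations.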
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (files dropped during the run)

- C:\Users\Admin\AppData\Local\Temp\tmp3FF7.tmp
  Filesize: 1KB
  MD5: 7404c98425f58fd7bcd60bf50bb212a7
  SHA1: 2a5fcc2d861321bf57b5166007514e6a964fe9f6
  SHA256: fc327e9ae35292a4eea5a45cea50e8db961b82c90c9fefa62472137f44710dfd
  SHA512: 6d69d01a9ed7838b160d7cac1eebe1fba1025eeb6780d7c7cbd8ad69e667bfe80c240aa17b317c461811c99339db428a2de0df7cfbe2dd4aa9301aab9e02dc64

- C:\Users\Admin\AppData\Local\Temp\tmp5360.tmp
  Filesize: 1KB
  MD5: 7404c98425f58fd7bcd60bf50bb212a7
  SHA1: 2a5fcc2d861321bf57b5166007514e6a964fe9f6
  SHA256: fc327e9ae35292a4eea5a45cea50e8db961b82c90c9fefa62472137f44710dfd
  SHA512: 6d69d01a9ed7838b160d7cac1eebe1fba1025eeb6780d7c7cbd8ad69e667bfe80c240aa17b317c461811c99339db428a2de0df7cfbe2dd4aa9301aab9e02dc64
  Both .tmp files are the XML passed to schtasks.exe /XML in the process tree (once by INQUIRY.exe, once by Host.exe) and are byte-identical, so the scheduled task was registered twice with the same definition.

- C:\Users\Admin\AppData\Roaming\Install\Host.exe
  Filesize: 259KB
  MD5: f652086d83ccc25c14bbcebb9229cbd4
  SHA1: cadd3972915bd7ffee7442c8b60ff6acc156705e
  SHA256: 9a6951c6f3c33c217edd9a4e32f5422c4e125b909d0c88e190b76eb695f05b72
  SHA512: 1fb741fe778c749d465cea204739519bf2a4bad4121d472f3ada7bbd8c7d3f09fb43eb7a3e81c0de88105bc89d1ba32254ef41bc96d13b12920e796a6cee8d0c
  The report lists this file four times with identical hashes; the hashes are the same as the submitted INQUIRY.exe, so the install step is a byte-for-byte copy of the sample to the config's install_path (copy_executable true). A file hash IOC for the dropper therefore also covers the installed copy; only the path differs.
Memory dumps (behavioral2; the 204KB 0x00400000-0x00433000 dumps of PIDs 3036 and 1612 are the regions that matched the netwire YARA rule)

- memory/648-144-0x0000000000000000-mapping.dmp
- memory/1612-153-0x0000000000400000-0x0000000000433000-memory.dmp (204KB)
- memory/1612-152-0x0000000000400000-0x0000000000433000-memory.dmp (204KB)
- memory/1612-148-0x0000000000000000-mapping.dmp
- memory/2052-146-0x0000000000000000-mapping.dmp
- memory/2460-133-0x0000000000000000-mapping.dmp
- memory/2612-130-0x00000000750E0000-0x0000000075691000-memory.dmp (5.7MB)
- memory/2628-134-0x0000000000000000-mapping.dmp
- memory/3036-141-0x0000000000400000-0x0000000000433000-memory.dmp (204KB)
- memory/3036-138-0x0000000000400000-0x0000000000433000-memory.dmp (204KB)
- memory/3036-136-0x0000000000400000-0x0000000000433000-memory.dmp (204KB)
- memory/3036-135-0x0000000000000000-mapping.dmp
- memory/4188-143-0x0000000073E30000-0x00000000743E1000-memory.dmp (5.7MB)
- memory/4188-139-0x0000000000000000-mapping.dmp
- memory/4716-131-0x0000000000000000-mapping.dmp