Analysis
- max time kernel: 187s
- max time network: 182s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 12:19

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: Enquiry.exe, Resource: win7-20220414-en)
- Behavioral task: behavioral2 (Sample: Enquiry.exe, Resource: win10v2004-20220414-en)
General
- Target: Enquiry.exe
- Size: 797KB
- MD5: f71557e9155556d4f0ea0e03b307f11d
- SHA1: a04a977026b26e1da0f43ba3fd6a1112df109db9
- SHA256: 1f4f66b6c25fcf9e510c93af0fb57942013de942175617a7b3a515709a44bed5
- SHA512: 8a575f1a4364f35d3187cb9eb117a7bfdbc4d152ce2a72bfbca4dc80f6007493109de56ec4e870a2486df30bd17904970f08c463119280df07b06f7d8c9596f7

Malware Config
- Extracted from: C:\Users\Admin\AppData\Local\Temp\F95B724EDE\Log.txt
- Family: masslogger
Signatures

- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

- MassLogger Main Payload (1 IoCs)
  resource | yara_rule
  behavioral2/memory/1448-138-0x0000000000400000-0x00000000004A8000-memory.dmp | family_masslogger

- MassLogger log file (1 IoCs)
  Detects a log file produced by MassLogger.
  yara_rule
  masslogger_log_file

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: Enquiry.exe, Enquiry.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | Enquiry.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | Enquiry.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses Microsoft Outlook profiles (1 TTPs, 18 IoCs)
  Processes: Enquiry.exe
  description | ioc | process
  Key queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Enquiry.exe
  Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Enquiry.exe
  Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | Enquiry.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Enquiry.exe
  Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Enquiry.exe
  Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Enquiry.exe
  Key queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Enquiry.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Enquiry.exe
  Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Enquiry.exe
  Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | Enquiry.exe
  Key queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | Enquiry.exe
  Key queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | Enquiry.exe
  Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Enquiry.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Enquiry.exe
  Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Enquiry.exe
  Key queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Enquiry.exe
  Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | Enquiry.exe
  Key queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | Enquiry.exe

- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  36 | api.ipify.org

- Suspicious use of SetThreadContext (1 IoCs)
  Processes: Enquiry.exe
  description | pid | process | target process
  PID 4304 set thread context of 1448 | 4304 | Enquiry.exe | Enquiry.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes: Enquiry.exe
  pid | process
  1448 | Enquiry.exe

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: Enquiry.exe, Enquiry.exe
  pid | process
  4304 | Enquiry.exe
  4304 | Enquiry.exe
  1448 | Enquiry.exe
  1448 | Enquiry.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: Enquiry.exe, Enquiry.exe
  description | pid | process
  Token: SeDebugPrivilege | 4304 | Enquiry.exe
  Token: SeDebugPrivilege | 1448 | Enquiry.exe

- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: Enquiry.exe
  pid | process
  1448 | Enquiry.exe

- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: Enquiry.exe
  description | pid | process | target process
  PID 4304 wrote to memory of 4428 | 4304 | Enquiry.exe | schtasks.exe
  PID 4304 wrote to memory of 4428 | 4304 | Enquiry.exe | schtasks.exe
  PID 4304 wrote to memory of 4428 | 4304 | Enquiry.exe | schtasks.exe
  PID 4304 wrote to memory of 4552 | 4304 | Enquiry.exe | Enquiry.exe
  PID 4304 wrote to memory of 4552 | 4304 | Enquiry.exe | Enquiry.exe
  PID 4304 wrote to memory of 4552 | 4304 | Enquiry.exe | Enquiry.exe
  PID 4304 wrote to memory of 1448 | 4304 | Enquiry.exe | Enquiry.exe
  PID 4304 wrote to memory of 1448 | 4304 | Enquiry.exe | Enquiry.exe
  PID 4304 wrote to memory of 1448 | 4304 | Enquiry.exe | Enquiry.exe
  PID 4304 wrote to memory of 1448 | 4304 | Enquiry.exe | Enquiry.exe
  PID 4304 wrote to memory of 1448 | 4304 | Enquiry.exe | Enquiry.exe
  PID 4304 wrote to memory of 1448 | 4304 | Enquiry.exe | Enquiry.exe
  PID 4304 wrote to memory of 1448 | 4304 | Enquiry.exe | Enquiry.exe
  PID 4304 wrote to memory of 1448 | 4304 | Enquiry.exe | Enquiry.exe

- outlook_office_path (1 IoCs)
  Processes: Enquiry.exe
  description | ioc | process
  Key queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Enquiry.exe

- outlook_win_path (1 IoCs)
  Processes: Enquiry.exe
  description | ioc | process
  Key queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Enquiry.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\Enquiry.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Enquiry.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BOWbzufm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp343A.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Enquiry.exe (level 2)
    Command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\Enquiry.exe (level 2)
    Command line: "{path}"
    - Checks computer location settings
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Enquiry.exe.log
  Filesize: 507B
  MD5: ab4c71d3ff6255edd4e5c1e09540f49e
  SHA1: 22e06bf4e258741b5df918061871cba998c50cea
  SHA256: 1690fec628f775dd3c3385b800eed126b37978ef2ffd592b024052724caafb5a
  SHA512: 8fa7d0045796e6cda7c28e2b9a690ef550619828c1b5d0ebf8e8367aff4bf4d9f63121e5b4f199d30cb8006eb584c6767f4c59150749b8256dab9dd0ebd9f1af

- C:\Users\Admin\AppData\Local\Temp\tmp343A.tmp
  Filesize: 1KB
  MD5: a3a0e7bc9aad5007388d7ed02fb5e282
  SHA1: 78d0cc0592df22fc9c85fe93c63e772c42d86ad4
  SHA256: 0e9f08d47dcfe21f0a080d7cb656ddf06ca599d67c0f67cc799cd1ad13a3bcc8
  SHA512: 519c3a0032545854003beee1d3ba04b648d0332b5e084d4ec46012f4a36e3feae43f8d108cee5407d7f6e19e49d2d9832d10059e0cc3ca96541fe4a03c07afda

- memory/1448-137-0x0000000000000000-mapping.dmp
- memory/1448-142-0x0000000007B70000-0x0000000007BC0000-memory.dmp (Filesize: 320KB)
- memory/1448-141-0x0000000006DA0000-0x0000000006DAA000-memory.dmp (Filesize: 40KB)
- memory/1448-140-0x0000000005500000-0x0000000005566000-memory.dmp (Filesize: 408KB)
- memory/1448-138-0x0000000000400000-0x00000000004A8000-memory.dmp (Filesize: 672KB)
- memory/4304-133-0x00000000061E0000-0x0000000006784000-memory.dmp (Filesize: 5.6MB)
- memory/4304-130-0x0000000000660000-0x000000000072E000-memory.dmp (Filesize: 824KB)
- memory/4304-132-0x00000000051B0000-0x0000000005242000-memory.dmp (Filesize: 584KB)
- memory/4304-131-0x0000000005070000-0x000000000510C000-memory.dmp (Filesize: 624KB)
- memory/4428-134-0x0000000000000000-mapping.dmp
- memory/4552-136-0x0000000000000000-mapping.dmp