f2a5985b57a7f349270f65bc5cfc3b5c4d901121533e1ce3f474e04840c24561

Analysis

max time kernel
86s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21-05-2022 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Urgent Inquiry___289812.exe
Size

568KB
MD5

7777daa2b9545090156a898d5131521c
SHA1

f3657d37012ca0daae9e4287568b68c1b2220a60
SHA256

cb1f5aab744ba7964f5a04e4e7b606843b1914346594ebfc36d95d7296936d2e
SHA512

4a4fdc1ab7ce776fd97abd0e43f646fc093bfaaa3eb0660bf9a22cc0321d67d2b95eccf6bd64591eaafedffcbd9ec7e021ecb50f90f6fcfe271f9fbfdf2f2271

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Urgent Inquiry___289812.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xaon = "C:\\Users\\Admin\\AppData\\Local\\Xaon.url"	Urgent Inquiry___289812.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 46 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	46	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Urgent Inquiry___289812.exe

description	pid	process	target process
PID 4344 wrote to memory of 4168	4344	Urgent Inquiry___289812.exe	ieinstal.exe
PID 4344 wrote to memory of 4168	4344	Urgent Inquiry___289812.exe	ieinstal.exe
PID 4344 wrote to memory of 4168	4344	Urgent Inquiry___289812.exe	ieinstal.exe

C:\Users\Admin\AppData\Local\Temp\Urgent Inquiry___289812.exe
"C:\Users\Admin\AppData\Local\Temp\Urgent Inquiry___289812.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4344

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
2⤵
PID:4168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4168-138-0x0000000000000000-mapping.dmp

Download
memory/4344-131-0x0000000004A20000-0x0000000004A78000-memory.dmp

Filesize
352KB

Download