Analysis
- max time kernel: 91s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-10-2022 07:00

Static task: static1

Behavioral task: behavioral1
  Sample: INQUIRY.exe
  Resource: win7-20220901-en

Behavioral task: behavioral2
  Sample: INQUIRY.exe
  Resource: win10v2004-20220901-en
General
- Target: INQUIRY.exe
- Size: 790KB
- MD5: 17a16fdeda33edf4b8138df1e60fb83e
- SHA1: 0e51a45c5e08fbcfa8aa4382129cd44690f6df63
- SHA256: 413c242bae0ea6bcd5f06089f06afabc0b6f156192cbf7ac48f7b7e0379d02ae
- SHA512: a90832515d127ab6982717d0eea020a4bd45b0a86a31d953816b637671e8b2bfe2f10f5fb24119f0d9c35ddb26db998d77e157ab791ad3cb23ef4482801dca3c
- SSDEEP: 12288:mxuADqjJ5nhZwSIAAG6N9OS0g0av0/2vahdq60+9MK:XjrhZbIAwN/01Duva/qQe
Malware Config
Extracted (SMTP exfiltration settings recovered from the sample):
- Protocol: smtp
- Host: mail.sseximclearing.com
- Port: 587
- Username: saurav.roy@sseximclearing.com
- Password: Ssxm@9854
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description / ioc / process):
    Key value queried / \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation / INQUIRY.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description / ioc / process):
    Key opened / \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / INQUIRY.exe
    Key opened / \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / INQUIRY.exe
    Key opened / \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / INQUIRY.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
    PID 3080 set thread context of 4712 / 3080 / INQUIRY.exe / INQUIRY.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid / process):
    3080 / INQUIRY.exe
    4712 / INQUIRY.exe
    4712 / INQUIRY.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege / 3080 / INQUIRY.exe
    Token: SeDebugPrivilege / 4712 / INQUIRY.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description / pid / process / target process):
    PID 3080 wrote to memory of 2776 / 3080 / INQUIRY.exe / schtasks.exe
    PID 3080 wrote to memory of 2776 / 3080 / INQUIRY.exe / schtasks.exe
    PID 3080 wrote to memory of 2776 / 3080 / INQUIRY.exe / schtasks.exe
    PID 3080 wrote to memory of 4712 / 3080 / INQUIRY.exe / INQUIRY.exe
    PID 3080 wrote to memory of 4712 / 3080 / INQUIRY.exe / INQUIRY.exe
    PID 3080 wrote to memory of 4712 / 3080 / INQUIRY.exe / INQUIRY.exe
    PID 3080 wrote to memory of 4712 / 3080 / INQUIRY.exe / INQUIRY.exe
    PID 3080 wrote to memory of 4712 / 3080 / INQUIRY.exe / INQUIRY.exe
    PID 3080 wrote to memory of 4712 / 3080 / INQUIRY.exe / INQUIRY.exe
    PID 3080 wrote to memory of 4712 / 3080 / INQUIRY.exe / INQUIRY.exe
    PID 3080 wrote to memory of 4712 / 3080 / INQUIRY.exe / INQUIRY.exe
- outlook_office_path (1 IoC)
  Processes (description / ioc / process):
    Key opened / \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / INQUIRY.exe
- outlook_win_path (1 IoC)
  Processes (description / ioc / process):
    Key opened / \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / INQUIRY.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nXDhmEqSsLbxOU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp33F1.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\INQUIRY.exe (depth 2)
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp33F1.tmp
  Filesize: 1KB
  MD5: e9c873325d76df712071b41fc32c09f4
  SHA1: bea1b97fd4912369d6a5ea8ee2a5ce3bd3aa785b
  SHA256: cd8deb1720e1ae3451df4b9286abfab20a0bae1f3dee84ca11a90003c8d89634
  SHA512: 495387413ae4f48925d4afb55508b613c8d2c32524ffb745fdfe434f01643a39f63a34ee8eaed672300576893b612ffb82c67f99fe94941eec59dafd439b5752
- memory/2776-138-0x0000000000000000-mapping.dmp
- memory/3080-133-0x0000000000E60000-0x0000000000F2C000-memory.dmp
  Filesize: 816KB
- memory/3080-134-0x0000000005FD0000-0x0000000006574000-memory.dmp
  Filesize: 5.6MB
- memory/3080-135-0x00000000058D0000-0x0000000005962000-memory.dmp
  Filesize: 584KB
- memory/3080-136-0x0000000005A20000-0x0000000005ABC000-memory.dmp
  Filesize: 624KB
- memory/3080-137-0x00000000058C0000-0x00000000058CA000-memory.dmp
  Filesize: 40KB
- memory/4712-140-0x0000000000000000-mapping.dmp
- memory/4712-141-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
- memory/4712-142-0x0000000006530000-0x0000000006596000-memory.dmp
  Filesize: 408KB
- memory/4712-143-0x0000000006C60000-0x0000000006CB0000-memory.dmp
  Filesize: 320KB