Analysis
- max time kernel: 595s
- max time network: 601s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-01-2023 12:52
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Inquiry.js
  - Resource: win7-20220901-en
General
- Target: Inquiry.js
- Size: 1.3MB
- MD5: 443caa6bef67a2be0e4bcec86619683e
- SHA1: 24801da9b7ee6f3bea3a877b4f2e1e5592d27a7c
- SHA256: 772fd8b1137becb5b3697fb1e10ba79f31367c7402d06235f96fc214d0338327
- SHA512: eccc636da9661159c0e500e4eaa3cda94f1ceb220c766459e97ca759c289a0e70522f4cd12d60a4aa6d1ac98a2ef8594c0aff49976087397711cf3b1edbfe6d6
- SSDEEP: 24576:dwgFD4BiYRWfbd/RgU+FnkCt3fANRbonYMk37CMYY3lPg:dwgFD2ic6hRgU+1RuPoeYYK
Malware Config
Signatures
- Blocklisted process makes network request (57 IoCs)
  Process: wscript.exe (PID 1824)
  Network flows: 5, 27, 42, 94, 96, 102, 105, 106, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160
- Executes dropped EXE (1 IoC)
  Process: Payload (3).exe (PID 4968)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried by wscript.exe: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
- Drops startup file (2 IoCs)
  File created by wscript.exe: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ygXhKsdexe.js
  File opened for modification by wscript.exe: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ygXhKsdexe.js
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Key opened by Payload (3).exe: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened by Payload (3).exe: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened by Payload (3).exe: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 11: ipinfo.io
  Flow 12: ipinfo.io
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandbox environments.
  Key opened by Payload (3).exe: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0
  Key value queried by Payload (3).exe: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 4968, Payload (3).exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  PID 3228 (wscript.exe) wrote to memory of PID 1824 (wscript.exe)
  PID 3228 (wscript.exe) wrote to memory of PID 1824 (wscript.exe)
  PID 3228 (wscript.exe) wrote to memory of PID 4968 (Payload (3).exe)
  PID 3228 (wscript.exe) wrote to memory of PID 4968 (Payload (3).exe)
  PID 3228 (wscript.exe) wrote to memory of PID 4968 (Payload (3).exe)
- outlook_office_path (1 IoC)
  Key opened by Payload (3).exe: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Key opened by Payload (3).exe: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Windows\system32\wscript.exe (depth 1)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Inquiry.js
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (depth 2, child of the above)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ygXhKsdexe.js"
    - Blocklisted process makes network request
    - Drops startup file
  - C:\Users\Admin\AppData\Local\Temp\Payload (3).exe (depth 2, child of the above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payload (3).exe"
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Downloads
- C:\Users\Admin\AppData\Local\Temp\Payload (3).exe
  Filesize: 755KB
  MD5: 3e8af9fffb1b980b193508f6a8a8cdc3
  SHA1: e91e6f525952ae5a812d3cd3a795c6aeca94e527
  SHA256: ba055f5ffcf5c345e37307673717f11319326e5c4b621f336b76c4826b09f7cc
  SHA512: 072bac20632cc30aa99715e4d5f508eab6a5b143704a0cdbbf0f5f22f86f4c02204efb1eb4acf8eeca97622c074bed2aa333119e842040e34ab55bff219a1f11
- C:\Users\Admin\AppData\Roaming\ygXhKsdexe.js
  Filesize: 6KB
  MD5: f5900623d262e28b5b5169d4307406df
  SHA1: 1eba3a193e440e9373133f69cff2f9cff6373189
  SHA256: 9530c305096a7bc5443c50079a77e7aee12d6dea1770f279ccf8f6e5f149f334
  SHA512: d0ed8912d5ff927bfa0f05616f4712dbf6a60349839d4722691c02eb7cb0ebf2d1f1cbbe8becd1a77b5c71821b623323811d9255d1f8b9060cb928f31a996f97
- memory/1824-132-0x0000000000000000-mapping.dmp
- memory/4968-134-0x0000000000000000-mapping.dmp
- memory/4968-137-0x0000000000D40000-0x0000000000E04000-memory.dmp
  Filesize: 784KB
- memory/4968-138-0x0000000007C90000-0x0000000007CF6000-memory.dmp
  Filesize: 408KB
- memory/4968-139-0x0000000009190000-0x00000000091B2000-memory.dmp
  Filesize: 136KB
- memory/4968-140-0x0000000009160000-0x000000000916A000-memory.dmp
  Filesize: 40KB
- memory/4968-141-0x00000000095D0000-0x00000000095E2000-memory.dmp
  Filesize: 72KB