5a948b605fbabb59ea28244fdf05cc6980a82057fa1cc1138a1cba3569b9a294

General

Target

Inquiry Doc2pdf.exe
Size

732KB
MD5

cc9320801a411bae88d4293006f8fdd2
SHA1

00995a1f3b4f14ffc260f17a9d2294671832b861
SHA256

5a948b605fbabb59ea28244fdf05cc6980a82057fa1cc1138a1cba3569b9a294
SHA512

eb0e0f52e30c33613b86a4365af8134acb03d6b1c9c0310ea439da0192f79e8d7380bb10cccd81fb917e6979e6fc59c2809473d54df47ca9da458a475ad27c3b
SSDEEP

12288:LdTKGZrAHW3XVcJsWcv6QL8B2rA4tO5yoEZSsc2RUzSZQ1HkLdU+0bS:L/SpHcv3rAeO5VEIscnmyb

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1200 set thread context of 1488	1200	Inquiry Doc2pdf.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2712	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3000	powershell.exe
2772	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 3000	1200	Inquiry Doc2pdf.exe	28
PID 1200 wrote to memory of 3000	1200	Inquiry Doc2pdf.exe	28
PID 1200 wrote to memory of 3000	1200	Inquiry Doc2pdf.exe	28
PID 1200 wrote to memory of 2772	1200	Inquiry Doc2pdf.exe	31
PID 1200 wrote to memory of 2772	1200	Inquiry Doc2pdf.exe	31
PID 1200 wrote to memory of 2772	1200	Inquiry Doc2pdf.exe	31
PID 1200 wrote to memory of 2712	1200	Inquiry Doc2pdf.exe	32
PID 1200 wrote to memory of 2712	1200	Inquiry Doc2pdf.exe	32
PID 1200 wrote to memory of 2712	1200	Inquiry Doc2pdf.exe	32
PID 1200 wrote to memory of 1488	1200	Inquiry Doc2pdf.exe	34
PID 1200 wrote to memory of 1488	1200	Inquiry Doc2pdf.exe	34
PID 1200 wrote to memory of 1488	1200	Inquiry Doc2pdf.exe	34
PID 1200 wrote to memory of 1488	1200	Inquiry Doc2pdf.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Inquiry Doc2pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Inquiry Doc2pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Inquiry Doc2pdf.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\arERSuoa.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\arERSuoa" /XML "C:\Users\Admin\AppData\Local\Temp\tmp81DD.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2712
- C:\Users\Admin\AppData\Local\Temp\Inquiry Doc2pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Inquiry Doc2pdf.exe"
  2⤵
  PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp81DD.tmp

Filesize
1KB

MD5
121288245a317dca4e50e954bed83f04

SHA1
44eea38efdc42fd5009f035f186e28b7fa29c061

SHA256
461adb24c81ecca442f4aea87cb2934ae1d8466b94154a75f5a097168ba11da1

SHA512
ef301267c279573fafcb71b5ef69c04a63e2ace61b8510031000e08d89df7d52c4d63e0d3bdc43bdbae6471da888a1bfe3153197f2aae081b8f82b3ec55ac8fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
555e68ed1560e2e67ad8e9cd0b8203af

SHA1
0bb56a39b64ecf411b81400db8bafeb1524f40d4

SHA256
9827cb47b7869fbbc74b4382fb57e3e01b012ca7c65cfc3725800ace9fe701b8

SHA512
e02f0556520649ebaa171bee559a26faa51b5626d396ee67c9060228c4724eb4ddc99e2acd63b0b9daf7d703c0667c853778d6d15a6896d3fa89a67ca3a32fd3

Download Submit
memory/1200-0-0x000000013FD40000-0x000000013FDFC000-memory.dmp

Filesize
752KB

Download
memory/1200-1-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

Filesize
9.9MB

Download
memory/1200-2-0x000000001BD90000-0x000000001BE10000-memory.dmp

Filesize
512KB

Download
memory/1200-3-0x0000000000780000-0x000000000079A000-memory.dmp

Filesize
104KB

Download
memory/1200-4-0x00000000007A0000-0x00000000007B2000-memory.dmp

Filesize
72KB

Download
memory/1200-5-0x00000000007B0000-0x00000000007C0000-memory.dmp

Filesize
64KB

Download
memory/1200-6-0x000000001BCC0000-0x000000001BD40000-memory.dmp

Filesize
512KB

Download
memory/1200-40-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

Filesize
9.9MB

Download
memory/1200-14-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

Filesize
9.9MB

Download
memory/1488-32-0x000007FFFFFD4000-0x000007FFFFFD5000-memory.dmp

Filesize
4KB

Download
memory/2772-31-0x0000000001FE0000-0x0000000002060000-memory.dmp

Filesize
512KB

Download
memory/2772-33-0x0000000001FE0000-0x0000000002060000-memory.dmp

Filesize
512KB

Download
memory/2772-39-0x000007FEEDB80000-0x000007FEEE51D000-memory.dmp

Filesize
9.6MB

Download
memory/2772-36-0x0000000001FE0000-0x0000000002060000-memory.dmp

Filesize
512KB

Download
memory/2772-28-0x0000000001FE0000-0x0000000002060000-memory.dmp

Filesize
512KB

Download
memory/2772-29-0x000007FEEDB80000-0x000007FEEE51D000-memory.dmp

Filesize
9.6MB

Download
memory/2772-35-0x000007FEEDB80000-0x000007FEEE51D000-memory.dmp

Filesize
9.6MB

Download
memory/3000-25-0x0000000002B40000-0x0000000002BC0000-memory.dmp

Filesize
512KB

Download
memory/3000-16-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/3000-34-0x0000000002B40000-0x0000000002BC0000-memory.dmp

Filesize
512KB

Download
memory/3000-30-0x000007FEEDB80000-0x000007FEEE51D000-memory.dmp

Filesize
9.6MB

Download
memory/3000-24-0x000007FEEDB80000-0x000007FEEE51D000-memory.dmp

Filesize
9.6MB

Download
memory/3000-26-0x0000000002B40000-0x0000000002BC0000-memory.dmp

Filesize
512KB

Download
memory/3000-27-0x0000000002B40000-0x0000000002BC0000-memory.dmp

Filesize
512KB

Download
memory/3000-13-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads