Overview

overview

10

Static

static

3

Inquiry.exe

windows7-x64

10

Inquiry.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28-03-2024 02:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Inquiry.exe

  • Size

    602KB

  • MD5

    cdef16a2a2116cd907aa817b11217cfd

  • SHA1

    d23ba1f017c0e65ba65203c889a2bea963d63d3a

  • SHA256

    da6572812314662cf364e04dc4db580245e4598063fe952cb509575ca88392f6

  • SHA512

    9ad7168fd876ceb36229330092f2f70d5a305e9422ff7cc321684c3210ad217a214ed517041f0738eb1a98b977232dcf01d8f8e6a3ca03e3a6261baef94d90ae

  • SSDEEP

    12288:lYyGYZS6ESbpYa4i2BzmVNhsBQN/nRTOPihFr3iUR42q6N:IUDESbwylT/nRKWrPN

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect packed .NET executables. Mostly AgentTeslaV4. 5 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 5 IoCs
  • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 5 IoCs
  • Detects executables packed with or use KoiVM 1 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 5 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 5 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 5 IoCs
  • Detects executables referencing many file transfer clients. Observed in information stealers 5 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Inquiry.exe
    "C:\Users\Admin\AppData\Local\Temp\Inquiry.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3044
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:2700
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp54D4.tmp.bat""
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2548
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
          4⤵
            PID:2468
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2424
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
            4⤵
              PID:2488

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Scheduled Task/Job

      1
      T1053

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Scheduled Task/Job

      1
      T1053

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Query Registry

      1
      T1012

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp54D4.tmp.bat
        Filesize

        151B

        MD5

        9f88b38e03886641a432f95be1b0c7ac

        SHA1

        79ed46073d9d3a16bb4083facfc95f74fc1d6017

        SHA256

        cf4b2940a6920fe940ef1cd25c0c47460477918b200f79a643794d57b493fc73

        SHA512

        000317761dbf88a42fd462b5173267ffd8ebdd4ee007e0df1763a2cc55d08b41726dc21b2a1d0596844b7a10b0ba5f12b02200f0cefdfc7464da8088327bf308

        Download Submit
      • \Users\Admin\AppData\Roaming\svchost.exe
        Filesize

        602KB

        MD5

        cdef16a2a2116cd907aa817b11217cfd

        SHA1

        d23ba1f017c0e65ba65203c889a2bea963d63d3a

        SHA256

        da6572812314662cf364e04dc4db580245e4598063fe952cb509575ca88392f6

        SHA512

        9ad7168fd876ceb36229330092f2f70d5a305e9422ff7cc321684c3210ad217a214ed517041f0738eb1a98b977232dcf01d8f8e6a3ca03e3a6261baef94d90ae

        Download Submit
      • memory/1932-0-0x0000000001170000-0x0000000001178000-memory.dmp
        Filesize

        32KB

        Download
      • memory/1932-1-0x000007FEF5480000-0x000007FEF5E6C000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/1932-2-0x000000001B120000-0x000000001B1A0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1932-3-0x000000001B3F0000-0x000000001B486000-memory.dmp
        Filesize

        600KB

        Download
      • memory/1932-13-0x000007FEF5480000-0x000007FEF5E6C000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/2424-30-0x0000000000400000-0x0000000000442000-memory.dmp
        Filesize

        264KB

        Download
      • memory/2424-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2424-38-0x0000000074300000-0x00000000749EE000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/2424-37-0x0000000004C90000-0x0000000004CD0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2424-36-0x0000000074300000-0x00000000749EE000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/2424-35-0x0000000000400000-0x0000000000442000-memory.dmp
        Filesize

        264KB

        Download
      • memory/2424-33-0x0000000000400000-0x0000000000442000-memory.dmp
        Filesize

        264KB

        Download
      • memory/2468-24-0x0000000000400000-0x0000000000442000-memory.dmp
        Filesize

        264KB

        Download
      • memory/2468-22-0x0000000000400000-0x0000000000442000-memory.dmp
        Filesize

        264KB

        Download
      • memory/2468-23-0x0000000000400000-0x0000000000442000-memory.dmp
        Filesize

        264KB

        Download
      • memory/2468-21-0x0000000000400000-0x0000000000442000-memory.dmp
        Filesize

        264KB

        Download
      • memory/2708-18-0x0000000000810000-0x0000000000818000-memory.dmp
        Filesize

        32KB

        Download
      • memory/2708-32-0x000007FEF4A90000-0x000007FEF547C000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/2708-19-0x000007FEF4A90000-0x000007FEF547C000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/2708-20-0x000000001AB80000-0x000000001AC00000-memory.dmp
        Filesize

        512KB

        Download