c8fd9a4b8b5f728e5f1420d36bd45822e1be8e0887c0953825398dc758360aab

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 12:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

inquiry.exe
Size

876KB
MD5

beb116406043adf5d6fe5c688eae6d15
SHA1

f61c10b86ddad9dfde65ec4a923fedb253d52021
SHA256

5228429e6eefc6336ac71c6f0c7c8fbd2770451057a951657e338d1cdd5d6c80
SHA512

0005dc3a469a0d88208b9846611a13cefa7e996ffb7a12cd29f847b8c882eaf31a687e2e138e43379fbbb3a5dfe5174c4bbf58a17893ed116142ac1f48f40d25
SSDEEP

24576:jw4bjw4bBQ1mvhl5zJWunpgghRD7X84HYFZ7s:jw4bjw4bBQ+FWWpgUVHSBs

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 716 set thread context of 3344	716	inquiry.exe	97
PID 3344 set thread context of 3388	3344	RegSvcs.exe	56
PID 3344 set thread context of 1296	3344	RegSvcs.exe	100
PID 1296 set thread context of 3388	1296	iexpress.exe	56
PID 1296 set thread context of 2944	1296	iexpress.exe	108

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	iexpress.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
716	inquiry.exe
716	inquiry.exe
3344	RegSvcs.exe
3344	RegSvcs.exe
3344	RegSvcs.exe
3344	RegSvcs.exe
3344	RegSvcs.exe
3344	RegSvcs.exe
3344	RegSvcs.exe
3344	RegSvcs.exe
3344	RegSvcs.exe
3344	RegSvcs.exe
3344	RegSvcs.exe
3344	RegSvcs.exe
3344	RegSvcs.exe
3344	RegSvcs.exe
3344	RegSvcs.exe
3344	RegSvcs.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
3344	RegSvcs.exe
3388	Explorer.EXE
3388	Explorer.EXE
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe
1296	iexpress.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	716	inquiry.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3388	Explorer.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 716 wrote to memory of 3344	716	inquiry.exe	97
PID 716 wrote to memory of 3344	716	inquiry.exe	97
PID 716 wrote to memory of 3344	716	inquiry.exe	97
PID 716 wrote to memory of 3344	716	inquiry.exe	97
PID 716 wrote to memory of 3344	716	inquiry.exe	97
PID 716 wrote to memory of 3344	716	inquiry.exe	97
PID 3388 wrote to memory of 1296	3388	Explorer.EXE	100
PID 3388 wrote to memory of 1296	3388	Explorer.EXE	100
PID 3388 wrote to memory of 1296	3388	Explorer.EXE	100
PID 1296 wrote to memory of 2944	1296	iexpress.exe	108
PID 1296 wrote to memory of 2944	1296	iexpress.exe	108

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Users\Admin\AppData\Local\Temp\inquiry.exe
  "C:\Users\Admin\AppData\Local\Temp\inquiry.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:716
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:3344
- C:\Windows\SysWOW64\iexpress.exe
  "C:\Windows\SysWOW64\iexpress.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/716-12-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/716-1-0x0000000000240000-0x000000000031E000-memory.dmp

Filesize
888KB

Download
memory/716-2-0x00000000051E0000-0x0000000005784000-memory.dmp

Filesize
5.6MB

Download
memory/716-3-0x0000000004D10000-0x0000000004DA2000-memory.dmp

Filesize
584KB

Download
memory/716-4-0x0000000004ED0000-0x0000000004EDA000-memory.dmp

Filesize
40KB

Download
memory/716-5-0x0000000005030000-0x00000000050CC000-memory.dmp

Filesize
624KB

Download
memory/716-6-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/716-7-0x0000000005010000-0x000000000502A000-memory.dmp

Filesize
104KB

Download
memory/716-8-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/716-9-0x0000000005F50000-0x0000000005FDA000-memory.dmp

Filesize
552KB

Download
memory/716-0-0x0000000074A9E000-0x0000000074A9F000-memory.dmp

Filesize
4KB

Download
memory/1296-22-0x0000000002C90000-0x0000000002FDA000-memory.dmp

Filesize
3.3MB

Download
memory/1296-19-0x0000000000CD0000-0x0000000000D0F000-memory.dmp

Filesize
252KB

Download
memory/1296-26-0x0000000000CD0000-0x0000000000D0F000-memory.dmp

Filesize
252KB

Download
memory/1296-24-0x0000000002A90000-0x0000000002B2E000-memory.dmp

Filesize
632KB

Download
memory/1296-23-0x0000000000CD0000-0x0000000000D0F000-memory.dmp

Filesize
252KB

Download
memory/1296-20-0x0000000000CD0000-0x0000000000D0F000-memory.dmp

Filesize
252KB

Download
memory/2944-35-0x000002C2F4310000-0x000002C2F442A000-memory.dmp

Filesize
1.1MB

Download
memory/3344-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3344-13-0x0000000001580000-0x00000000018CA000-memory.dmp

Filesize
3.3MB

Download
memory/3344-10-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3344-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3344-17-0x00000000014A0000-0x00000000014BF000-memory.dmp

Filesize
124KB

Download
memory/3344-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3344-14-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3388-18-0x000000000D8D0000-0x000000000F3D0000-memory.dmp

Filesize
27.0MB

Download
memory/3388-25-0x000000000D8D0000-0x000000000F3D0000-memory.dmp

Filesize
27.0MB

Download
memory/3388-27-0x0000000008CE0000-0x0000000008D91000-memory.dmp

Filesize
708KB

Download
memory/3388-28-0x0000000008CE0000-0x0000000008D91000-memory.dmp

Filesize
708KB

Download
memory/3388-36-0x0000000008CE0000-0x0000000008D91000-memory.dmp

Filesize
708KB

Download