Analysis
-
max time kernel
151s -
max time network
280s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
29-11-2024 13:26
General
-
Target
Inquiry 241128.exe
-
Size
896KB
-
MD5
bab35b6fe111a241883bdbd3f9996a30
-
SHA1
9901d14b05a9e8305a4660ead1a334571f7017fe
-
SHA256
2c67cd53627199ab4741a3fe73a317b1f91fd46544e06ed251b8ab8b444170a8
-
SHA512
d2be9b3dc1472cb8ca4cd110f09cd3e305ffa3dafa2725fd41eec601505a0ffabc68322f9a28d6548d8bfe9ce14a9cdc9e9a6f038fa7856cf7b32b9301aa77bb
-
SSDEEP
24576:k2xj0BZodxnaB89JG0Z7dFXue45xMP9LCnYnL:H+BZ0hBG0Z7+eOOPAnY
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Inquiry 241128.exe"C:\Users\Admin\AppData\Local\Temp\Inquiry 241128.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Inquiry 241128.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oklxWiuHrvEbN.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oklxWiuHrvEbN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp191.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\Inquiry 241128.exe"C:\Users\Admin\AppData\Local\Temp\Inquiry 241128.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Inquiry 241128.exe"C:\Users\Admin\AppData\Local\Temp\Inquiry 241128.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
Filesize
18KB
MD5ffeda31b363a778afd6fc514d7e3f12f
SHA16bed075ae8baf94e611890f6d79b25d78e2462e7
SHA25667918eef793da40e77d66f5ee6a3e39568d876afd40067cbf1db14a433a6d21e
SHA512c556ff240fa21651ca61a2a07df3f97723e52c9910897913a1724388c3c3ccd42926e5abe34f088f8f2f932f5024cb8b6382e91eac891f846ef4dbf62bc6b35e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5a54684baedd791677398cd6d462c4289
SHA1adf53c15df47a7074eaa54ab93d1a2c1f4928add
SHA256740735d2447524ce74624dd5e35b41497ef4ef86a48a613fdbc40de7bb03b2a0
SHA512d5b3d92fb5700c04e5e949e82717a55a71da3f9b5ce77bdc9b6241d28b0678d1cc605d0dc8d7b9afe117125c79eb5c2a753c36fcdda2657fb9544fc957ae4a44
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
96KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
4KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
920KB
-
Filesize
216KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
6.5MB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
652KB
-
Filesize
32KB
-
Filesize
200KB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
104KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
284KB