9037bcdb122e1ee36abd49614bc06d563f8eeef10a8d70199454f88017aa667b

Analysis

max time kernel
176s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9037bcdb122e1ee36abd49614bc06d563f8eeef10a8d70199454f88017aa667b.exe
Size

955KB
MD5

b5ee64488aa5beb3adf36d0d652fa850
SHA1

cbad725f4f100d5d69ce64c08a950b9660d8cac0
SHA256

9037bcdb122e1ee36abd49614bc06d563f8eeef10a8d70199454f88017aa667b
SHA512

660a68ed26777fad4dce546b8b3ec7f5b0b93d002a2d6bcdbb0860afb857e39a91b1cefb6767d6d0fba6d135dff07b16f8e4c6c837242fd85f2fd4fc55c8b99c
SSDEEP

24576:8wFBRvKloOA6wpgPOeqMlXAWdnsIqt365ONmL0lwq:8UvKlHwpgPOeFlQWiIqLNmL0l7

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1068	questbasic.exe
5108	questbasic117.exe
2684	questbasic.exe

Loads dropped DLL 3 IoCs

pid	Process
1068	questbasic.exe
5108	questbasic117.exe
2684	questbasic.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\QuestBasic\questbasic.dll	questbasic.exe
File created	C:\Program Files (x86)\QuestBasic\questbasic.exe	questbasic.exe
File created	C:\Program Files (x86)\QuestBasic\uninstall.exe	9037bcdb122e1ee36abd49614bc06d563f8eeef10a8d70199454f88017aa667b.exe
File created	C:\Program Files (x86)\QuestBasic\questbasic.dll	questbasic.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\SearchScopes	questbasic.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{86F14831-D88C-4BC8-B871-C8FB24D95D9B}	questbasic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{86F14831-D88C-4BC8-B871-C8FB24D95D9B}\DisplayName = "QuestBasic"	questbasic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{86F14831-D88C-4BC8-B871-C8FB24D95D9B}\URL = "http://www.questbasic.com/?prt=QUESTBASIC117&keywords={searchTerms}"	questbasic.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	questbasic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback = "http://www.questbasic.com/?tmp=redir_bho_bing&dist=0&prt=QUESTBASIC117&keywords={searchTerms}"	questbasic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{86F14831-D88C-4BC8-B871-C8FB24D95D9B}\TopResultURLFallback = "http://www.questbasic.com/?tmp=redir_bho_bing&dist=0&prt=QUESTBASIC117&keywords={searchTerms}"	questbasic.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	questbasic117.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	questbasic117.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	questbasic117.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	questbasic117.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	questbasic117.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1068	questbasic.exe
1068	questbasic.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe
5108	questbasic117.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2684	questbasic.exe
2684	questbasic.exe
2684	questbasic.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 1068	4164	9037bcdb122e1ee36abd49614bc06d563f8eeef10a8d70199454f88017aa667b.exe	81
PID 4164 wrote to memory of 1068	4164	9037bcdb122e1ee36abd49614bc06d563f8eeef10a8d70199454f88017aa667b.exe	81
PID 4164 wrote to memory of 1068	4164	9037bcdb122e1ee36abd49614bc06d563f8eeef10a8d70199454f88017aa667b.exe	81
PID 5108 wrote to memory of 2684	5108	questbasic117.exe	83
PID 5108 wrote to memory of 2684	5108	questbasic117.exe	83
PID 5108 wrote to memory of 2684	5108	questbasic117.exe	83

C:\Users\Admin\AppData\Local\Temp\9037bcdb122e1ee36abd49614bc06d563f8eeef10a8d70199454f88017aa667b.exe
"C:\Users\Admin\AppData\Local\Temp\9037bcdb122e1ee36abd49614bc06d563f8eeef10a8d70199454f88017aa667b.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Users\Admin\AppData\Local\Temp\nsp1271.tmp\questbasic.exe
  "C:\Users\Admin\AppData\Local\Temp\nsp1271.tmp\questbasic.exe" "C:\Users\Admin\AppData\Local\Temp\nsp1271.tmp\questbasic.dll" utacopibul "-a " bulamucayefem
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:1068

C:\ProgramData\QuestBasic\questbasic117.exe
"C:\ProgramData\QuestBasic\questbasic117.exe" "C:\Program Files (x86)\QuestBasic\questbasic.dll" jizefare kepilaxun
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Program Files (x86)\QuestBasic\questbasic.exe
  "C:\Program Files (x86)\QuestBasic\questbasic.exe" "C:\Program Files (x86)\QuestBasic\questbasic.dll" mewoyavab eyimewoy
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\QuestBasic\questbasic.dll

Filesize
868KB

MD5
3d03f7a47db29429ef67f4b5c5e8ace8

SHA1
2768610835fcce92815920b6feb62cc7f05330ea

SHA256
e52dc7cabb0966ba65f3b8e0fcc07cc8f82d8d07f6aa5e636c9ce9dfb63a5de0

SHA512
3144dbdae9438720b0f92d05de749fd17b4ca6b787bbaf839b6e33599a8860e1bf6d28dfc78ffd4d04aaf833ffea73d898d971a5aab439e53cee81fccb687101

Download Submit
C:\Program Files (x86)\QuestBasic\questbasic.dll

Filesize
868KB

MD5
3d03f7a47db29429ef67f4b5c5e8ace8

SHA1
2768610835fcce92815920b6feb62cc7f05330ea

SHA256
e52dc7cabb0966ba65f3b8e0fcc07cc8f82d8d07f6aa5e636c9ce9dfb63a5de0

SHA512
3144dbdae9438720b0f92d05de749fd17b4ca6b787bbaf839b6e33599a8860e1bf6d28dfc78ffd4d04aaf833ffea73d898d971a5aab439e53cee81fccb687101

Download Submit
C:\Program Files (x86)\QuestBasic\questbasic.dll

Filesize
868KB

MD5
3d03f7a47db29429ef67f4b5c5e8ace8

SHA1
2768610835fcce92815920b6feb62cc7f05330ea

SHA256
e52dc7cabb0966ba65f3b8e0fcc07cc8f82d8d07f6aa5e636c9ce9dfb63a5de0

SHA512
3144dbdae9438720b0f92d05de749fd17b4ca6b787bbaf839b6e33599a8860e1bf6d28dfc78ffd4d04aaf833ffea73d898d971a5aab439e53cee81fccb687101

Download Submit
C:\Program Files (x86)\QuestBasic\questbasic.exe

Filesize
22KB

MD5
d34d69b1b619132fc84320aa3f86d7d2

SHA1
18cb9b323cef4ec869092cef99db4e7fafc573fa

SHA256
c68d5778fc8da0283deb43cad740b3d4b3df3584c09e1dab4439ce5aa9d9f98b

SHA512
218191c8d3b68a53afb2f2a6615520c406fc851a1c5c709df0b7528990afddaf4b684d6e614fc4b70ac5d9c1dc89846290fbd8f4bae8377d5928e9b8b8e65f0c

Download Submit
C:\Program Files (x86)\QuestBasic\questbasic.exe

Filesize
22KB

MD5
d34d69b1b619132fc84320aa3f86d7d2

SHA1
18cb9b323cef4ec869092cef99db4e7fafc573fa

SHA256
c68d5778fc8da0283deb43cad740b3d4b3df3584c09e1dab4439ce5aa9d9f98b

SHA512
218191c8d3b68a53afb2f2a6615520c406fc851a1c5c709df0b7528990afddaf4b684d6e614fc4b70ac5d9c1dc89846290fbd8f4bae8377d5928e9b8b8e65f0c

Download Submit
C:\ProgramData\QuestBasic\questbasic117.exe

Filesize
22KB

MD5
d34d69b1b619132fc84320aa3f86d7d2

SHA1
18cb9b323cef4ec869092cef99db4e7fafc573fa

SHA256
c68d5778fc8da0283deb43cad740b3d4b3df3584c09e1dab4439ce5aa9d9f98b

SHA512
218191c8d3b68a53afb2f2a6615520c406fc851a1c5c709df0b7528990afddaf4b684d6e614fc4b70ac5d9c1dc89846290fbd8f4bae8377d5928e9b8b8e65f0c

Download Submit
C:\ProgramData\QuestBasic\questbasic117.exe

Filesize
22KB

MD5
d34d69b1b619132fc84320aa3f86d7d2

SHA1
18cb9b323cef4ec869092cef99db4e7fafc573fa

SHA256
c68d5778fc8da0283deb43cad740b3d4b3df3584c09e1dab4439ce5aa9d9f98b

SHA512
218191c8d3b68a53afb2f2a6615520c406fc851a1c5c709df0b7528990afddaf4b684d6e614fc4b70ac5d9c1dc89846290fbd8f4bae8377d5928e9b8b8e65f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp1271.tmp\questbasic.dll

Filesize
868KB

MD5
3d03f7a47db29429ef67f4b5c5e8ace8

SHA1
2768610835fcce92815920b6feb62cc7f05330ea

SHA256
e52dc7cabb0966ba65f3b8e0fcc07cc8f82d8d07f6aa5e636c9ce9dfb63a5de0

SHA512
3144dbdae9438720b0f92d05de749fd17b4ca6b787bbaf839b6e33599a8860e1bf6d28dfc78ffd4d04aaf833ffea73d898d971a5aab439e53cee81fccb687101

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp1271.tmp\questbasic.dll

Filesize
868KB

MD5
3d03f7a47db29429ef67f4b5c5e8ace8

SHA1
2768610835fcce92815920b6feb62cc7f05330ea

SHA256
e52dc7cabb0966ba65f3b8e0fcc07cc8f82d8d07f6aa5e636c9ce9dfb63a5de0

SHA512
3144dbdae9438720b0f92d05de749fd17b4ca6b787bbaf839b6e33599a8860e1bf6d28dfc78ffd4d04aaf833ffea73d898d971a5aab439e53cee81fccb687101

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp1271.tmp\questbasic.exe

Filesize
22KB

MD5
d34d69b1b619132fc84320aa3f86d7d2

SHA1
18cb9b323cef4ec869092cef99db4e7fafc573fa

SHA256
c68d5778fc8da0283deb43cad740b3d4b3df3584c09e1dab4439ce5aa9d9f98b

SHA512
218191c8d3b68a53afb2f2a6615520c406fc851a1c5c709df0b7528990afddaf4b684d6e614fc4b70ac5d9c1dc89846290fbd8f4bae8377d5928e9b8b8e65f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp1271.tmp\questbasic.exe

Filesize
22KB

MD5
d34d69b1b619132fc84320aa3f86d7d2

SHA1
18cb9b323cef4ec869092cef99db4e7fafc573fa

SHA256
c68d5778fc8da0283deb43cad740b3d4b3df3584c09e1dab4439ce5aa9d9f98b

SHA512
218191c8d3b68a53afb2f2a6615520c406fc851a1c5c709df0b7528990afddaf4b684d6e614fc4b70ac5d9c1dc89846290fbd8f4bae8377d5928e9b8b8e65f0c

Download Submit
memory/1068-137-0x0000000002080000-0x0000000002151000-memory.dmp

Filesize
836KB

Download
memory/2684-155-0x0000000001FA0000-0x0000000002071000-memory.dmp

Filesize
836KB

Download
memory/5108-146-0x0000000000C90000-0x0000000000D61000-memory.dmp

Filesize
836KB

Download