13c8b5654a48f32ee692c3c37159ed331ed6807f3267a3c5c354e7f1e257267c

Analysis

max time kernel
149s
max time network
160s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24-12-2023 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e7d6c723ed94f9a00d871dac004b2b9.exe
Size

955KB
MD5

0e7d6c723ed94f9a00d871dac004b2b9
SHA1

b8d271862a0fbacbcc72cd206928d01860766b52
SHA256

13c8b5654a48f32ee692c3c37159ed331ed6807f3267a3c5c354e7f1e257267c
SHA512

214a9f1c1d66864accce595288086820682c7e8edc1600f4715b1b7db6bf5e1b8c016d603a1d94b6f569b2bea0c6c4f860bf93f58cf6c2ee46cdeefaeb4879ea
SSDEEP

24576:dkgJqV1bveC/Z4XwseZCGYYTkGhcRszdBb:dkg0JZgwhFzhldd

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2792	questbasic.exe
2856	questbasic117.exe
2604	questbasic.exe

Loads dropped DLL 10 IoCs

pid	Process
3064	0e7d6c723ed94f9a00d871dac004b2b9.exe
3064	0e7d6c723ed94f9a00d871dac004b2b9.exe
2792	questbasic.exe
2792	questbasic.exe
2792	questbasic.exe
2792	questbasic.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2604	questbasic.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	questbasic117.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\88EH0AWK.htm	questbasic117.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\QuestBasic\uninstall.exe	0e7d6c723ed94f9a00d871dac004b2b9.exe
File created	C:\Program Files (x86)\QuestBasic\questbasic.dll	questbasic.exe
File opened for modification	C:\Program Files (x86)\QuestBasic\questbasic.dll	questbasic.exe
File created	C:\Program Files (x86)\QuestBasic\questbasic.exe	questbasic.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000015c1d-43.dat	nsis_installer_1

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\SearchScopes\{86F14831-D88C-4BC8-B871-C8FB24D95D9B}\DisplayName = "QuestBasic"	questbasic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\SearchScopes\{86F14831-D88C-4BC8-B871-C8FB24D95D9B}\URL = "http://www.questbasic.com/?prt=QUESTBASIC117&keywords={searchTerms}"	questbasic.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	questbasic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback.Save = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IE11TR"	questbasic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback = "http://www.questbasic.com/?tmp=redir_bho_bing&dist=0&prt=QUESTBASIC117&keywords={searchTerms}"	questbasic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\SearchScopes\{86F14831-D88C-4BC8-B871-C8FB24D95D9B}\TopResultURLFallback = "http://www.questbasic.com/?tmp=redir_bho_bing&dist=0&prt=QUESTBASIC117&keywords={searchTerms}"	questbasic.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\SearchScopes	questbasic.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\SearchScopes\{86F14831-D88C-4BC8-B871-C8FB24D95D9B}	questbasic.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B7BE0A32-7D26-4325-A984-A24498B927D7}\WpadDecisionTime = 60083ff52737da01	questbasic117.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-54-51-c8-57-53\WpadDecision = "0"	questbasic117.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	questbasic117.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	questbasic117.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	questbasic117.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B7BE0A32-7D26-4325-A984-A24498B927D7}\WpadNetworkName = "Network 3"	questbasic117.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B7BE0A32-7D26-4325-A984-A24498B927D7}\72-54-51-c8-57-53	questbasic117.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-54-51-c8-57-53\WpadDecisionReason = "1"	questbasic117.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	questbasic117.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	questbasic117.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0102000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	questbasic117.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	questbasic117.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B7BE0A32-7D26-4325-A984-A24498B927D7}\WpadDecision = "0"	questbasic117.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-54-51-c8-57-53	questbasic117.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	questbasic117.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	questbasic117.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	questbasic117.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	questbasic117.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B7BE0A32-7D26-4325-A984-A24498B927D7}	questbasic117.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B7BE0A32-7D26-4325-A984-A24498B927D7}\WpadDecisionReason = "1"	questbasic117.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-54-51-c8-57-53\WpadDecisionTime = 60083ff52737da01	questbasic117.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	questbasic117.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	questbasic117.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	questbasic117.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2792	questbasic.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe
2856	questbasic117.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2604	questbasic.exe
2604	questbasic.exe
2604	questbasic.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2792	3064	0e7d6c723ed94f9a00d871dac004b2b9.exe	28
PID 3064 wrote to memory of 2792	3064	0e7d6c723ed94f9a00d871dac004b2b9.exe	28
PID 3064 wrote to memory of 2792	3064	0e7d6c723ed94f9a00d871dac004b2b9.exe	28
PID 3064 wrote to memory of 2792	3064	0e7d6c723ed94f9a00d871dac004b2b9.exe	28
PID 3064 wrote to memory of 2792	3064	0e7d6c723ed94f9a00d871dac004b2b9.exe	28
PID 3064 wrote to memory of 2792	3064	0e7d6c723ed94f9a00d871dac004b2b9.exe	28
PID 3064 wrote to memory of 2792	3064	0e7d6c723ed94f9a00d871dac004b2b9.exe	28
PID 2856 wrote to memory of 2604	2856	questbasic117.exe	30
PID 2856 wrote to memory of 2604	2856	questbasic117.exe	30
PID 2856 wrote to memory of 2604	2856	questbasic117.exe	30
PID 2856 wrote to memory of 2604	2856	questbasic117.exe	30

C:\Users\Admin\AppData\Local\Temp\0e7d6c723ed94f9a00d871dac004b2b9.exe
"C:\Users\Admin\AppData\Local\Temp\0e7d6c723ed94f9a00d871dac004b2b9.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Local\Temp\nsj6EFB.tmp\questbasic.exe
  "C:\Users\Admin\AppData\Local\Temp\nsj6EFB.tmp\questbasic.exe" "C:\Users\Admin\AppData\Local\Temp\nsj6EFB.tmp\questbasic.dll" xinofiki "-a " nuciririxuboc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:2792

C:\ProgramData\QuestBasic\questbasic117.exe
"C:\ProgramData\QuestBasic\questbasic117.exe" "C:\Program Files (x86)\QuestBasic\questbasic.dll" peyabeqe elowowopus
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Program Files (x86)\QuestBasic\questbasic.exe
  "C:\Program Files (x86)\QuestBasic\questbasic.exe" "C:\Program Files (x86)\QuestBasic\questbasic.dll" lejijeroc ruzafiqa
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\QuestBasic\questbasic.dll

Filesize
31KB

MD5
21a620adfaaa1d56f77359e224a94c59

SHA1
da76371f6bcc4dd4a48da38dfa07f60ea57e1371

SHA256
6a63744567450cf89521e07d4ccb14f1143540d4ff67eeab66f117bbf3a154b6

SHA512
cb4b8b2e367f35b4235d66bc95daf9c6f2fdf4cf96da92dd91dd5fa05d6fafc7e5da922ef5efc24f4337ce6dccd1306e39826d989edfa322f54798b50997a3c7

Download Submit
C:\Program Files (x86)\QuestBasic\questbasic.exe

Filesize
18KB

MD5
1ccbd1be9a44bd78de901c9a0c3ca428

SHA1
c4798f525e49cd6ff557846e15209f9ad8c1268f

SHA256
17ad4daf902e494daa26910e3c6886ea4e503e794e26dada884018810db75b97

SHA512
1f5c642da51fdd00e377cb961385a5f1cb0934c99411243f8ac295b793b487ccae27fa10e0a99733c5cb1337641d3277e47cb9d9d2a7cac9641ec704c0f806e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6EFB.tmp\questbasic.dll

Filesize
105KB

MD5
27d71ab2eae28ed0ce77b7b117e65aa5

SHA1
941614d4ac4dc0b6cd74751a1f65ab58ec60df62

SHA256
d99f23e62b9341965bc47e6eeff7f02ccd38e2f948a7120d32352bc75918f805

SHA512
86b7bbe361ac442f5f09411fe1ea6cab4ea1a06abc0b4fdd99bc02ad7688af773246f383b019530fdd6061b70d6cb0a44e591022ca5680a698faa14bceef6a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6EFB.tmp\questbasic.exe

Filesize
22KB

MD5
470035efbb0cca2a90a72f91e8acc15d

SHA1
1eab3267fba9da615640927356adf43c37316243

SHA256
bc1192946baaff780ebe8a6c1b9d527ea861a8f61c265bb29dcf733bdd8e8cc1

SHA512
d76022c7ef7df4bdb8d04b07bcb1396d4dbc6fd6a2925c0df4ca719d8bcb2c381ddb46832c03b03d32db8d601c2b6c2d98da1cb72971dcbd6f4aac9b5b795ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6EFB.tmp\uninstall.exe

Filesize
25KB

MD5
50af6d8229b5993c386ef0b31ad5b2b5

SHA1
651850bf47a2aa48ed21d906e8784a23989c110f

SHA256
22901f0558670991117c83bed99b69959221967aa9314df613e462fac4e38df5

SHA512
39951d154e2484af8b8e25b4117976b50814f22f2f5178337e44be391a769e1a353482d7a496b2bafae346cce0cfb1e55461b41a7737e4f6d30daf3ab0dd703b

Download Submit
\Program Files (x86)\QuestBasic\questbasic.dll

Filesize
42KB

MD5
72422393235bd27a303ff4b391a82cfe

SHA1
9dff63019760f444e9a2f7035df33fcd3e10887d

SHA256
9b70a8ee67a6deb732546e13815de11d6da4dd4005ab8c831f4eeae396055256

SHA512
51a767d4875c90e7b4b0d4a8c7390cf5cf72f9d182c970f1a66a178752fbda458f6436ec9cb67571eee01b0bf0e42662e0aef78309e0da715b025ea501efaf42

Download Submit
\Program Files (x86)\QuestBasic\questbasic.dll

Filesize
13KB

MD5
a139470f357911ec80422c581fec4f88

SHA1
5f4fcc22c8c74ffca39d58467be5cac77b75a0fb

SHA256
f9e09d9c4a9522881d71a56191389aaa6e979f5b43775bb1e30b9b5ee30ee70e

SHA512
1a74289b63fd057fca6d26d4ee1e478629ad57f0babec31d8805193c9e49b35a965536bf08ce48a62bcbf90cc22c11a2c5bccf39611c40e92d46db09ffa6a48b

Download Submit
\Users\Admin\AppData\Local\Temp\nsj6EFB.tmp\questbasic.dll

Filesize
64KB

MD5
bc6cb21afc09823e8a7976a63a3bf29d

SHA1
26099269cd54c3567c0373fd7b4c8040b16e1b3f

SHA256
925964fda64d67d17d62517363f36251308e8f687bee4a3b58254244f8292a63

SHA512
f8800852c7e4137a2a3a052fbe7ca541c7392eb6df6cb05faebbea8a78e680e98fccf7e905255f25a6168fb808ff2bb7ecec77f823e92bf886edc89720c14135

Download Submit
memory/2604-53-0x0000000001D70000-0x0000000001E41000-memory.dmp

Filesize
836KB

Download
memory/2792-22-0x0000000000900000-0x00000000009D1000-memory.dmp

Filesize
836KB

Download
memory/2856-32-0x0000000000630000-0x0000000000701000-memory.dmp

Filesize
836KB

Download