13c8b5654a48f32ee692c3c37159ed331ed6807f3267a3c5c354e7f1e257267c

Analysis

max time kernel
162s
max time network
166s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e7d6c723ed94f9a00d871dac004b2b9.exe
Size

955KB
MD5

0e7d6c723ed94f9a00d871dac004b2b9
SHA1

b8d271862a0fbacbcc72cd206928d01860766b52
SHA256

13c8b5654a48f32ee692c3c37159ed331ed6807f3267a3c5c354e7f1e257267c
SHA512

214a9f1c1d66864accce595288086820682c7e8edc1600f4715b1b7db6bf5e1b8c016d603a1d94b6f569b2bea0c6c4f860bf93f58cf6c2ee46cdeefaeb4879ea
SSDEEP

24576:dkgJqV1bveC/Z4XwseZCGYYTkGhcRszdBb:dkg0JZgwhFzhldd

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2992	questbasic.exe
2748	questbasic117.exe
1640	questbasic.exe

Loads dropped DLL 10 IoCs

pid	Process
1904	0e7d6c723ed94f9a00d871dac004b2b9.exe
1904	0e7d6c723ed94f9a00d871dac004b2b9.exe
2992	questbasic.exe
2992	questbasic.exe
2992	questbasic.exe
2992	questbasic.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
1640	questbasic.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	questbasic117.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\QuestBasic\questbasic.dll	questbasic.exe
File opened for modification	C:\Program Files (x86)\QuestBasic\questbasic.dll	questbasic.exe
File created	C:\Program Files (x86)\QuestBasic\questbasic.exe	questbasic.exe
File created	C:\Program Files (x86)\QuestBasic\uninstall.exe	0e7d6c723ed94f9a00d871dac004b2b9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x0034000000015dd6-43.dat	nsis_installer_1

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\SearchScopes\{86F14831-D88C-4BC8-B871-C8FB24D95D9B}\TopResultURLFallback = "http://www.questbasic.com/?tmp=redir_bho_bing&dist=0&prt=QUESTBASIC117&keywords={searchTerms}"	questbasic.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\SearchScopes	questbasic.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\SearchScopes\{86F14831-D88C-4BC8-B871-C8FB24D95D9B}	questbasic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\SearchScopes\{86F14831-D88C-4BC8-B871-C8FB24D95D9B}\DisplayName = "QuestBasic"	questbasic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\SearchScopes\{86F14831-D88C-4BC8-B871-C8FB24D95D9B}\URL = "http://www.questbasic.com/?prt=QUESTBASIC117&keywords={searchTerms}"	questbasic.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	questbasic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback.Save = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IE11TR"	questbasic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback = "http://www.questbasic.com/?tmp=redir_bho_bing&dist=0&prt=QUESTBASIC117&keywords={searchTerms}"	questbasic.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	questbasic117.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	questbasic117.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BDDACA89-4509-497A-BC2E-F7C64FB13C23}\52-2e-7c-7e-ba-56	questbasic117.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	questbasic117.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	questbasic117.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	questbasic117.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	questbasic117.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BDDACA89-4509-497A-BC2E-F7C64FB13C23}	questbasic117.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BDDACA89-4509-497A-BC2E-F7C64FB13C23}\WpadDecision = "0"	questbasic117.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BDDACA89-4509-497A-BC2E-F7C64FB13C23}\WpadNetworkName = "Network 2"	questbasic117.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-2e-7c-7e-ba-56	questbasic117.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	questbasic117.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BDDACA89-4509-497A-BC2E-F7C64FB13C23}\WpadDecisionTime = 80f3f130c338da01	questbasic117.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-2e-7c-7e-ba-56\WpadDecisionReason = "1"	questbasic117.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-2e-7c-7e-ba-56\WpadDecision = "0"	questbasic117.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	questbasic117.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	questbasic117.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	questbasic117.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BDDACA89-4509-497A-BC2E-F7C64FB13C23}\WpadDecisionReason = "1"	questbasic117.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	questbasic117.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	questbasic117.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-2e-7c-7e-ba-56\WpadDecisionTime = 80f3f130c338da01	questbasic117.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	questbasic117.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	questbasic117.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2992	questbasic.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe
2748	questbasic117.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1640	questbasic.exe
1640	questbasic.exe
1640	questbasic.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 2992	1904	0e7d6c723ed94f9a00d871dac004b2b9.exe	27
PID 1904 wrote to memory of 2992	1904	0e7d6c723ed94f9a00d871dac004b2b9.exe	27
PID 1904 wrote to memory of 2992	1904	0e7d6c723ed94f9a00d871dac004b2b9.exe	27
PID 1904 wrote to memory of 2992	1904	0e7d6c723ed94f9a00d871dac004b2b9.exe	27
PID 1904 wrote to memory of 2992	1904	0e7d6c723ed94f9a00d871dac004b2b9.exe	27
PID 1904 wrote to memory of 2992	1904	0e7d6c723ed94f9a00d871dac004b2b9.exe	27
PID 1904 wrote to memory of 2992	1904	0e7d6c723ed94f9a00d871dac004b2b9.exe	27
PID 2748 wrote to memory of 1640	2748	questbasic117.exe	29
PID 2748 wrote to memory of 1640	2748	questbasic117.exe	29
PID 2748 wrote to memory of 1640	2748	questbasic117.exe	29
PID 2748 wrote to memory of 1640	2748	questbasic117.exe	29

C:\Users\Admin\AppData\Local\Temp\0e7d6c723ed94f9a00d871dac004b2b9.exe
"C:\Users\Admin\AppData\Local\Temp\0e7d6c723ed94f9a00d871dac004b2b9.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Local\Temp\nsy8AC4.tmp\questbasic.exe
  "C:\Users\Admin\AppData\Local\Temp\nsy8AC4.tmp\questbasic.exe" "C:\Users\Admin\AppData\Local\Temp\nsy8AC4.tmp\questbasic.dll" xinofiki "-a " nuciririxuboc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:2992

C:\ProgramData\QuestBasic\questbasic117.exe
"C:\ProgramData\QuestBasic\questbasic117.exe" "C:\Program Files (x86)\QuestBasic\questbasic.dll" peyabeqe elowowopus
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Program Files (x86)\QuestBasic\questbasic.exe
  "C:\Program Files (x86)\QuestBasic\questbasic.exe" "C:\Program Files (x86)\QuestBasic\questbasic.dll" lejijeroc ruzafiqa
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsy8AC4.tmp\questbasic.dll

Filesize
868KB

MD5
8a46a31c1b067712f9b63babd0baf3b7

SHA1
1dca92501cfd20a61d83e0de053053bc46584bff

SHA256
f618456317634af3b4e4eb8d239c5a2ec765f34c80b94e5c85329b105879acd4

SHA512
4f4e109fc48ff05d7d946d9929f542b3d0ad937cfc85a0be398875d95f7c92524a893974cf6373c3a4153896755f1a606f23fc8d2e58e5ad1cdc6154200f3821

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8AC4.tmp\questbasic.exe

Filesize
22KB

MD5
470035efbb0cca2a90a72f91e8acc15d

SHA1
1eab3267fba9da615640927356adf43c37316243

SHA256
bc1192946baaff780ebe8a6c1b9d527ea861a8f61c265bb29dcf733bdd8e8cc1

SHA512
d76022c7ef7df4bdb8d04b07bcb1396d4dbc6fd6a2925c0df4ca719d8bcb2c381ddb46832c03b03d32db8d601c2b6c2d98da1cb72971dcbd6f4aac9b5b795ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8AC4.tmp\uninstall.exe

Filesize
78KB

MD5
927cfd923d11be469786408bf160ec2c

SHA1
01689269646b309a100f2486c623be00e540343a

SHA256
a33af05a3137bce0a6b05336749625686620d5d934867ccc70d80bfd855e5498

SHA512
0bc4a9a315831989d0fb85c24de16ab44c37013f82e221aa00faa51ab980181abaaf6e3e0c9cd313530b255355058f31a157b9b73b2a8340addfb1ad3b2b47a1

Download Submit
memory/1640-53-0x0000000001C30000-0x0000000001D01000-memory.dmp

Filesize
836KB

Download
memory/2748-32-0x0000000000940000-0x0000000000A11000-memory.dmp

Filesize
836KB

Download
memory/2992-22-0x0000000000410000-0x00000000004E1000-memory.dmp

Filesize
836KB

Download