13c8b5654a48f32ee692c3c37159ed331ed6807f3267a3c5c354e7f1e257267c

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e7d6c723ed94f9a00d871dac004b2b9.exe
Size

955KB
MD5

0e7d6c723ed94f9a00d871dac004b2b9
SHA1

b8d271862a0fbacbcc72cd206928d01860766b52
SHA256

13c8b5654a48f32ee692c3c37159ed331ed6807f3267a3c5c354e7f1e257267c
SHA512

214a9f1c1d66864accce595288086820682c7e8edc1600f4715b1b7db6bf5e1b8c016d603a1d94b6f569b2bea0c6c4f860bf93f58cf6c2ee46cdeefaeb4879ea
SSDEEP

24576:dkgJqV1bveC/Z4XwseZCGYYTkGhcRszdBb:dkg0JZgwhFzhldd

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4648	questbasic.exe
448	questbasic117.exe
3768	questbasic.exe

Loads dropped DLL 3 IoCs

pid	Process
4648	questbasic.exe
448	questbasic117.exe
3768	questbasic.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	questbasic117.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	questbasic117.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	questbasic117.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	questbasic117.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\NFTIZ05A.htm	questbasic117.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\QuestBasic\questbasic.dll	questbasic.exe
File opened for modification	C:\Program Files (x86)\QuestBasic\questbasic.dll	questbasic.exe
File created	C:\Program Files (x86)\QuestBasic\questbasic.exe	questbasic.exe
File created	C:\Program Files (x86)\QuestBasic\uninstall.exe	0e7d6c723ed94f9a00d871dac004b2b9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Internet Explorer\SearchScopes	questbasic.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{86F14831-D88C-4BC8-B871-C8FB24D95D9B}	questbasic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{86F14831-D88C-4BC8-B871-C8FB24D95D9B}\DisplayName = "QuestBasic"	questbasic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{86F14831-D88C-4BC8-B871-C8FB24D95D9B}\URL = "http://www.questbasic.com/?prt=QUESTBASIC117&keywords={searchTerms}"	questbasic.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	questbasic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback = "http://www.questbasic.com/?tmp=redir_bho_bing&dist=0&prt=QUESTBASIC117&keywords={searchTerms}"	questbasic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{86F14831-D88C-4BC8-B871-C8FB24D95D9B}\TopResultURLFallback = "http://www.questbasic.com/?tmp=redir_bho_bing&dist=0&prt=QUESTBASIC117&keywords={searchTerms}"	questbasic.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	questbasic117.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	questbasic117.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	questbasic117.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	questbasic117.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	questbasic117.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	questbasic117.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	questbasic117.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	questbasic117.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4648	questbasic.exe
4648	questbasic.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe
448	questbasic117.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3768	questbasic.exe
3768	questbasic.exe
3768	questbasic.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 4648	1872	0e7d6c723ed94f9a00d871dac004b2b9.exe	96
PID 1872 wrote to memory of 4648	1872	0e7d6c723ed94f9a00d871dac004b2b9.exe	96
PID 1872 wrote to memory of 4648	1872	0e7d6c723ed94f9a00d871dac004b2b9.exe	96
PID 448 wrote to memory of 3768	448	questbasic117.exe	94
PID 448 wrote to memory of 3768	448	questbasic117.exe	94
PID 448 wrote to memory of 3768	448	questbasic117.exe	94

C:\Users\Admin\AppData\Local\Temp\0e7d6c723ed94f9a00d871dac004b2b9.exe
"C:\Users\Admin\AppData\Local\Temp\0e7d6c723ed94f9a00d871dac004b2b9.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Users\Admin\AppData\Local\Temp\nsq4930.tmp\questbasic.exe
  "C:\Users\Admin\AppData\Local\Temp\nsq4930.tmp\questbasic.exe" "C:\Users\Admin\AppData\Local\Temp\nsq4930.tmp\questbasic.dll" xinofiki "-a " nuciririxuboc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:4648

C:\Program Files (x86)\QuestBasic\questbasic.exe
"C:\Program Files (x86)\QuestBasic\questbasic.exe" "C:\Program Files (x86)\QuestBasic\questbasic.dll" lejijeroc ruzafiqa
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3768

C:\ProgramData\QuestBasic\questbasic117.exe
"C:\ProgramData\QuestBasic\questbasic117.exe" "C:\Program Files (x86)\QuestBasic\questbasic.dll" peyabeqe elowowopus
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsq4930.tmp\questbasic.dll

Filesize
95KB

MD5
557cd263a057b229463048de3662619b

SHA1
f89eb5bb4d30dbf884a351a9bd8dc8f1706b69c8

SHA256
9d11019ae7c974f10e6db55de92fa6ac3e6567c83fcbda8f5eb4e3e4225423bb

SHA512
291646b4090b6521a8b6f8674a2dd7ac91fb9249f435dfa50adc490d9d69abb16cceb43083d210bbd983da81e05863d573d5dfc7db34800023e07de8a69f1899

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq4930.tmp\questbasic.dll

Filesize
92KB

MD5
93491e26f20fea158892b04e84e53a45

SHA1
7d8d04488f87defeb0c34a6da71284388e3f0b9c

SHA256
9adf3da8be4edd31f7540bb85c7c095327cfde5215a19a47342e058585229899

SHA512
273f81e5f8a09883a98540f1686a10fd39f1a7edae6ab6f6156d778a834d54f49c69009236cae93445cfe4643e885c67b4b73db6165cd96ea61f606b7140243e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq4930.tmp\questbasic.exe

Filesize
22KB

MD5
470035efbb0cca2a90a72f91e8acc15d

SHA1
1eab3267fba9da615640927356adf43c37316243

SHA256
bc1192946baaff780ebe8a6c1b9d527ea861a8f61c265bb29dcf733bdd8e8cc1

SHA512
d76022c7ef7df4bdb8d04b07bcb1396d4dbc6fd6a2925c0df4ca719d8bcb2c381ddb46832c03b03d32db8d601c2b6c2d98da1cb72971dcbd6f4aac9b5b795ff2

Download Submit
memory/448-26-0x0000000000D10000-0x0000000000DE1000-memory.dmp

Filesize
836KB

Download
memory/3768-46-0x00000000020C0000-0x0000000002191000-memory.dmp

Filesize
836KB

Download
memory/4648-15-0x00000000006C0000-0x0000000000791000-memory.dmp

Filesize
836KB

Download