f6b7aed9c264e53bbaf001e40205d1b38feafe5f51484ab9977fb9b2f4189bd9

Analysis

max time kernel
92s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$TEMP/QuickStores_Unlocker.exe
Size

425KB
MD5

13e66d856d535b6739c1c634d915e0a8
SHA1

8b8a2b930b31fbde7243d64fa03073fbfdfd85fd
SHA256

40ad334f59cf5d27fb60cf3ce0e2ce423c781ec00b9e2a8d98aca91c6db7ecf2
SHA512

921398bdfb0e1a755adf228fb0b8f29404c1bc8c7d784618ae3223af85625510c0c5d42020368f3b0def70403bf62752bbafd8f62e86e9ad05001182aa923cb7
SSDEEP

6144:x/20g715fltZaDXy6VhYYFpPuZaSHQwNrj15WHMokC6ml6x8gtV81ohySfS:p20g7JtZaNzYworj1Ysokk6ig81ifS

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5024	QuickStores_Unlocker.tmp

Loads dropped DLL 7 IoCs

pid	Process
5024	QuickStores_Unlocker.tmp
5024	QuickStores_Unlocker.tmp
5024	QuickStores_Unlocker.tmp
5024	QuickStores_Unlocker.tmp
5024	QuickStores_Unlocker.tmp
5024	QuickStores_Unlocker.tmp
5024	QuickStores_Unlocker.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	QuickStores_Unlocker.tmp
File opened for modification	C:\Windows\assembly\Desktop.ini	QuickStores_Unlocker.tmp

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}	QuickStores_Unlocker.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\NoExplorer = "1"	QuickStores_Unlocker.tmp

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\assembly\ngenlock.dat	QuickStores_Unlocker.tmp
File created	C:\Windows\assembly\tmp\30ROE94Y\Update.exe	QuickStores_Unlocker.tmp
File created	C:\Windows\assembly\tmp\ZJ7UBF2L\Interop.SHDocVw.dll	QuickStores_Unlocker.tmp
File created	C:\Windows\assembly\GACLock.dat	QuickStores_Unlocker.tmp
File created	C:\Windows\assembly\tmp\5ZY4HSUI\QuickStoresToolbar.dll	QuickStores_Unlocker.tmp
File opened for modification	C:\Windows\assembly	QuickStores_Unlocker.tmp
File created	C:\Windows\assembly\Desktop.ini	QuickStores_Unlocker.tmp
File opened for modification	C:\Windows\assembly\Desktop.ini	QuickStores_Unlocker.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QuickStores_Unlocker.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QuickStores_Unlocker.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	QuickStores_Unlocker.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F} = "QuickStores-Toolbar"	QuickStores_Unlocker.tmp
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	QuickStores_Unlocker.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0"	QuickStores_Unlocker.tmp

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\Implemented Categories\{00021494-0000-0000-C000-000000000046}	QuickStores_Unlocker.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}	QuickStores_Unlocker.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\Implemented Categories	QuickStores_Unlocker.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\ = "QuickStores-Toolbar"	QuickStores_Unlocker.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\InprocServer32\Assembly = "QuickStoresToolbar, Version=1.1.0.0, Culture=neutral, PublicKeyToken=318d21d4b0463a3b"	QuickStores_Unlocker.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}	QuickStores_Unlocker.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\MenuText = "QuickStores-Toolbar"	QuickStores_Unlocker.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\InprocServer32	QuickStores_Unlocker.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\InprocServer32\ = "mscoree.dll"	QuickStores_Unlocker.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\InprocServer32\Class = "QuickStoresToolbar.QuickStoresToolbar"	QuickStores_Unlocker.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\InprocServer32\RuntimeVersion = "v2.0.50727"	QuickStores_Unlocker.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\HelpText = "This is a free QuickStores-Toolbar."	QuickStores_Unlocker.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\Implemented Categories	QuickStores_Unlocker.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\InprocServer32\ThreadingModel = "Both"	QuickStores_Unlocker.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\Implemented Categories\{00021494-0000-0000-C000-000000000046}	QuickStores_Unlocker.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\InprocServer32	QuickStores_Unlocker.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5024	QuickStores_Unlocker.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 5024	5088	QuickStores_Unlocker.exe	83
PID 5088 wrote to memory of 5024	5088	QuickStores_Unlocker.exe	83
PID 5088 wrote to memory of 5024	5088	QuickStores_Unlocker.exe	83

C:\Users\Admin\AppData\Local\Temp\$TEMP\QuickStores_Unlocker.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\QuickStores_Unlocker.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Users\Admin\AppData\Local\Temp\is-C022T.tmp\QuickStores_Unlocker.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-C022T.tmp\QuickStores_Unlocker.tmp" /SL5="$F0046,166493,54272,C:\Users\Admin\AppData\Local\Temp\$TEMP\QuickStores_Unlocker.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Installs/modifies Browser Helper Object
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-7T6HU.tmp\isxdl.dll

Filesize
58KB

MD5
792620390aae5305220283f2ce33ca68

SHA1
d9fee4cb3e2fa5e7d88b45662fd58b30aa9979f0

SHA256
21bc620515ebbdeb125d273c2d8db45577d05408ef624464af26afcfecfd201a

SHA512
470914116f40e4f7216c840ccbc706eb7953c10e62195c9b4d15e73f422625096df6c68edb33c25e2eec3305b4a1b159054f812c4a2307aeb3e49d35ae5f575c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C022T.tmp\QuickStores_Unlocker.tmp

Filesize
683KB

MD5
ce4e0ff83ac2a3256fd5c220562294a1

SHA1
72429c43cc4ed0a184a9c7b208902005489ff49a

SHA256
130ec61d37b76fa26a4c7ebcf210467c5be3ae2ace7346546c65f093478bb06b

SHA512
b375a78ca9b8e30ba665d3934716e5d3ac5737d8cf05a562f59c8b142923e3a79f1c44b55e995bd43fd0a9056a122cbe332d33947f626fa2d5bfb9f2e1824e98

Download Submit
C:\Users\Admin\AppData\Roaming\QuickStoresToolbar\Interop.SHDocVw.dll

Filesize
124KB

MD5
2613734670b491be45410d496cef7fa8

SHA1
5b9ae74a23e76863c025fdede54c4ee3316074fb

SHA256
d84e2fcb321bb969eebca48d44787fffc8016f70660c4a58e46589dd22906bda

SHA512
69dc8ad210361bce4c28b15ad31cfccb916557fd60d366642a90a37e046ba4b023c1d41833a15534ab9413f046a5af350403e44c7e80fc40eba58724c3d14c04

Download Submit
C:\Users\Admin\AppData\Roaming\QuickStoresToolbar\QuickStoresToolbar.dll

Filesize
39KB

MD5
5494d46cbe14a5e0644cb219c9ac2fea

SHA1
d90389af5872217a258e4c5c07b7d064f50deea8

SHA256
fd3c814cd7a101ae6d82e044e9bdfc3bccd0f8b402d8f028aca53dbddc00976d

SHA512
0e3d40af922e8a2a1ed8f3a92080ff937dc6c700f1c28f34505c9710e55db0ff6f30f20ec4d36f9640fc344d799b97064a6f6b63d8da86851000c7c67e3e324f

Download Submit
C:\Users\Admin\AppData\Roaming\QuickStoresToolbar\Update.exe

Filesize
44KB

MD5
723130df7bbca7fc4bfb1f829abd13b3

SHA1
b0b2c0a3e9915ef419d5fa4f7d8c662445d78c99

SHA256
0e7bcd39f8255eaa3c9dc017586fc52f6912c0c34fabea3143beef7b211ec4a6

SHA512
037ecae3012c8e7ce6ced6f9faf10c2ebd46a517b0be4f59696f1758502741b43e7600a675c9260efee29210ab9e47b58e663ac54a434ce271c5082bed77d77c

Download Submit
memory/5024-12-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/5024-27-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/5024-66-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/5088-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/5088-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5088-67-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads