Analysis Overview
SHA256: 7803a0cfd5572aa9d9e3d60b071a26497823bff93f4f656f9d7fcfea561a097f
Threat Level: Known bad
The file 19.gif.exe was found to be: Known bad.
Malicious Activity Summary
Qakbot/Qbot
Executes dropped EXE
Loads dropped DLL
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2021-05-07 05:02
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2021-05-07 05:02
Reported: 2021-05-07 05:04
Platform: win7v20210408
Max time kernel: 95s
Max time network: 11s
Command Line
Signatures
Qakbot/Qbot
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Llpxlgaemiae\wporiwa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Llpxlgaemiae\wporiwa.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19.gif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19.gif.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19.gif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19.gif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19.gif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Llpxlgaemiae\wporiwa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Llpxlgaemiae\wporiwa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Llpxlgaemiae\wporiwa.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19.gif.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Llpxlgaemiae\wporiwa.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\19.gif.exe | "C:\Users\Admin\AppData\Local\Temp\19.gif.exe" |
| C:\Users\Admin\AppData\Local\Temp\19.gif.exe | C:\Users\Admin\AppData\Local\Temp\19.gif.exe /C |
| C:\Users\Admin\AppData\Roaming\Microsoft\Llpxlgaemiae\wporiwa.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Llpxlgaemiae\wporiwa.exe |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn pvuvyinrrw /tr "\"C:\Users\Admin\AppData\Local\Temp\19.gif.exe\" /I pvuvyinrrw" /SC ONCE /Z /ST 07:00 /ET 07:12 |
| C:\Users\Admin\AppData\Roaming\Microsoft\Llpxlgaemiae\wporiwa.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Llpxlgaemiae\wporiwa.exe /C |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\system32\taskeng.exe | taskeng.exe {D110FF84-A707-4D56-98A3-86EA06777784} S-1-5-18:NT AUTHORITY\System:Service: |
| C:\Users\Admin\AppData\Local\Temp\19.gif.exe | C:\Users\Admin\AppData\Local\Temp\19.gif.exe /I pvuvyinrrw |
Network
Files
memory/1608-60-0x0000000075801000-0x0000000075803000-memory.dmp
memory/1608-61-0x0000000000220000-0x0000000000254000-memory.dmp
memory/1608-62-0x0000000000400000-0x0000000000445000-memory.dmp
memory/1712-63-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\Microsoft\Llpxlgaemiae\wporiwa.exe
| Hash | Value |
| --- | --- |
| MD5 | 336aaae4fa380c66834c8665172cf179 |
| SHA1 | c0a93f789ce3bb1471cce677573f05143192cc90 |
| SHA256 | 7803a0cfd5572aa9d9e3d60b071a26497823bff93f4f656f9d7fcfea561a097f |
| SHA512 | 1f7544f67da48df9f22f856d084f2adb5485639f6bd92fe0513e0f08efe6c95760dd549a8208560753a73e7db04424d5694beff171bf7946a4643fd34c225908 |
memory/1460-69-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\Microsoft\Llpxlgaemiae\wporiwa.exe
| Hash | Value |
| --- | --- |
| MD5 | 336aaae4fa380c66834c8665172cf179 |
| SHA1 | c0a93f789ce3bb1471cce677573f05143192cc90 |
| SHA256 | 7803a0cfd5572aa9d9e3d60b071a26497823bff93f4f656f9d7fcfea561a097f |
| SHA512 | 1f7544f67da48df9f22f856d084f2adb5485639f6bd92fe0513e0f08efe6c95760dd549a8208560753a73e7db04424d5694beff171bf7946a4643fd34c225908 |
C:\Users\Admin\AppData\Roaming\Microsoft\Llpxlgaemiae\wporiwa.exe
| Hash | Value |
| --- | --- |
| MD5 | 336aaae4fa380c66834c8665172cf179 |
| SHA1 | c0a93f789ce3bb1471cce677573f05143192cc90 |
| SHA256 | 7803a0cfd5572aa9d9e3d60b071a26497823bff93f4f656f9d7fcfea561a097f |
| SHA512 | 1f7544f67da48df9f22f856d084f2adb5485639f6bd92fe0513e0f08efe6c95760dd549a8208560753a73e7db04424d5694beff171bf7946a4643fd34c225908 |
memory/1232-71-0x0000000000000000-mapping.dmp
memory/1460-74-0x0000000000400000-0x0000000000445000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Llpxlgaemiae\wporiwa.exe
| Hash | Value |
| --- | --- |
| MD5 | 336aaae4fa380c66834c8665172cf179 |
| SHA1 | c0a93f789ce3bb1471cce677573f05143192cc90 |
| SHA256 | 7803a0cfd5572aa9d9e3d60b071a26497823bff93f4f656f9d7fcfea561a097f |
| SHA512 | 1f7544f67da48df9f22f856d084f2adb5485639f6bd92fe0513e0f08efe6c95760dd549a8208560753a73e7db04424d5694beff171bf7946a4643fd34c225908 |
C:\Users\Admin\AppData\Roaming\Microsoft\Llpxlgaemiae\wporiwa.exe
| Hash | Value |
| --- | --- |
| MD5 | 336aaae4fa380c66834c8665172cf179 |
| SHA1 | c0a93f789ce3bb1471cce677573f05143192cc90 |
| SHA256 | 7803a0cfd5572aa9d9e3d60b071a26497823bff93f4f656f9d7fcfea561a097f |
| SHA512 | 1f7544f67da48df9f22f856d084f2adb5485639f6bd92fe0513e0f08efe6c95760dd549a8208560753a73e7db04424d5694beff171bf7946a4643fd34c225908 |
memory/1624-76-0x0000000000000000-mapping.dmp
memory/1228-81-0x0000000000000000-mapping.dmp
memory/1228-83-0x0000000074481000-0x0000000074483000-memory.dmp
memory/1228-84-0x00000000000E0000-0x0000000000117000-memory.dmp
memory/1228-85-0x0000000000150000-0x000000000017E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Llpxlgaemiae\wporiwa.dat
| Hash | Value |
| --- | --- |
| MD5 | ae212c4c08c7d983c4f29f995f574310 |
| SHA1 | c7529b6ffffd17f35b32e2b662f80dc20efd9bc1 |
| SHA256 | 784e033c392993ca556bbee0b4536f6504000e697700b8328ae1bca4809c21a9 |
| SHA512 | b6da0d10b4a3900ea6c9a570aa97b32370e25e00751afc3dd645b5303e42bd1775d9ec5b8e90c6586d7d22e3674ec9fee0a3c69e9308477c704c47d7660add95 |
memory/112-87-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2021-05-07 05:02
Reported: 2021-05-07 05:04
Platform: win10v20210410
Max time kernel: 149s
Max time network: 110s
Command Line
Signatures
Qakbot/Qbot
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Vuyrcczneeuy\aeote.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Vuyrcczneeuy\aeote.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | C:\Users\Admin\AppData\Local\Temp\19.gif.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service | C:\Users\Admin\AppData\Local\Temp\19.gif.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | C:\Users\Admin\AppData\Roaming\Microsoft\Vuyrcczneeuy\aeote.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service | C:\Users\Admin\AppData\Roaming\Microsoft\Vuyrcczneeuy\aeote.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | C:\Users\Admin\AppData\Roaming\Microsoft\Vuyrcczneeuy\aeote.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | C:\Users\Admin\AppData\Roaming\Microsoft\Vuyrcczneeuy\aeote.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service | C:\Users\Admin\AppData\Roaming\Microsoft\Vuyrcczneeuy\aeote.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | C:\Users\Admin\AppData\Local\Temp\19.gif.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | C:\Users\Admin\AppData\Local\Temp\19.gif.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | C:\Users\Admin\AppData\Local\Temp\19.gif.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service | C:\Users\Admin\AppData\Local\Temp\19.gif.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | C:\Users\Admin\AppData\Roaming\Microsoft\Vuyrcczneeuy\aeote.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Vuyrcczneeuy\aeote.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\19.gif.exe | "C:\Users\Admin\AppData\Local\Temp\19.gif.exe" |
| C:\Users\Admin\AppData\Local\Temp\19.gif.exe | C:\Users\Admin\AppData\Local\Temp\19.gif.exe /C |
| C:\Users\Admin\AppData\Roaming\Microsoft\Vuyrcczneeuy\aeote.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Vuyrcczneeuy\aeote.exe |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn mikexek /tr "\"C:\Users\Admin\AppData\Local\Temp\19.gif.exe\" /I mikexek" /SC ONCE /Z /ST 05:08 /ET 05:20 |
| C:\Users\Admin\AppData\Roaming\Microsoft\Vuyrcczneeuy\aeote.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Vuyrcczneeuy\aeote.exe /C |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Users\Admin\AppData\Local\Temp\19.gif.exe | C:\Users\Admin\AppData\Local\Temp\19.gif.exe /I mikexek |
Network
Files
memory/3540-114-0x0000000002050000-0x0000000002084000-memory.dmp
memory/3540-115-0x0000000000400000-0x0000000000445000-memory.dmp
memory/200-116-0x0000000000000000-mapping.dmp
memory/200-117-0x0000000000450000-0x00000000004FE000-memory.dmp
memory/1548-119-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Vuyrcczneeuy\aeote.exe
| Hash | Value |
| --- | --- |
| MD5 | 336aaae4fa380c66834c8665172cf179 |
| SHA1 | c0a93f789ce3bb1471cce677573f05143192cc90 |
| SHA256 | 7803a0cfd5572aa9d9e3d60b071a26497823bff93f4f656f9d7fcfea561a097f |
| SHA512 | 1f7544f67da48df9f22f856d084f2adb5485639f6bd92fe0513e0f08efe6c95760dd549a8208560753a73e7db04424d5694beff171bf7946a4643fd34c225908 |
C:\Users\Admin\AppData\Roaming\Microsoft\Vuyrcczneeuy\aeote.exe
| Hash | Value |
| --- | --- |
| MD5 | 336aaae4fa380c66834c8665172cf179 |
| SHA1 | c0a93f789ce3bb1471cce677573f05143192cc90 |
| SHA256 | 7803a0cfd5572aa9d9e3d60b071a26497823bff93f4f656f9d7fcfea561a097f |
| SHA512 | 1f7544f67da48df9f22f856d084f2adb5485639f6bd92fe0513e0f08efe6c95760dd549a8208560753a73e7db04424d5694beff171bf7946a4643fd34c225908 |
memory/2352-122-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Vuyrcczneeuy\aeote.exe
| Hash | Value |
| --- | --- |
| MD5 | 336aaae4fa380c66834c8665172cf179 |
| SHA1 | c0a93f789ce3bb1471cce677573f05143192cc90 |
| SHA256 | 7803a0cfd5572aa9d9e3d60b071a26497823bff93f4f656f9d7fcfea561a097f |
| SHA512 | 1f7544f67da48df9f22f856d084f2adb5485639f6bd92fe0513e0f08efe6c95760dd549a8208560753a73e7db04424d5694beff171bf7946a4643fd34c225908 |
memory/2720-125-0x0000000000000000-mapping.dmp
memory/2720-127-0x00000000005A0000-0x00000000006EA000-memory.dmp
memory/3464-129-0x0000000000000000-mapping.dmp
memory/3464-130-0x0000000000B00000-0x0000000000B37000-memory.dmp
memory/3464-131-0x0000000000ED0000-0x0000000000FA1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Vuyrcczneeuy\aeote.dat
| Hash | Value |
| --- | --- |
| MD5 | c251ea15e5d97558f20d84123343c805 |
| SHA1 | 86870a6e40465b74e991c3fc919621d7f388d0e5 |
| SHA256 | 5058d70ccd27706290ecd7b6b63a3c12396857fa57b7a46ae4b75a46f19841b5 |
| SHA512 | 1afc4ebfbc2c4332c2e279dde75808600f59546125a99abe7ec36b0c75a05002729eb5a57a8972bd0a9588f98e1114a5e662528220f2409491210366f799c916 |
\??\PIPE\wkssvc
| Hash | Value |
| --- | --- |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |