Analysis Overview
SHA256
7803a0cfd5572aa9d9e3d60b071a26497823bff93f4f656f9d7fcfea561a097f
Threat Level: Known bad
The file 19.gif.exe was found to be: Known bad.
Malicious Activity Summary
Qakbot/Qbot
Executes dropped EXE
Loads dropped DLL
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-07 04:43
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-07 04:43
Reported
2021-05-07 04:45
Platform
win7v20210410
Max time kernel
134s
Max time network
124s
Command Line
Signatures
Qakbot/Qbot
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19.gif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19.gif.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19.gif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19.gif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19.gif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19.gif.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\19.gif.exe
"C:\Users\Admin\AppData\Local\Temp\19.gif.exe"
C:\Users\Admin\AppData\Local\Temp\19.gif.exe
C:\Users\Admin\AppData\Local\Temp\19.gif.exe /C
C:\Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ytrdfgqpoc /tr "\"C:\Users\Admin\AppData\Local\Temp\19.gif.exe\" /I ytrdfgqpoc" /SC ONCE /Z /ST 04:49 /ET 05:01
C:\Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.exe /C
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {1FDE8F07-C4DF-4444-9147-2BC9B00B8F40} S-1-5-18:NT AUTHORITY\System:Service:
C:\Users\Admin\AppData\Local\Temp\19.gif.exe
C:\Users\Admin\AppData\Local\Temp\19.gif.exe /I ytrdfgqpoc
Network
Files
memory/1676-59-0x0000000075971000-0x0000000075973000-memory.dmp
memory/1676-60-0x0000000000220000-0x0000000000254000-memory.dmp
memory/1676-61-0x0000000000400000-0x0000000000445000-memory.dmp
memory/1280-62-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.exe
| MD5 | 336aaae4fa380c66834c8665172cf179 |
| SHA1 | c0a93f789ce3bb1471cce677573f05143192cc90 |
| SHA256 | 7803a0cfd5572aa9d9e3d60b071a26497823bff93f4f656f9d7fcfea561a097f |
| SHA512 | 1f7544f67da48df9f22f856d084f2adb5485639f6bd92fe0513e0f08efe6c95760dd549a8208560753a73e7db04424d5694beff171bf7946a4643fd34c225908 |
memory/1200-68-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.exe
| MD5 | 336aaae4fa380c66834c8665172cf179 |
| SHA1 | c0a93f789ce3bb1471cce677573f05143192cc90 |
| SHA256 | 7803a0cfd5572aa9d9e3d60b071a26497823bff93f4f656f9d7fcfea561a097f |
| SHA512 | 1f7544f67da48df9f22f856d084f2adb5485639f6bd92fe0513e0f08efe6c95760dd549a8208560753a73e7db04424d5694beff171bf7946a4643fd34c225908 |
C:\Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.exe
| MD5 | 336aaae4fa380c66834c8665172cf179 |
| SHA1 | c0a93f789ce3bb1471cce677573f05143192cc90 |
| SHA256 | 7803a0cfd5572aa9d9e3d60b071a26497823bff93f4f656f9d7fcfea561a097f |
| SHA512 | 1f7544f67da48df9f22f856d084f2adb5485639f6bd92fe0513e0f08efe6c95760dd549a8208560753a73e7db04424d5694beff171bf7946a4643fd34c225908 |
memory/1584-70-0x0000000000000000-mapping.dmp
memory/1200-73-0x0000000000400000-0x0000000000445000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.exe
| MD5 | 336aaae4fa380c66834c8665172cf179 |
| SHA1 | c0a93f789ce3bb1471cce677573f05143192cc90 |
| SHA256 | 7803a0cfd5572aa9d9e3d60b071a26497823bff93f4f656f9d7fcfea561a097f |
| SHA512 | 1f7544f67da48df9f22f856d084f2adb5485639f6bd92fe0513e0f08efe6c95760dd549a8208560753a73e7db04424d5694beff171bf7946a4643fd34c225908 |
memory/972-75-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.exe
| MD5 | 336aaae4fa380c66834c8665172cf179 |
| SHA1 | c0a93f789ce3bb1471cce677573f05143192cc90 |
| SHA256 | 7803a0cfd5572aa9d9e3d60b071a26497823bff93f4f656f9d7fcfea561a097f |
| SHA512 | 1f7544f67da48df9f22f856d084f2adb5485639f6bd92fe0513e0f08efe6c95760dd549a8208560753a73e7db04424d5694beff171bf7946a4643fd34c225908 |
memory/740-80-0x0000000000000000-mapping.dmp
memory/740-82-0x0000000074C71000-0x0000000074C73000-memory.dmp
memory/740-83-0x0000000000370000-0x00000000003A7000-memory.dmp
memory/740-84-0x00000000004B0000-0x00000000004DE000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Msieeyoqllae\ghjboux.dat
| MD5 | a8282ff7add57c5bd9bde6958b6df91f |
| SHA1 | 16e7a6db1385e74c95903aed5f75c8cd314c1658 |
| SHA256 | 7aede93365e1b4bd93fc2b81eb51551fce60fd322b557ce933ad8fd0e3044517 |
| SHA512 | bfff6891053d5f3440df201e7104a9f90dbca4af408f0014cf695190448d9fdcdc0a72570e7a306ed49ca9c1e82c302bcd46ff62edaa50f4b8f4a34a4db1fbca |
memory/1456-86-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-07 04:43
Reported
2021-05-07 04:45
Platform
win10v20210410
Max time kernel
139s
Max time network
134s
Command Line
Signatures
Qakbot/Qbot
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Mruylot\wgmteiuw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Mruylot\wgmteiuw.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | C:\Users\Admin\AppData\Local\Temp\19.gif.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service | C:\Users\Admin\AppData\Roaming\Microsoft\Mruylot\wgmteiuw.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | C:\Users\Admin\AppData\Roaming\Microsoft\Mruylot\wgmteiuw.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service | C:\Users\Admin\AppData\Roaming\Microsoft\Mruylot\wgmteiuw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | C:\Users\Admin\AppData\Roaming\Microsoft\Mruylot\wgmteiuw.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | C:\Users\Admin\AppData\Local\Temp\19.gif.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service | C:\Users\Admin\AppData\Local\Temp\19.gif.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | C:\Users\Admin\AppData\Local\Temp\19.gif.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | C:\Users\Admin\AppData\Local\Temp\19.gif.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service | C:\Users\Admin\AppData\Local\Temp\19.gif.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | C:\Users\Admin\AppData\Roaming\Microsoft\Mruylot\wgmteiuw.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | C:\Users\Admin\AppData\Roaming\Microsoft\Mruylot\wgmteiuw.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Mruylot\wgmteiuw.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\19.gif.exe
"C:\Users\Admin\AppData\Local\Temp\19.gif.exe"
C:\Users\Admin\AppData\Local\Temp\19.gif.exe
C:\Users\Admin\AppData\Local\Temp\19.gif.exe /C
C:\Users\Admin\AppData\Roaming\Microsoft\Mruylot\wgmteiuw.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Mruylot\wgmteiuw.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn djlxyyuwlz /tr "\"C:\Users\Admin\AppData\Local\Temp\19.gif.exe\" /I djlxyyuwlz" /SC ONCE /Z /ST 04:49 /ET 05:01
C:\Users\Admin\AppData\Roaming\Microsoft\Mruylot\wgmteiuw.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Mruylot\wgmteiuw.exe /C
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\19.gif.exe
C:\Users\Admin\AppData\Local\Temp\19.gif.exe /I djlxyyuwlz
Network
Files
memory/4048-114-0x0000000002060000-0x0000000002094000-memory.dmp
memory/4048-115-0x0000000000400000-0x0000000000445000-memory.dmp
memory/2864-116-0x0000000000000000-mapping.dmp
memory/3520-119-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Mruylot\wgmteiuw.exe
| MD5 | 336aaae4fa380c66834c8665172cf179 |
| SHA1 | c0a93f789ce3bb1471cce677573f05143192cc90 |
| SHA256 | 7803a0cfd5572aa9d9e3d60b071a26497823bff93f4f656f9d7fcfea561a097f |
| SHA512 | 1f7544f67da48df9f22f856d084f2adb5485639f6bd92fe0513e0f08efe6c95760dd549a8208560753a73e7db04424d5694beff171bf7946a4643fd34c225908 |
C:\Users\Admin\AppData\Roaming\Microsoft\Mruylot\wgmteiuw.exe
| MD5 | 336aaae4fa380c66834c8665172cf179 |
| SHA1 | c0a93f789ce3bb1471cce677573f05143192cc90 |
| SHA256 | 7803a0cfd5572aa9d9e3d60b071a26497823bff93f4f656f9d7fcfea561a097f |
| SHA512 | 1f7544f67da48df9f22f856d084f2adb5485639f6bd92fe0513e0f08efe6c95760dd549a8208560753a73e7db04424d5694beff171bf7946a4643fd34c225908 |
memory/2024-122-0x0000000000000000-mapping.dmp
memory/3228-125-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Mruylot\wgmteiuw.exe
| MD5 | 336aaae4fa380c66834c8665172cf179 |
| SHA1 | c0a93f789ce3bb1471cce677573f05143192cc90 |
| SHA256 | 7803a0cfd5572aa9d9e3d60b071a26497823bff93f4f656f9d7fcfea561a097f |
| SHA512 | 1f7544f67da48df9f22f856d084f2adb5485639f6bd92fe0513e0f08efe6c95760dd549a8208560753a73e7db04424d5694beff171bf7946a4643fd34c225908 |
memory/3996-129-0x0000000000000000-mapping.dmp
memory/3996-131-0x0000000000930000-0x000000000095E000-memory.dmp
memory/3996-130-0x0000000000640000-0x0000000000677000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Mruylot\wgmteiuw.dat
| MD5 | c2b793d035ebe37eb2d5e4f4a0f06b91 |
| SHA1 | ec1fe6ed1ff58b436e23bb713a65b6f30a49d285 |
| SHA256 | b9c2ca7630354e8bc4c8dfaef963f7be6bfb3f1af424bff338886b7bcfd01502 |
| SHA512 | a8004e0c0b9601696837a0856d7e9bdf0c401188f7fdee6ca41c52c821d56ffc93f0309af4dcbb3a39cb62e6599e63edca698b27432748ac9c1fa446720942ab |