Analysis Overview
SHA256
c7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166
Threat Level: Known bad
The file c7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166.exe was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Qakbot/Qbot
Loads dropped DLL
Program crash
Unsigned PE
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-05-21 06:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-21 06:46
Reported
2023-05-21 06:49
Platform
win7-20230220-en
Max time kernel
150s
Max time network
34s
Command Line
Signatures
Qakbot/Qbot
Windows security bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Unposfyg = "0" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Oyvecpjgm = "0" | C:\Windows\system32\reg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Esguqpltrme | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Esguqpltrme\b857f64f = 192096032c70d5de13a78fd30d998bbfe03a70734e3741283c2201a0830e96c3346ce7a4a5fcb18063427b736cb1a844170aad8d67e8a1f0e17faa52c47d217a470b50def34e2338be1d7a23088c5ad9846a982824fb6a5f8db4269d0faebf6403b571aa39287fb1d8ab69b12a6a | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Esguqpltrme\ba16d633 = 93ba06443a51e10813ac4872f8b59d328780ae81c5d7a9f66ecebc2a7315 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Esguqpltrme\7fa2fedc = 5ff6e3ed297635111e562d441970849c058d671fd3c5f465ad7a0318b233c606af1a851303aa7f7d7a4b7710ee205ef03166caa83e371b92cd9414b418ca1c42cfbf2cb9c5f2d12b80c2c2a1d275ed9e3fd4eab31473adb7027fe96dd3d53427284c1c77a37d173073e0327b5260d0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Esguqpltrme\c71e99b9 = 2fb25fa888cd299bef54417ea2f683d4cf243c91 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Esguqpltrme\8dc82601 = f0ff3e930f50c5b4778b60f729cda7496fed74f0685392e9a8eebca2e567205e46a14f935383c62ed8fd1a9e2574464c18789dd612e28398a9a7faea229b19bc7814d48353a1c9ff6ba976f211eb21cc6799a53e6ea523c3b184ced76915bf7036916c875b9e7b79fc3c | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Esguqpltrme\2aab156 = e9532de64fcee3c6d0500a90b4799d093a3dec627d7e20d6f3b4f9 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Esguqpltrme\eb912a = 6ea8084f2ddc9799df9866947cd2bdc4b9884499569fb2e739dfc6e86c354fe9cd2c115130e77b277406fa87d8c941e4937044ec33c7b6434958c8de40204664aaaca4aeb2 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Esguqpltrme\f28149f7 = c548a20209dd20726eec6b51044478128a47262b1d664091fa5e | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Esguqpltrme\8dc82601 = f0ff29930f50f0e060832ab34aeb2b6a8cfa466b5501c4931cbc262eca2e30822695f89766181f998f652b789d094a4ca156e306b1b6902449074c8c416af7979335731e3bb98c63b852c4711875ccd11733bdcb80cbae449065996f646358675c991a5dea630c1e67c3e3d2c56cf663de7a767c5ddb453f0398f234cb2434 | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166.dll,#1
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn owuecfzhc /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\c7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166.dll\"" /SC ONCE /Z /ST 08:48 /ET 09:00
C:\Windows\system32\taskeng.exe
taskeng.exe {58803928-68FA-43D3-97A7-651191E75FD6} S-1-5-18:NT AUTHORITY\System:Service:
C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\c7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166.dll"
C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\c7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166.dll"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Unposfyg" /d "0"
C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Oyvecpjgm" /d "0"
Network
Files
C:\Users\Admin\AppData\Local\Temp\c7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166.dll
| Hash | Value |
| --- | --- |
| MD5 | 8f24a209d47eae18b6f6b5b3b5806982 |
| SHA1 | c9dfcb0ea4efd3920c8f89d9ba0ad6ce0df3dbd6 |
| SHA256 | c7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166 |
| SHA512 | 49d9adb4ad98e4dadaf092df7921c3b08cb93965ba9d486e7767a81689d501deb9cc187f5fff61beed29dd35daf9e94bfa7439e84dc28766f80acddeb807cc39 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-05-21 06:46
Reported
2023-05-21 06:48
Platform
win10v2004-20230220-en
Max time kernel
139s
Max time network
148s
Command Line
Signatures
Qakbot/Qbot
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4052 wrote to memory of 1696 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4052 wrote to memory of 1696 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4052 wrote to memory of 1696 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c7eb0facf612dbf76f5e3fe665fe0c4bfed48d94edc872952a065139720e3166.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1696 -ip 1696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 696
Network
Files