Analysis
max time kernel: 29s
max time network: 112s
platform: windows10_x64
resource: win10v20201028
submitted: 09-11-2020 20:37
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe
Resource: win7v20201028 (windows7_x64)
0 signatures
0 seconds

Behavioral task: behavioral2
Sample: SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe
Resource: win10v20201028 (windows10_x64)
0 signatures
0 seconds
General
Target: SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe
Size: 1.3MB
MD5: 1f16d85a332e906bdb52798a693e20b4
SHA1: 47ad555dffa907f0e916c2bd689c2fb75ae5874a
SHA256: 03d43c49387d3defe1712109bbacd0fa9d670c5a59454f07e7c1837e52d7df6c
SHA512: 9122068115338ddeb102efa7ece607136fdb25fa7ce3c53eb6bb457ea8d9fba49d23584e713f3d6f65df00d1cf710540993b6d66593954b80e0ece6a9a52b841
Score: 1/10
Malware Config
Signatures

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service | SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service | SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe, SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe
pid | process
4040 | SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe
4040 | SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe
2872 | SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe
2872 | SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe
2872 | SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe
2872 | SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe, cmd.exe
description | pid | process | target process
PID 4040 wrote to memory of 2872 | 4040 | SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe | SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe
PID 4040 wrote to memory of 2872 | 4040 | SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe | SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe
PID 4040 wrote to memory of 2872 | 4040 | SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe | SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe
PID 4040 wrote to memory of 732 | 4040 | SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe | cmd.exe
PID 4040 wrote to memory of 732 | 4040 | SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe | cmd.exe
PID 4040 wrote to memory of 732 | 4040 | SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe | cmd.exe
PID 732 wrote to memory of 2808 | 732 | cmd.exe | PING.EXE
PID 732 wrote to memory of 2808 | 732 | cmd.exe | PING.EXE
PID 732 wrote to memory of 2808 | 732 | cmd.exe | PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe"
PID: 4040
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe /C
    PID: 2872
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Qbot-FS.29402.25291.exe"
    PID: 732
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\PING.EXE
        Command line: ping.exe -n 6 127.0.0.1
        PID: 2808
        - Runs ping.exe