751e5ac7adada8cfff8723134e59fccfe02b1f948a43d569b698104c3b03a5e7

General

Target

2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
Size

1.1MB
MD5

10e73ff1d1437e250642fb023a42422d
SHA1

a4b4cdd5902034489ced94e245a436e06703b3b1
SHA256

751e5ac7adada8cfff8723134e59fccfe02b1f948a43d569b698104c3b03a5e7
SHA512

a6b5bef373d3e57ec9cc2b7b4f2db70e25d70a30711c57b8c212ae7377c64d0c748b1ffd97b357d7751c04568634c29c246d4d7c0098986d649ae839e6768c80

Score

1^/10

Malware Config

Signatures

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1412 PING.EXE

pid	process
1412	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe

pid	process
532	2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
1372	2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
1372	2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.execmd.exe

description	pid	process	target process
PID 532 wrote to memory of 1372	532	2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe	2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
PID 532 wrote to memory of 1372	532	2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe	2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
PID 532 wrote to memory of 1372	532	2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe	2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
PID 532 wrote to memory of 1372	532	2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe	2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
PID 532 wrote to memory of 1216	532	2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe	cmd.exe
PID 532 wrote to memory of 1216	532	2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe	cmd.exe
PID 532 wrote to memory of 1216	532	2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe	cmd.exe
PID 532 wrote to memory of 1216	532	2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe	cmd.exe
PID 1216 wrote to memory of 1412	1216	cmd.exe	PING.EXE
PID 1216 wrote to memory of 1412	1216	cmd.exe	PING.EXE
PID 1216 wrote to memory of 1412	1216	cmd.exe	PING.EXE
PID 1216 wrote to memory of 1412	1216	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
"C:\Users\Admin\AppData\Local\Temp\2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:532

C:\Users\Admin\AppData\Local\Temp\2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
C:\Users\Admin\AppData\Local\Temp\2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe /C
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 6 127.0.0.1
3⤵
- Runs ping.exe
PID:1412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1216-2-0x0000000000000000-mapping.dmp

Download
memory/1372-0-0x0000000000000000-mapping.dmp

Download
memory/1372-1-0x0000000002360000-0x0000000002371000-memory.dmp

Filesize
68KB

Download
memory/1412-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing