Analysis
max time kernel
94s
max time network
97s
platform
windows7_x64
resource
win7v20201028
submitted
09-11-2020 20:47
Behavioral task
behavioral1
Sample
2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
Target
2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
Size
1.1MB
MD5
10e73ff1d1437e250642fb023a42422d
SHA1
a4b4cdd5902034489ced94e245a436e06703b3b1
SHA256
751e5ac7adada8cfff8723134e59fccfe02b1f948a43d569b698104c3b03a5e7
SHA512
a6b5bef373d3e57ec9cc2b7b4f2db70e25d70a30711c57b8c212ae7377c64d0c748b1ffd97b357d7751c04568634c29c246d4d7c0098986d649ae839e6768c80
Score
1/10
Malware Config
Signatures
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious behavior: EnumeratesProcesses 3 IoCs
  Processes:
  2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
  2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
  pid process
  532 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
  1372 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
  1372 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
- Suspicious use of WriteProcessMemory 12 IoCs
  Processes:
  2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
  cmd.exe
  description pid process target process
  PID 532 wrote to memory of 1372 532 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
  PID 532 wrote to memory of 1372 532 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
  PID 532 wrote to memory of 1372 532 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
  PID 532 wrote to memory of 1372 532 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
  PID 532 wrote to memory of 1216 532 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe cmd.exe
  PID 532 wrote to memory of 1216 532 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe cmd.exe
  PID 532 wrote to memory of 1216 532 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe cmd.exe
  PID 532 wrote to memory of 1216 532 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe cmd.exe
  PID 1216 wrote to memory of 1412 1216 cmd.exe PING.EXE
  PID 1216 wrote to memory of 1412 1216 cmd.exe PING.EXE
  PID 1216 wrote to memory of 1412 1216 cmd.exe PING.EXE
  PID 1216 wrote to memory of 1412 1216 cmd.exe PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
  "C:\Users\Admin\AppData\Local\Temp\2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe" 1⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
  C:\Users\Admin\AppData\Local\Temp\2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe /C 2⤵
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe" 2⤵
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\PING.EXE
  ping.exe -n 6 127.0.0.1 3⤵
  - Runs ping.exe