Analysis
max time kernel: 34s
max time network: 111s
platform: windows10_x64
resource: win10v20201028
submitted: 09-11-2020 20:47
Behavioral task: behavioral1
  Sample: 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
  Resource: win10v20201028 (windows10_x64)
  0 signatures, 0 seconds
General
Target: 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
Size: 1.1MB
MD5: 10e73ff1d1437e250642fb023a42422d
SHA1: a4b4cdd5902034489ced94e245a436e06703b3b1
SHA256: 751e5ac7adada8cfff8723134e59fccfe02b1f948a43d569b698104c3b03a5e7
SHA512: a6b5bef373d3e57ec9cc2b7b4f2db70e25d70a30711c57b8c212ae7377c64d0c748b1ffd97b357d7751c04568634c29c246d4d7c0098986d649ae839e6768c80
Score: 1/10
Malware Config
Signatures
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe

description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service | 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service | 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe

pid | process
3372 | 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
3372 | 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
1928 | 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
1928 | 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
1928 | 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
1928 | 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe, cmd.exe

description | pid | process | target process
PID 3372 wrote to memory of 1928 | 3372 | 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe | 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
PID 3372 wrote to memory of 1928 | 3372 | 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe | 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
PID 3372 wrote to memory of 1928 | 3372 | 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe | 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
PID 3372 wrote to memory of 1336 | 3372 | 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe | cmd.exe
PID 3372 wrote to memory of 1336 | 3372 | 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe | cmd.exe
PID 3372 wrote to memory of 1336 | 3372 | 2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe | cmd.exe
PID 1336 wrote to memory of 2408 | 1336 | cmd.exe | PING.EXE
PID 1336 wrote to memory of 2408 | 1336 | cmd.exe | PING.EXE
PID 1336 wrote to memory of 2408 | 1336 | cmd.exe | PING.EXE
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe /C
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\2020-06-08-follow-up-EXE-for-Qakbot-spx135.bin.exe"
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping.exe -n 6 127.0.0.1
      - Runs ping.exe