Analysis
- max time kernel: 117s
- max time network: 117s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 20:40
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe
- Resource: win7v20201028, windows7_x64
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe
- Resource: win10v20201028, windows10_x64
- 0 signatures
- 0 seconds
General
- Target: SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe
- Size: 1.2MB
- MD5: 9d5d00bb183e7e2690c3adf041565b02
- SHA1: 5ccf4e02ed3b4e2d4a902ab15f63e33ecb49801f
- SHA256: 915c3441f6637976dfe4c25a115911d8ec6cea3c0eb8f6d4c89daf8a33be58e2
- SHA512: 58a94d493d022aa4562c03bac76c2e9b2167dba321ad5916bcd4a14c42d59bf2a8ccf0359eb2296479ce71019e2a75bd84866f980aea88d3a256e0384e3af0bd
Score
1/10
Malware Config
Signatures
- Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe

| description | ioc | process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service | SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service | SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe |
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe, SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe

| pid | process |
| --- | --- |
| 640 | SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe |
| 640 | SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe |
| 204 | SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe |
| 204 | SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe |
| 204 | SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe |
| 204 | SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe |
- Suspicious use of WriteProcessMemory 9 IoCs
Processes: SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe, cmd.exe

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 640 wrote to memory of 204 | 640 | SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe | SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe |
| PID 640 wrote to memory of 204 | 640 | SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe | SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe |
| PID 640 wrote to memory of 204 | 640 | SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe | SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe |
| PID 640 wrote to memory of 3656 | 640 | SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe | cmd.exe |
| PID 640 wrote to memory of 3656 | 640 | SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe | cmd.exe |
| PID 640 wrote to memory of 3656 | 640 | SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe | cmd.exe |
| PID 3656 wrote to memory of 4084 | 3656 | cmd.exe | PING.EXE |
| PID 3656 wrote to memory of 4084 | 3656 | cmd.exe | PING.EXE |
| PID 3656 wrote to memory of 4084 | 3656 | cmd.exe | PING.EXE |
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe" 1⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe
  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe /C 2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Qbot-FS.11041.3342.exe" 2⤵
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\PING.EXE
  ping.exe -n 6 127.0.0.1 3⤵
  - Runs ping.exe