Analysis
max time kernel: 36s
max time network: 10s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 20:37
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe
Resource: win7v20201028
0 signatures
0 seconds

Behavioral task: behavioral2
Sample: SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe
Resource: win10v20201028
0 signatures
0 seconds
General
Target: SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe
Size: 1.3MB
MD5: 5753870132f5070fab94c532dbe5b104
SHA1: a8c3423205eeb6dd34acb984933aaf007ba77d51
SHA256: cc0e17c71ad98ad99e8cf36d2faa52b83a8137318932f6b6879dfb7d4431844c
SHA512: 916d2cbd21128b70fa3ac1856737c0e976b24b202c991f08b9b109ee392102908bf6646441c763456e2ffbd2b793c6fdf3b0e027f9493ffe24ad46d4226f29c3
Malware Config
Signatures
Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe, SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe
pid | process
740 | SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe
1404 | SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe
1404 | SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe

Suspicious use of WriteProcessMemory (21 IoCs)
Processes: SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe, cmd.exe
description | pid | process | target process
PID 740 wrote to memory of 1404 | 740 | SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe | SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe (7 identical entries)
PID 740 wrote to memory of 836 | 740 | SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe | cmd.exe (7 identical entries)
PID 836 wrote to memory of 1516 | 836 | cmd.exe | PING.EXE (7 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe /C
    - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping.exe -n 6 127.0.0.1
      - Runs ping.exe