Analysis
- max time kernel: 36s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 20:37
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe
- Resource: win7v20201028 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe
- Resource: win10v20201028 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe
- Size: 1.3MB
- MD5: 5753870132f5070fab94c532dbe5b104
- SHA1: a8c3423205eeb6dd34acb984933aaf007ba77d51
- SHA256: cc0e17c71ad98ad99e8cf36d2faa52b83a8137318932f6b6879dfb7d4431844c
- SHA512: 916d2cbd21128b70fa3ac1856737c0e976b24b202c991f08b9b109ee392102908bf6646441c763456e2ffbd2b793c6fdf3b0e027f9493ffe24ad46d4226f29c3
- Score: 1/10
Malware Config
Signatures
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  - Key value queried / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc / SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe
  - Key value queried / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service / SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 / SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe
  - Key value queried / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc / SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe
  - Key value queried / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service / SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 / SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid / process):
  - 656 / SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe
  - 656 / SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe
  - 640 / SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe
  - 640 / SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe
  - 640 / SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe
  - 640 / SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / target process):
  - PID 656 wrote to memory of 640 / 656 / SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe / SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe
  - PID 656 wrote to memory of 640 / 656 / SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe / SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe
  - PID 656 wrote to memory of 640 / 656 / SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe / SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe
  - PID 656 wrote to memory of 1300 / 656 / SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe / cmd.exe
  - PID 656 wrote to memory of 1300 / 656 / SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe / cmd.exe
  - PID 656 wrote to memory of 1300 / 656 / SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe / cmd.exe
  - PID 1300 wrote to memory of 1976 / 1300 / cmd.exe / PING.EXE
  - PID 1300 wrote to memory of 1976 / 1300 / cmd.exe / PING.EXE
  - PID 1300 wrote to memory of 1976 / 1300 / cmd.exe / PING.EXE
Processes (process tree)
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe"
  Signatures:
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe /C
    Signatures:
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Qbot-FS.13218.2878.exe"
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping.exe -n 6 127.0.0.1
      Signatures:
      - Runs ping.exe