Analysis
max time kernel: 134s
resource: win7v191014
submitted: 09-01-2020 02:05
Task: task1
Sample: lhuft.exe
Resource: win7v191014
General
Malware Config
Extracted
qakbot
1577715876
80.14.209.42:2222
207.237.1.152:443
74.96.151.6:443
137.99.224.198:443
172.221.45.151:443
71.30.56.170:443
184.191.62.78:443
73.195.20.237:443
173.3.132.17:995
71.88.220.181:443
64.19.74.29:995
47.23.101.26:465
208.126.142.17:443
66.214.75.176:443
75.97.151.96:995
45.45.105.94:995
71.226.140.73:443
45.45.105.94:443
24.229.245.124:995
76.180.69.236:443
138.122.5.214:443
174.101.35.214:443
206.51.202.106:50002
162.244.224.166:443
24.32.119.146:443
130.93.11.211:443
73.133.46.105:995
98.118.162.34:443
12.5.37.3:443
71.77.231.251:443
172.242.9.118:995
75.165.141.78:443
12.5.37.3:995
108.227.161.27:443
162.244.225.30:443
100.1.47.98:443
24.229.150.54:995
72.187.35.131:443
46.248.61.176:995
68.49.120.179:443
24.191.227.91:2222
98.252.150.180:443
184.167.2.251:2222
67.214.21.207:443
47.180.66.10:443
72.190.101.70:443
70.124.29.226:443
100.38.164.182:443
100.40.48.96:443
47.182.89.157:443
75.110.250.89:443
67.10.18.112:993
173.73.29.192:443
72.142.106.198:465
181.126.80.118:443
173.172.205.216:443
68.174.15.223:443
72.16.212.107:465
75.131.72.82:443
207.179.194.91:443
74.194.4.181:443
35.134.202.234:443
172.78.87.180:443
23.240.185.215:443
184.74.101.234:995
66.222.88.126:995
100.4.185.8:443
173.22.120.11:2222
104.3.91.20:995
73.226.220.56:443
75.90.230.120:995
75.131.72.82:995
24.189.222.222:2222
67.175.106.199:443
64.250.55.239:443
2.50.157.233:443
107.5.252.194:443
98.237.120.65:995
66.171.8.157:443
96.241.184.247:443
71.220.197.129:443
72.209.191.27:443
100.38.123.22:443
104.152.16.45:995
96.236.196.34:443
67.141.21.18:443
200.84.4.84:2222
104.191.66.184:443
96.227.138.53:443
64.203.122.88:995
108.39.114.84:443
73.239.11.160:443
47.185.43.243:443
108.190.148.31:2222
108.49.221.180:443
138.122.5.214:443
81.147.42.129:2222
47.138.5.199:443
206.255.41.196:443
71.233.73.222:995
71.80.227.238:443
201.152.128.154:995
86.140.13.103:2222
97.96.51.117:443
107.12.131.249:443
74.71.216.1:443
24.202.42.48:2222
67.246.16.250:995
75.70.218.193:443
86.169.244.41:2222
69.207.20.233:443
32.208.1.239:443
74.33.69.22:443
75.165.181.122:443
205.250.79.62:443
76.23.204.29:443
47.227.198.155:443
72.29.181.77:2078
47.146.169.85:443
176.205.63.149:995
72.28.255.159:443
184.180.157.203:2222
174.48.72.160:443
70.177.25.99:443
46.153.47.127:443
75.121.10.204:443
184.4.192.200:443
66.90.149.186:443
68.1.115.106:443
89.242.145.107:2222
74.105.139.160:443
50.78.93.74:995
2.190.199.153:443
207.178.109.161:443
216.152.7.12:443
166.62.180.194:2078
47.153.115.154:995
162.248.148.114:443
181.197.195.138:995
138.122.5.214:2222
73.84.179.163:0
117.204.232.187:995
78.13.212.163:2222
96.242.232.231:443
75.142.59.167:443
173.79.220.156:443
24.27.82.216:2222
62.103.70.217:995
98.171.66.125:443
72.228.3.116:443
Signatures
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
description | pid | process | target process
PID 1696 wrote to memory of 1112 | 1696 | lhuft.exe | lhuft.exe
PID 1696 wrote to memory of 744 | 1696 | lhuft.exe | mishpeor.exe
PID 1696 wrote to memory of 1992 | 1696 | lhuft.exe | schtasks.exe
PID 744 wrote to memory of 552 | 744 | mishpeor.exe | mishpeor.exe
PID 744 wrote to memory of 1292 | 744 | mishpeor.exe | explorer.exe
PID 1688 wrote to memory of 1968 | 1688 | taskeng.exe | lhuft.exe
PID 1968 wrote to memory of 1124 | 1968 | lhuft.exe | reg.exe
PID 1968 wrote to memory of 240 | 1968 | lhuft.exe | reg.exe
PID 1968 wrote to memory of 2036 | 1968 | lhuft.exe | reg.exe
PID 1968 wrote to memory of 2032 | 1968 | lhuft.exe | reg.exe
PID 1968 wrote to memory of 1360 | 1968 | lhuft.exe | reg.exe
PID 1968 wrote to memory of 1476 | 1968 | lhuft.exe | reg.exe
PID 1968 wrote to memory of 332 | 1968 | lhuft.exe | reg.exe
PID 1968 wrote to memory of 996 | 1968 | lhuft.exe | reg.exe
PID 1968 wrote to memory of 1760 | 1968 | lhuft.exe | reg.exe
PID 1968 wrote to memory of 1560 | 1968 | lhuft.exe | mishpeor.exe
PID 1560 wrote to memory of 1704 | 1560 | mishpeor.exe | mishpeor.exe
PID 1968 wrote to memory of 1716 | 1968 | lhuft.exe | cmd.exe
PID 1968 wrote to memory of 280 | 1968 | lhuft.exe | schtasks.exe
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid | process
744 | mishpeor.exe
Turn off Windows Defender SpyNet reporting 6 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent = "2" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | reg.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
pid | process
1696 | lhuft.exe
1112 | lhuft.exe
744 | mishpeor.exe
552 | mishpeor.exe
1292 | explorer.exe
1968 | lhuft.exe
1560 | mishpeor.exe
1704 | mishpeor.exe
Loads dropped DLL 2 IoCs
Processes:
pid | process
1696 | lhuft.exe
1968 | lhuft.exe
Executes dropped EXE 4 IoCs
Processes:
pid | process
744 | mishpeor.exe
552 | mishpeor.exe
1560 | mishpeor.exe
1704 | mishpeor.exe
Windows security bypass
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Scmse = "0" | reg.exe
Adds Run entry to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Windows\CurrentVersion\Run\qrdcimxde = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Scmse\\mishpeor.exe\"" | explorer.exe
Processes (indented by process-tree depth; each entry gives the image path, then its command line, then the signatures it triggered)
C:\Users\Admin\AppData\Local\Temp\lhuft.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\lhuft.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
  - Loads dropped DLL
  C:\Users\Admin\AppData\Local\Temp\lhuft.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\lhuft.exe /C
    - Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
    cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: MapViewOfSection
    - Suspicious behavior: EnumeratesProcesses
    - Executes dropped EXE
    C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
      cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe /C
      - Suspicious behavior: EnumeratesProcesses
      - Executes dropped EXE
    C:\Windows\SysWOW64\explorer.exe
      cmd: C:\Windows\SysWOW64\explorer.exe
      - Suspicious behavior: EnumeratesProcesses
      - Adds Run entry to start application
  C:\Windows\SysWOW64\schtasks.exe
    cmd: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ttjzsxh /tr "\"C:\Users\Admin\AppData\Local\Temp\lhuft.exe\" /I ttjzsxh" /SC ONCE /Z /ST 23:20 /ET 23:32
C:\Windows\system32\taskeng.exe
  cmd: taskeng.exe {A358B524-AEA2-4B26-97F9-8D99D0032A69} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\lhuft.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\lhuft.exe /I ttjzsxh
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Loads dropped DLL
    C:\Windows\system32\reg.exe
      cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
      - Turn off Windows Defender SpyNet reporting
    C:\Windows\system32\reg.exe
      cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
      - Turn off Windows Defender SpyNet reporting
    C:\Windows\system32\reg.exe
      cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    C:\Windows\system32\reg.exe
      cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    C:\Windows\system32\reg.exe
      cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
      - Turn off Windows Defender SpyNet reporting
    C:\Windows\system32\reg.exe
      cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
      - Turn off Windows Defender SpyNet reporting
    C:\Windows\system32\reg.exe
      cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
      - Turn off Windows Defender SpyNet reporting
    C:\Windows\system32\reg.exe
      cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
      - Turn off Windows Defender SpyNet reporting
    C:\Windows\system32\reg.exe
      cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Scmse" /d "0"
      - Windows security bypass
    C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
      cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: EnumeratesProcesses
      - Executes dropped EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
        cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe /C
        - Suspicious behavior: EnumeratesProcesses
        - Executes dropped EXE
    C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\lhuft.exe"
      C:\Windows\system32\PING.EXE
        cmd: ping.exe -n 6 127.0.0.1
        - Runs ping.exe
    C:\Windows\system32\schtasks.exe
      cmd: "C:\Windows\system32\schtasks.exe" /DELETE /F /TN ttjzsxh
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.dat
- C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
- \Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
- \Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
- \Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
- memory/552-6-0x00000000024A0000-0x00000000024B1000-memory.dmp (filesize 68KB)
- memory/744-7-0x0000000002320000-0x00000000023B2000-memory.dmp (filesize 584KB)
- memory/1112-0-0x0000000002330000-0x0000000002341000-memory.dmp (filesize 68KB)
- memory/1704-12-0x0000000002440000-0x0000000002451000-memory.dmp (filesize 68KB)