lhuft.exe

General

Target: lhuft.exe
Filesize: N/A
Completed: 09-01-2020 22:21
Score: 10/10
SHA256: 7f90029d8bb4d49d1001a65f4d139f1a2b630b420e5caf4315e5d3da43d603b2

Malware Config

Extracted

Family: qakbot
Campaign: 1577715876
C2:


Signatures 10

Tactics: Defense Evasion, Discovery, Persistence
  • Suspicious use of WriteProcessMemory
    lhuft.exe, mishpeor.exe, taskeng.exe, lhuft.exe, mishpeor.exe

    Reported IOCs

    description                        pid   process       target process
    PID 1696 wrote to memory of 1112   1696  lhuft.exe     lhuft.exe
    PID 1696 wrote to memory of 744    1696  lhuft.exe     mishpeor.exe
    PID 1696 wrote to memory of 1992   1696  lhuft.exe     schtasks.exe
    PID 744 wrote to memory of 552     744   mishpeor.exe  mishpeor.exe
    PID 744 wrote to memory of 1292    744   mishpeor.exe  explorer.exe
    PID 1688 wrote to memory of 1968   1688  taskeng.exe   lhuft.exe
    PID 1968 wrote to memory of 1124   1968  lhuft.exe     reg.exe
    PID 1968 wrote to memory of 240    1968  lhuft.exe     reg.exe
    PID 1968 wrote to memory of 2036   1968  lhuft.exe     reg.exe
    PID 1968 wrote to memory of 2032   1968  lhuft.exe     reg.exe
    PID 1968 wrote to memory of 1360   1968  lhuft.exe     reg.exe
    PID 1968 wrote to memory of 1476   1968  lhuft.exe     reg.exe
    PID 1968 wrote to memory of 332    1968  lhuft.exe     reg.exe
    PID 1968 wrote to memory of 996    1968  lhuft.exe     reg.exe
    PID 1968 wrote to memory of 1760   1968  lhuft.exe     reg.exe
    PID 1968 wrote to memory of 1560   1968  lhuft.exe     mishpeor.exe
    PID 1560 wrote to memory of 1704   1560  mishpeor.exe  mishpeor.exe
    PID 1968 wrote to memory of 1716   1968  lhuft.exe     cmd.exe
    PID 1968 wrote to memory of 280    1968  lhuft.exe     schtasks.exe
  • Suspicious behavior: MapViewOfSection
    mishpeor.exe

    Reported IOCs

    pid   process
    744   mishpeor.exe
  • Turn off Windows Defender SpyNet reporting
    reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, reg.exe

    Reported IOCs

    description      ioc                                                                                                  process
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"  reg.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0"              reg.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2"         reg.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting = "0"                   reg.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent = "2"              reg.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"       reg.exe
  • Suspicious behavior: EnumeratesProcesses
    lhuft.exe, lhuft.exe, mishpeor.exe, mishpeor.exe, explorer.exe, lhuft.exe, mishpeor.exe, mishpeor.exe

    Reported IOCs

    pid   process
    1696  lhuft.exe
    1112  lhuft.exe
    744   mishpeor.exe
    552   mishpeor.exe
    1292  explorer.exe
    1968  lhuft.exe
    1560  mishpeor.exe
    1704  mishpeor.exe
  • Loads dropped DLL
    lhuft.exe, lhuft.exe

    Reported IOCs

    pid   process
    1696  lhuft.exe
    1968  lhuft.exe
  • Executes dropped EXE
    mishpeor.exe, mishpeor.exe, mishpeor.exe, mishpeor.exe

    Reported IOCs

    pid   process
    744   mishpeor.exe
    552   mishpeor.exe
    1560  mishpeor.exe
    1704  mishpeor.exe
  • Windows security bypass
    reg.exe

    TTPs

    Disabling Security Tools, Modify Registry

    Reported IOCs

    description      ioc                                                                                                          process
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Scmse = "0"  reg.exe
  • Runs ping.exe
    PING.EXE

    TTPs

    Remote System Discovery

    Reported IOCs

    pid   process
    800   PING.EXE
  • Adds Run entry to start application
    explorer.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description      ioc                                                                                                                                                                            process
    Set value (str)  \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Windows\CurrentVersion\Run\qrdcimxde = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Scmse\\mishpeor.exe\""  explorer.exe
  • Qakbot/Qbot

    Description

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

Processes 22
  • C:\Users\Admin\AppData\Local\Temp\lhuft.exe
    "C:\Users\Admin\AppData\Local\Temp\lhuft.exe"
    Suspicious use of WriteProcessMemory
    Suspicious behavior: EnumeratesProcesses
    Loads dropped DLL
    PID:1696
    • C:\Users\Admin\AppData\Local\Temp\lhuft.exe
      C:\Users\Admin\AppData\Local\Temp\lhuft.exe /C
      Suspicious behavior: EnumeratesProcesses
      PID:1112
    • C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
      Suspicious use of WriteProcessMemory
      Suspicious behavior: MapViewOfSection
      Suspicious behavior: EnumeratesProcesses
      Executes dropped EXE
      PID:744
      • C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe /C
        Suspicious behavior: EnumeratesProcesses
        Executes dropped EXE
        PID:552
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        Suspicious behavior: EnumeratesProcesses
        Adds Run entry to start application
        PID:1292
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ttjzsxh /tr "\"C:\Users\Admin\AppData\Local\Temp\lhuft.exe\" /I ttjzsxh" /SC ONCE /Z /ST 23:20 /ET 23:32
      PID:1992
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {A358B524-AEA2-4B26-97F9-8D99D0032A69} S-1-5-18:NT AUTHORITY\System:Service:
    Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Users\Admin\AppData\Local\Temp\lhuft.exe
      C:\Users\Admin\AppData\Local\Temp\lhuft.exe /I ttjzsxh
      Suspicious use of WriteProcessMemory
      Suspicious behavior: EnumeratesProcesses
      Loads dropped DLL
      PID:1968
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        Turn off Windows Defender SpyNet reporting
        PID:1124
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        Turn off Windows Defender SpyNet reporting
        PID:240
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        PID:2036
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        PID:2032
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        Turn off Windows Defender SpyNet reporting
        PID:1360
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        Turn off Windows Defender SpyNet reporting
        PID:1476
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
        Turn off Windows Defender SpyNet reporting
        PID:332
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
        Turn off Windows Defender SpyNet reporting
        PID:996
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Scmse" /d "0"
        Windows security bypass
        PID:1760
      • C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
        Suspicious use of WriteProcessMemory
        Suspicious behavior: EnumeratesProcesses
        Executes dropped EXE
        PID:1560
        • C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe /C
          Suspicious behavior: EnumeratesProcesses
          Executes dropped EXE
          PID:1704
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\lhuft.exe"
        PID:1716
        • C:\Windows\system32\PING.EXE
          ping.exe -n 6 127.0.0.1
          Runs ping.exe
          PID:800
      • C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /DELETE /F /TN ttjzsxh
        PID:280
Network

MITRE ATT&CK Matrix

Collection, Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation

Downloads
  • C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.dat
  • C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
  • C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
  • C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
  • C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
  • C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
  • \Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
  • \Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
  • \Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
  • memory/552-6-0x00000000024A0000-0x00000000024B1000-memory.dmp
  • memory/744-7-0x0000000002320000-0x00000000023B2000-memory.dmp
  • memory/1112-0-0x0000000002330000-0x0000000002341000-memory.dmp
  • memory/1704-12-0x0000000002440000-0x0000000002451000-memory.dmp