Analysis

  • max time kernel
    134s
  • resource
    win7v191014
  • submitted
    09-01-2020 02:05

General

  • Target

    lhuft.exe

  • Sample

    200109-pvvhk66ab2

  • SHA256

    7f90029d8bb4d49d1001a65f4d139f1a2b630b420e5caf4315e5d3da43d603b2

Malware Config

Extracted

Family

qakbot

Campaign

1577715876

C2

80.14.209.42:2222

207.237.1.152:443

74.96.151.6:443

137.99.224.198:443

172.221.45.151:443

71.30.56.170:443

184.191.62.78:443

73.195.20.237:443

173.3.132.17:995

71.88.220.181:443

64.19.74.29:995

47.23.101.26:465

208.126.142.17:443

66.214.75.176:443

75.97.151.96:995

45.45.105.94:995

71.226.140.73:443

45.45.105.94:443

24.229.245.124:995

76.180.69.236:443

Signatures

  • Suspicious use of WriteProcessMemory 19 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Turn off Windows Defender SpyNet reporting 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Loads dropped DLL 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Windows security bypass 2 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Adds Run entry to start application 2 TTPs 1 IoCs
  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities

Processes

  • C:\Users\Admin\AppData\Local\Temp\lhuft.exe
    "C:\Users\Admin\AppData\Local\Temp\lhuft.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: EnumeratesProcesses
    • Loads dropped DLL
    PID:1696
    • C:\Users\Admin\AppData\Local\Temp\lhuft.exe
      C:\Users\Admin\AppData\Local\Temp\lhuft.exe /C
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1112
    • C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      • Suspicious behavior: MapViewOfSection
      • Suspicious behavior: EnumeratesProcesses
      • Executes dropped EXE
      PID:744
      • C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe /C
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Executes dropped EXE
        PID:552
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Adds Run entry to start application
        PID:1292
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn ttjzsxh /tr "\"C:\Users\Admin\AppData\Local\Temp\lhuft.exe\" /I ttjzsxh" /SC ONCE /Z /ST 23:20 /ET 23:32
      2⤵
        PID:1992
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {A358B524-AEA2-4B26-97F9-8D99D0032A69} S-1-5-18:NT AUTHORITY\System:Service:
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1688
      • C:\Users\Admin\AppData\Local\Temp\lhuft.exe
        C:\Users\Admin\AppData\Local\Temp\lhuft.exe /I ttjzsxh
        2⤵
        • Suspicious use of WriteProcessMemory
        • Suspicious behavior: EnumeratesProcesses
        • Loads dropped DLL
        PID:1968
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
          3⤵
          • Turn off Windows Defender SpyNet reporting
          PID:1124
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
          3⤵
          • Turn off Windows Defender SpyNet reporting
          PID:240
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
          3⤵
            PID:2036
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
            3⤵
              PID:2032
            • C:\Windows\system32\reg.exe
              C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
              3⤵
              • Turn off Windows Defender SpyNet reporting
              PID:1360
            • C:\Windows\system32\reg.exe
              C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
              3⤵
              • Turn off Windows Defender SpyNet reporting
              PID:1476
            • C:\Windows\system32\reg.exe
              C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
              3⤵
              • Turn off Windows Defender SpyNet reporting
              PID:332
            • C:\Windows\system32\reg.exe
              C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
              3⤵
              • Turn off Windows Defender SpyNet reporting
              PID:996
            • C:\Windows\system32\reg.exe
              C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Scmse" /d "0"
              3⤵
              • Windows security bypass
              PID:1760
            • C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
              C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
              3⤵
              • Suspicious use of WriteProcessMemory
              • Suspicious behavior: EnumeratesProcesses
              • Executes dropped EXE
              PID:1560
              • C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
                C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe /C
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                • Executes dropped EXE
                PID:1704
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\lhuft.exe"
              3⤵
                PID:1716
                • C:\Windows\system32\PING.EXE
                  ping.exe -n 6 127.0.0.1
                  4⤵
                  • Runs ping.exe
                  PID:800
              • C:\Windows\system32\schtasks.exe
                "C:\Windows\system32\schtasks.exe" /DELETE /F /TN ttjzsxh
                3⤵
                  PID:280

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Persistence

            Registry Run Keys / Startup Folder

            1
            T1060

            Defense Evasion

            Disabling Security Tools

            1
            T1089

            Modify Registry

            2
            T1112

            Discovery

            Remote System Discovery

            1
            T1018

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.dat
            • C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
            • C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
            • C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
            • C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
            • C:\Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
            • \Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
            • \Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
            • \Users\Admin\AppData\Roaming\Microsoft\Scmse\mishpeor.exe
            • memory/552-6-0x00000000024A0000-0x00000000024B1000-memory.dmp
              Filesize

              68KB

            • memory/744-7-0x0000000002320000-0x00000000023B2000-memory.dmp
              Filesize

              584KB

            • memory/1112-0-0x0000000002330000-0x0000000002341000-memory.dmp
              Filesize

              68KB

            • memory/1704-12-0x0000000002440000-0x0000000002451000-memory.dmp
              Filesize

              68KB