lhuft.exe

General

Target: lhuft.exe
Filesize: N/A
Completed: 09-01-2020 22:21
Score: 10/10
SHA256: 7f90029d8bb4d49d1001a65f4d139f1a2b630b420e5caf4315e5d3da43d603b2

Malware Config

Extracted

Family: qakbot
Campaign: 1577715876
C2:

Signatures 10

Defense Evasion
Discovery
Persistence
  • Qakbot/Qbot

    Description

    Qbot or Qakbot is a sophisticated worm with banking capabilities

  • Suspicious behavior: EnumeratesProcesses
    lhuft.exe, lhuft.exe, idxcw.exe, idxcw.exe, explorer.exe, lhuft.exe, idxcw.exe, idxcw.exe

    Reported IOCs

    pid  | process
    4948 | lhuft.exe
    5000 | lhuft.exe
    1008 | idxcw.exe
    984  | idxcw.exe
    2616 | explorer.exe
    4504 | lhuft.exe
    4276 | idxcw.exe
    3968 | idxcw.exe
  • Executes dropped EXE
    idxcw.exe, idxcw.exe, idxcw.exe, idxcw.exe

    Reported IOCs

    pid  | process
    1008 | idxcw.exe
    984  | idxcw.exe
    4276 | idxcw.exe
    3968 | idxcw.exe
  • Adds Run entry to start application
    explorer.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Windows\CurrentVersion\Run\xmfwahas = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Tiepdci\\idxcw.exe\"" | explorer.exe
  • Runs ping.exe
    PING.EXE

    TTPs

    Remote System Discovery

    Reported IOCs

    pid  | process
    4176 | PING.EXE
  • Checks SCSI registry key(s)
    lhuft.exe, idxcw.exe, idxcw.exe

    Description

    SCSI information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc | lhuft.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc | lhuft.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service | idxcw.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service | idxcw.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | lhuft.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc | idxcw.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc | idxcw.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | idxcw.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | idxcw.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service | idxcw.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service | lhuft.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | idxcw.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc | idxcw.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service | idxcw.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service | lhuft.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | lhuft.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | idxcw.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc | idxcw.exe
  • Turn off Windows Defender SpyNet reporting
    reg.exe, reg.exe, reg.exe, reg.exe, reg.exe, reg.exe

    Reported IOCs

    description | ioc | process
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0" | reg.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2" | reg.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | reg.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" | reg.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | reg.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" | reg.exe
  • Suspicious use of WriteProcessMemory
    lhuft.exe, idxcw.exe, lhuft.exe, idxcw.exe

    Reported IOCs

    description | pid | process | target process
    PID 4948 wrote to memory of 5000 | 4948 | lhuft.exe | lhuft.exe
    PID 4948 wrote to memory of 1008 | 4948 | lhuft.exe | idxcw.exe
    PID 4948 wrote to memory of 1816 | 4948 | lhuft.exe | schtasks.exe
    PID 1008 wrote to memory of 984 | 1008 | idxcw.exe | idxcw.exe
    PID 1008 wrote to memory of 2616 | 1008 | idxcw.exe | explorer.exe
    PID 4504 wrote to memory of 4560 | 4504 | lhuft.exe | reg.exe
    PID 4504 wrote to memory of 4328 | 4504 | lhuft.exe | reg.exe
    PID 4504 wrote to memory of 4680 | 4504 | lhuft.exe | reg.exe
    PID 4504 wrote to memory of 4628 | 4504 | lhuft.exe | reg.exe
    PID 4504 wrote to memory of 4764 | 4504 | lhuft.exe | reg.exe
    PID 4504 wrote to memory of 4716 | 4504 | lhuft.exe | reg.exe
    PID 4504 wrote to memory of 4420 | 4504 | lhuft.exe | reg.exe
    PID 4504 wrote to memory of 3880 | 4504 | lhuft.exe | reg.exe
    PID 4504 wrote to memory of 4296 | 4504 | lhuft.exe | reg.exe
    PID 4504 wrote to memory of 4276 | 4504 | lhuft.exe | idxcw.exe
    PID 4504 wrote to memory of 4036 | 4504 | lhuft.exe | cmd.exe
    PID 4504 wrote to memory of 4020 | 4504 | lhuft.exe | schtasks.exe
    PID 4276 wrote to memory of 3968 | 4276 | idxcw.exe | idxcw.exe
  • Suspicious behavior: MapViewOfSection
    idxcw.exe

    Reported IOCs

    pid  | process
    1008 | idxcw.exe
  • Windows security bypass
    reg.exe

    TTPs

    Disabling Security Tools, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Tiepdci = "0" | reg.exe
Processes 21
  • C:\Users\Admin\AppData\Local\Temp\lhuft.exe
    "C:\Users\Admin\AppData\Local\Temp\lhuft.exe"
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:4948
    • C:\Users\Admin\AppData\Local\Temp\lhuft.exe
      C:\Users\Admin\AppData\Local\Temp\lhuft.exe /C
      Suspicious behavior: EnumeratesProcesses
      Checks SCSI registry key(s)
      PID:5000
    • C:\Users\Admin\AppData\Roaming\Microsoft\Tiepdci\idxcw.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Tiepdci\idxcw.exe
      Suspicious behavior: EnumeratesProcesses
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      Suspicious behavior: MapViewOfSection
      PID:1008
      • C:\Users\Admin\AppData\Roaming\Microsoft\Tiepdci\idxcw.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Tiepdci\idxcw.exe /C
        Suspicious behavior: EnumeratesProcesses
        Executes dropped EXE
        Checks SCSI registry key(s)
        PID:984
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        Suspicious behavior: EnumeratesProcesses
        Adds Run entry to start application
        PID:2616
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn gojzccx /tr "\"C:\Users\Admin\AppData\Local\Temp\lhuft.exe\" /I gojzccx" /SC ONCE /Z /ST 23:20 /ET 23:32
      PID:1816
  • C:\Users\Admin\AppData\Local\Temp\lhuft.exe
    C:\Users\Admin\AppData\Local\Temp\lhuft.exe /I gojzccx
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:4504
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
      Turn off Windows Defender SpyNet reporting
      PID:4560
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
      Turn off Windows Defender SpyNet reporting
      PID:4328
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
      PID:4680
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
      PID:4628
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
      Turn off Windows Defender SpyNet reporting
      PID:4764
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
      Turn off Windows Defender SpyNet reporting
      PID:4716
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
      Turn off Windows Defender SpyNet reporting
      PID:4420
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
      Turn off Windows Defender SpyNet reporting
      PID:3880
    • C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Tiepdci" /d "0"
      Windows security bypass
      PID:4296
    • C:\Users\Admin\AppData\Roaming\Microsoft\Tiepdci\idxcw.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Tiepdci\idxcw.exe
      Suspicious behavior: EnumeratesProcesses
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4276
      • C:\Users\Admin\AppData\Roaming\Microsoft\Tiepdci\idxcw.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Tiepdci\idxcw.exe /C
        Suspicious behavior: EnumeratesProcesses
        Executes dropped EXE
        Checks SCSI registry key(s)
        PID:3968
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\lhuft.exe"
      PID:4036
      • C:\Windows\system32\PING.EXE
        ping.exe -n 6 127.0.0.1
        Runs ping.exe
        PID:4176
    • C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /DELETE /F /TN gojzccx
      PID:4020
Network
MITRE ATT&CK Matrix
Downloads
  • C:\Users\Admin\AppData\Roaming\Microsoft\Tiepdci\idxcw.dat
  • C:\Users\Admin\AppData\Roaming\Microsoft\Tiepdci\idxcw.exe
  • C:\Users\Admin\AppData\Roaming\Microsoft\Tiepdci\idxcw.exe
  • C:\Users\Admin\AppData\Roaming\Microsoft\Tiepdci\idxcw.exe
  • C:\Users\Admin\AppData\Roaming\Microsoft\Tiepdci\idxcw.exe
  • C:\Users\Admin\AppData\Roaming\Microsoft\Tiepdci\idxcw.exe
  • memory/984-4-0x0000000002B70000-0x0000000002B71000-memory.dmp
  • memory/1008-5-0x0000000002AF0000-0x0000000002B82000-memory.dmp
  • memory/3968-9-0x0000000002830000-0x0000000002831000-memory.dmp
  • memory/5000-0-0x0000000002B50000-0x0000000002B51000-memory.dmp