Analysis
- max time kernel: 138s
- resource: win10v191014
- submitted: 09-01-2020 02:05
- Task: task1
- Sample: lhuft.exe
- Resource: win7v191014
General
Malware Config
Extracted
qakbot
1577715876
80.14.209.42:2222
207.237.1.152:443
74.96.151.6:443
137.99.224.198:443
172.221.45.151:443
71.30.56.170:443
184.191.62.78:443
73.195.20.237:443
173.3.132.17:995
71.88.220.181:443
64.19.74.29:995
47.23.101.26:465
208.126.142.17:443
66.214.75.176:443
75.97.151.96:995
45.45.105.94:995
71.226.140.73:443
45.45.105.94:443
24.229.245.124:995
76.180.69.236:443
138.122.5.214:443
174.101.35.214:443
206.51.202.106:50002
162.244.224.166:443
24.32.119.146:443
130.93.11.211:443
73.133.46.105:995
98.118.162.34:443
12.5.37.3:443
71.77.231.251:443
172.242.9.118:995
75.165.141.78:443
12.5.37.3:995
108.227.161.27:443
162.244.225.30:443
100.1.47.98:443
24.229.150.54:995
72.187.35.131:443
46.248.61.176:995
68.49.120.179:443
24.191.227.91:2222
98.252.150.180:443
184.167.2.251:2222
67.214.21.207:443
47.180.66.10:443
72.190.101.70:443
70.124.29.226:443
100.38.164.182:443
100.40.48.96:443
47.182.89.157:443
75.110.250.89:443
67.10.18.112:993
173.73.29.192:443
72.142.106.198:465
181.126.80.118:443
173.172.205.216:443
68.174.15.223:443
72.16.212.107:465
75.131.72.82:443
207.179.194.91:443
74.194.4.181:443
35.134.202.234:443
172.78.87.180:443
23.240.185.215:443
184.74.101.234:995
66.222.88.126:995
100.4.185.8:443
173.22.120.11:2222
104.3.91.20:995
73.226.220.56:443
75.90.230.120:995
75.131.72.82:995
24.189.222.222:2222
67.175.106.199:443
64.250.55.239:443
2.50.157.233:443
107.5.252.194:443
98.237.120.65:995
66.171.8.157:443
96.241.184.247:443
71.220.197.129:443
72.209.191.27:443
100.38.123.22:443
104.152.16.45:995
96.236.196.34:443
67.141.21.18:443
200.84.4.84:2222
104.191.66.184:443
96.227.138.53:443
64.203.122.88:995
108.39.114.84:443
73.239.11.160:443
47.185.43.243:443
108.190.148.31:2222
108.49.221.180:443
138.122.5.214:443
81.147.42.129:2222
47.138.5.199:443
206.255.41.196:443
71.233.73.222:995
71.80.227.238:443
201.152.128.154:995
86.140.13.103:2222
97.96.51.117:443
107.12.131.249:443
74.71.216.1:443
24.202.42.48:2222
67.246.16.250:995
75.70.218.193:443
86.169.244.41:2222
69.207.20.233:443
32.208.1.239:443
74.33.69.22:443
75.165.181.122:443
205.250.79.62:443
76.23.204.29:443
47.227.198.155:443
72.29.181.77:2078
47.146.169.85:443
176.205.63.149:995
72.28.255.159:443
184.180.157.203:2222
174.48.72.160:443
70.177.25.99:443
46.153.47.127:443
75.121.10.204:443
184.4.192.200:443
66.90.149.186:443
68.1.115.106:443
89.242.145.107:2222
74.105.139.160:443
50.78.93.74:995
2.190.199.153:443
207.178.109.161:443
216.152.7.12:443
166.62.180.194:2078
47.153.115.154:995
162.248.148.114:443
181.197.195.138:995
138.122.5.214:2222
73.84.179.163:0
117.204.232.187:995
78.13.212.163:2222
96.242.232.231:443
75.142.59.167:443
173.79.220.156:443
24.27.82.216:2222
62.103.70.217:995
98.171.66.125:443
72.228.3.116:443
Signatures
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
pid   process
4948  lhuft.exe
5000  lhuft.exe
1008  idxcw.exe
984   idxcw.exe
2616  explorer.exe
4504  lhuft.exe
4276  idxcw.exe
3968  idxcw.exe
Executes dropped EXE 4 IoCs
Processes:
pid   process
1008  idxcw.exe
984   idxcw.exe
4276  idxcw.exe
3968  idxcw.exe
Adds Run entry to start application 2 TTPs 1 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Windows\CurrentVersion\Run\xmfwahas = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Tiepdci\\idxcw.exe\""  explorer.exe
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description  ioc  process
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc  lhuft.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc  lhuft.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service  idxcw.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service  idxcw.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000  lhuft.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc  idxcw.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc  idxcw.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000  idxcw.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000  idxcw.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service  idxcw.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service  lhuft.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000  idxcw.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc  idxcw.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service  idxcw.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service  lhuft.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000  lhuft.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000  idxcw.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc  idxcw.exe
Turn off Windows Defender SpyNet reporting 6 IoCs
Processes:
description  ioc  process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0"  reg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2"  reg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"  reg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"  reg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"  reg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"  reg.exe
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description  pid  process  target process
PID 4948 wrote to memory of 5000  4948  lhuft.exe  lhuft.exe
PID 4948 wrote to memory of 1008  4948  lhuft.exe  idxcw.exe
PID 4948 wrote to memory of 1816  4948  lhuft.exe  schtasks.exe
PID 1008 wrote to memory of 984  1008  idxcw.exe  idxcw.exe
PID 1008 wrote to memory of 2616  1008  idxcw.exe  explorer.exe
PID 4504 wrote to memory of 4560  4504  lhuft.exe  reg.exe
PID 4504 wrote to memory of 4328  4504  lhuft.exe  reg.exe
PID 4504 wrote to memory of 4680  4504  lhuft.exe  reg.exe
PID 4504 wrote to memory of 4628  4504  lhuft.exe  reg.exe
PID 4504 wrote to memory of 4764  4504  lhuft.exe  reg.exe
PID 4504 wrote to memory of 4716  4504  lhuft.exe  reg.exe
PID 4504 wrote to memory of 4420  4504  lhuft.exe  reg.exe
PID 4504 wrote to memory of 3880  4504  lhuft.exe  reg.exe
PID 4504 wrote to memory of 4296  4504  lhuft.exe  reg.exe
PID 4504 wrote to memory of 4276  4504  lhuft.exe  idxcw.exe
PID 4504 wrote to memory of 4036  4504  lhuft.exe  cmd.exe
PID 4504 wrote to memory of 4020  4504  lhuft.exe  schtasks.exe
PID 4276 wrote to memory of 3968  4276  idxcw.exe  idxcw.exe
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid   process
1008  idxcw.exe
Windows security bypass 1 IoCs
Processes:
description  ioc  process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Tiepdci = "0"  reg.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\lhuft.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\lhuft.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\lhuft.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\lhuft.exe /C
      - Suspicious behavior: EnumeratesProcesses
      - Checks SCSI registry key(s)
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Tiepdci\idxcw.exe
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Tiepdci\idxcw.exe
      - Suspicious behavior: EnumeratesProcesses
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: MapViewOfSection
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Tiepdci\idxcw.exe
        Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Tiepdci\idxcw.exe /C
        - Suspicious behavior: EnumeratesProcesses
        - Executes dropped EXE
        - Checks SCSI registry key(s)
    [3] C:\Windows\SysWOW64\explorer.exe
        Command line: C:\Windows\SysWOW64\explorer.exe
        - Suspicious behavior: EnumeratesProcesses
        - Adds Run entry to start application
  [2] C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn gojzccx /tr "\"C:\Users\Admin\AppData\Local\Temp\lhuft.exe\" /I gojzccx" /SC ONCE /Z /ST 23:20 /ET 23:32
[1] C:\Users\Admin\AppData\Local\Temp\lhuft.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\lhuft.exe /I gojzccx
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\reg.exe
      Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
      - Turn off Windows Defender SpyNet reporting
  [2] C:\Windows\system32\reg.exe
      Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
      - Turn off Windows Defender SpyNet reporting
  [2] C:\Windows\system32\reg.exe
      Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
  [2] C:\Windows\system32\reg.exe
      Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
  [2] C:\Windows\system32\reg.exe
      Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
      - Turn off Windows Defender SpyNet reporting
  [2] C:\Windows\system32\reg.exe
      Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
      - Turn off Windows Defender SpyNet reporting
  [2] C:\Windows\system32\reg.exe
      Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
      - Turn off Windows Defender SpyNet reporting
  [2] C:\Windows\system32\reg.exe
      Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
      - Turn off Windows Defender SpyNet reporting
  [2] C:\Windows\system32\reg.exe
      Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Tiepdci" /d "0"
      - Windows security bypass
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Tiepdci\idxcw.exe
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Tiepdci\idxcw.exe
      - Suspicious behavior: EnumeratesProcesses
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Tiepdci\idxcw.exe
        Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Tiepdci\idxcw.exe /C
        - Suspicious behavior: EnumeratesProcesses
        - Executes dropped EXE
        - Checks SCSI registry key(s)
  [2] C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\lhuft.exe"
    [3] C:\Windows\system32\PING.EXE
        Command line: ping.exe -n 6 127.0.0.1
        - Runs ping.exe
  [2] C:\Windows\system32\schtasks.exe
      Command line: "C:\Windows\system32\schtasks.exe" /DELETE /F /TN gojzccx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Tiepdci\idxcw.dat
- C:\Users\Admin\AppData\Roaming\Microsoft\Tiepdci\idxcw.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Tiepdci\idxcw.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Tiepdci\idxcw.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Tiepdci\idxcw.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Tiepdci\idxcw.exe
- memory/984-4-0x0000000002B70000-0x0000000002B71000-memory.dmp (Filesize: 4KB)
- memory/1008-5-0x0000000002AF0000-0x0000000002B82000-memory.dmp (Filesize: 584KB)
- memory/3968-9-0x0000000002830000-0x0000000002831000-memory.dmp (Filesize: 4KB)
- memory/5000-0-0x0000000002B50000-0x0000000002B51000-memory.dmp (Filesize: 4KB)