Analysis
- max time kernel: 151s
- max time network: 120s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 27-11-2020 19:29

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample 161120.exe, Resource win7v20201028)
- Behavioral task: behavioral2 (Sample 161120.exe, Resource win10v20201028)

The results below are from behavioral2 (platform windows10_x64, resource win10v20201028).
General
- Target: 161120.exe
- Size: 340KB
- MD5: 0a7ab9da9997bf3f75ec4549a9b9daf0
- SHA1: d5ffba8afc0cccf2a3194c572db74605dd8879d3
- SHA256: 1a78aaf6aae3b9d9a32dc6c8cfe9182043f71a3d44e727464ab95a70fc24bbe8
- SHA512: 3f03bd23458e05469df1623e55a71b6bdad1c7a9af2bf8e7f8750406bd17e759d8b1049ed1531aeee9da503fa86d692bc29ec1a94126be6ff20b647e2840ffbe
Malware Config

Extracted: smokeloader
- Version: 2020
- C2: http://cent.live/

Extracted: qakbot
- Botnet: tr01
- Campaign: 1604997522 (a Unix timestamp: 2020-11-10 08:38:42 UTC)
- C2 (148 entries, ip:port):
122.61.213.85:443
2.50.89.119:995
189.183.201.0:443
86.98.145.152:2222
96.241.66.126:443
90.101.117.122:2222
94.69.112.148:2222
81.150.181.168:2222
82.127.125.209:2222
81.214.126.173:2222
86.140.82.116:20
172.87.157.235:443
176.181.247.197:443
78.97.110.47:443
5.15.90.117:2222
41.206.131.156:443
151.73.112.67:443
82.127.125.209:990
197.45.110.165:995
81.133.234.36:2222
37.6.222.192:995
118.100.108.25:443
86.97.162.141:2222
74.129.26.119:443
37.116.152.122:2222
92.154.83.96:1194
45.32.154.10:443
45.63.107.192:443
207.246.75.201:443
59.99.38.231:443
45.63.107.192:2222
195.97.101.40:443
45.63.107.192:995
199.247.16.80:443
199.247.22.145:443
80.240.26.178:443
108.52.39.68:443
203.106.195.67:443
2.50.143.154:2222
73.166.10.38:443
84.232.252.202:2222
47.146.39.147:443
69.40.22.180:443
73.239.229.107:995
71.187.177.20:443
50.244.112.90:443
67.61.157.208:443
45.118.65.34:443
217.128.117.218:2222
47.22.148.6:443
50.82.55.69:443
75.136.40.155:443
82.76.47.211:443
68.186.192.69:443
71.187.170.235:443
2.50.244.155:443
80.14.209.42:2222
196.204.207.111:443
78.132.115.83:6881
180.233.150.134:443
185.163.221.77:2222
41.206.131.166:443
149.28.99.97:2222
149.28.99.97:443
149.28.99.97:995
117.199.12.148:443
83.110.12.0:2222
2.50.110.49:2078
93.86.252.177:995
79.113.242.120:443
68.174.15.223:443
94.52.160.116:443
41.205.16.176:443
84.117.176.32:443
217.133.54.140:32100
185.105.131.233:443
87.27.110.90:2222
77.159.149.74:443
105.101.88.222:443
185.246.9.69:995
188.25.24.21:2222
2.90.127.64:443
86.97.191.98:2222
31.5.168.31:443
41.225.13.128:8443
24.205.42.241:443
41.97.173.199:443
105.198.236.101:443
190.220.8.10:995
197.161.154.132:443
24.90.129.73:443
120.150.34.178:443
122.60.99.107:443
27.223.92.142:995
96.41.93.96:443
109.209.94.165:2222
189.231.189.64:443
58.179.21.147:995
2.51.153.24:443
149.135.101.20:443
74.135.122.35:443
82.127.125.209:22
96.21.251.127:2222
98.116.20.194:443
39.32.61.193:995
173.173.1.164:443
109.205.204.229:2222
78.96.199.79:443
73.136.242.114:443
198.2.35.226:2222
156.205.170.226:995
117.197.231.67:443
41.227.93.43:443
89.136.39.108:443
207.246.70.216:443
45.32.165.134:443
45.32.162.253:443
140.82.27.132:443
37.106.36.31:995
45.63.104.123:443
63.155.67.114:995
96.30.198.161:443
95.179.247.224:443
188.27.32.167:443
108.31.15.10:995
81.88.254.62:443
184.66.18.83:443
73.55.254.225:443
184.98.97.227:995
216.215.77.18:2222
5.32.41.46:443
144.139.230.139:443
69.47.26.41:443
197.86.204.198:443
72.241.205.69:443
89.137.211.239:443
86.122.246.127:2222
197.47.160.202:995
24.137.76.62:995
86.248.30.56:2222
31.5.21.66:443
212.70.107.59:995
2.7.202.106:2222
72.36.59.46:2222
71.238.211.125:443
2.181.78.140:2222
81.97.154.100:443
47.44.217.98:443
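The C2 list above is only useful once it has been normalized and checked. The Python below is an added example and is not part of the sandbox report or of any tool it names: it takes a subset of the extracted Qakbot C2 entries (copied from the list above, plus two constructed malformed lines to exercise the validation path), drops anything that is not a routable ip:port pair, decodes the campaign ID as a Unix timestamp, groups entries that sit on ports outside the 443/995/2222 set that dominates this config (20, 22, 990, 1194, 2078, 6881, 8443 and 32100 all occur above), and emits one Suricata rule per entry. EXPECTED_PORTS, the SID range and the function names are this example's own choices.

```python
"""Turn an extracted Qakbot C2 list into checked detection artifacts.

Added example, not code from the sandbox report or from any tool it names.
BOTNET / CAMPAIGN and the addresses in C2_RAW are taken from the report's
extracted config (a subset of the 148 entries); the last two C2_RAW lines
are constructed to exercise the validation path. EXPECTED_PORTS, the SID
range and all function names are this example's own assumptions.
"""
import ipaddress
from datetime import datetime, timezone

BOTNET = "tr01"
CAMPAIGN = 1604997522  # Qakbot campaign IDs are Unix timestamps

C2_RAW = """
122.61.213.85:443
2.50.89.119:995
86.98.145.152:2222
86.140.82.116:20
82.127.125.209:990
92.154.83.96:1194
78.132.115.83:6881
2.50.110.49:2078
217.133.54.140:32100
41.225.13.128:8443
82.127.125.209:22
not-an-ip:443
10.0.0.1:443
"""

# Ports that dominate this config; entries on other ports are surfaced
# for review rather than silently blocked by a port-based rule.
EXPECTED_PORTS = {443, 995, 2222}


def parse_c2(raw: str) -> list[tuple[str, int]]:
    """Return (ip, port) pairs; drop malformed lines and non-routable addresses."""
    entries = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        host, sep, port_text = line.rpartition(":")
        if not sep:
            continue
        try:
            ip = ipaddress.ip_address(host)
            port = int(port_text)
        except ValueError:
            continue
        # RFC1918/loopback entries in a blocklist would break internal traffic.
        if not ip.is_global or not 0 < port < 65536:
            continue
        entries.append((str(ip), port))
    return entries


def campaign_time(campaign_id: int) -> str:
    """Render the campaign ID as the UTC time it encodes."""
    return datetime.fromtimestamp(campaign_id, tz=timezone.utc).strftime(
        "%Y-%m-%d %H:%M:%S UTC"
    )


def unusual_ports(entries: list[tuple[str, int]]) -> dict[int, list[str]]:
    """Group addresses whose port is outside EXPECTED_PORTS, keyed by port."""
    grouped: dict[int, list[str]] = {}
    for ip, port in entries:
        if port not in EXPECTED_PORTS:
            grouped.setdefault(port, []).append(ip)
    return grouped


def suricata_rules(entries, botnet: str, sid_start: int = 9000001) -> list[str]:
    """One outbound-connection alert per C2 pair; SIDs are local-range placeholders."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} '
        f'(msg:"Qakbot {botnet} C2 {ip}:{port}"; flow:to_server; '
        f'sid:{sid_start + i}; rev:1;)'
        for i, (ip, port) in enumerate(entries)
    ]


if __name__ == "__main__":
    c2 = parse_c2(C2_RAW)
    print(f"botnet={BOTNET} campaign={CAMPAIGN} ({campaign_time(CAMPAIGN)})")
    print(f"{len(c2)} usable C2 entries")
    for port, ips in sorted(unusual_ports(c2).items()):
        print(f"  port {port}: {', '.join(ips)}")
    print("\n".join(suricata_rules(c2, BOTNET)))
```

Most Qakbot C2 entries are compromised residential hosts, so the list churns quickly; treat the rules as short-lived and re-extract the config from fresh samples rather than accumulating old addresses.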
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.

Executes dropped EXE (4 IoCs)
- PID 4012  3394.exe
- PID 2340  3394.exe
- PID 3908  yartramt.exe
- PID 2196  yartramt.exe

Deletes itself (1 IoC)
- PID 3016 (process name not captured by the sandbox)

Loads dropped DLL (1 IoC)
- PID 492  161120.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks SCSI registry key(s) (3 TTPs, 15 IoCs)
SCSI information is often read in order to detect sandboxing environments. All keys below are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI; paths are given relative to that root.
161120.exe:
- Key queried: (root)
- Key enumerated: (root)
- Key opened: (root)
3394.exe:
- Key opened: CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000
- Key value queried: Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service
- Key value queried: CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc
- Key opened: DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000
- Key value queried: CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service
- Key value queried: Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc
yartramt.exe:
- Key opened: DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000
- Key value queried: CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service
- Key value queried: Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc
- Key value queried: Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service
- Key value queried: CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc
- Key opened: CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000
Both dropped binaries read DeviceDesc and Service for each SCSI device (one disk, one CD-ROM); those are the values such checks typically compare against hypervisor vendor strings.
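What a VM-detection routine does with these keys is read the Ven_/Prod_ identity out of the device instance path (and the DeviceDesc value) and compare it with hypervisor identifiers. The Python below is an added example, not code from the report or from the sample: it parses the device IDs from rows transcribed from the table above, plus one constructed VMware-style row that is not in the report, and shows that the identities this sandbox exposes (Ven_Sanu, Prod_HeartDisk) would not satisfy such a check. VM_MARKERS and the function names are this example's own assumptions.

```python
"""Extract SCSI device identity from Enum\\SCSI registry paths and test it
the way a VM-detection routine would.

Added example; not the report's or the sample's own code. SCSI_ROWS are
transcribed from the report's "Checks SCSI registry key(s)" table except
the last row, which is constructed to show what a VMware guest exposes.
VM_MARKERS and the function names are this example's own choices.
"""
import re
from collections import defaultdict

SCSI_ROOT = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"

SCSI_ROWS = [
    ("Key queried", SCSI_ROOT, "161120.exe"),
    ("Key enumerated", SCSI_ROOT, "161120.exe"),
    ("Key opened", SCSI_ROOT + r"\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000", "3394.exe"),
    ("Key value queried", SCSI_ROOT + r"\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service", "3394.exe"),
    ("Key value queried", SCSI_ROOT + r"\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc", "yartramt.exe"),
    ("Key value queried", SCSI_ROOT + r"\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc", "yartramt.exe"),
    # Constructed: the identity a VMware virtual disk reports (not in the report).
    ("Key value queried", SCSI_ROOT + r"\Disk&Ven_VMware&Prod_Virtual_disk\5&1982005&0&000000\DeviceDesc", "constructed.exe"),
]

# Substrings hypervisors put in SCSI vendor/product IDs; matching is case-insensitive.
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "virtual", "msft", "xen", "red hat")

# Device instance path segment: <class>&Ven_<vendor>&Prod_<product>; vendor may be empty.
DEVICE_ID = re.compile(r"\\SCSI\\([^&\\]+)&Ven_([^&\\]*)&Prod_([^&\\]*)", re.IGNORECASE)


def parse_device_id(path: str):
    """Return (class, vendor, product) from a key path, or None for the bare SCSI root."""
    m = DEVICE_ID.search(path)
    return m.groups() if m else None


def looks_virtual(vendor: str, product: str) -> bool:
    """The comparison an evasion check makes: any hypervisor marker in vendor or product."""
    haystack = f"{vendor} {product}".lower()
    return any(marker in haystack for marker in VM_MARKERS)


def summarize(rows):
    """Per process: distinct devices queried and which of them would satisfy a VM check."""
    report = defaultdict(lambda: {"devices": set(), "virtual_hits": set()})
    for _action, path, process in rows:
        ident = parse_device_id(path)
        if ident is None:
            continue  # enumerating the root says nothing about the devices yet
        _cls, vendor, product = ident
        report[process]["devices"].add((vendor, product))
        if looks_virtual(vendor, product):
            report[process]["virtual_hits"].add((vendor, product))
    return dict(report)


if __name__ == "__main__":
    for process, info in summarize(SCSI_ROWS).items():
        verdict = "would detect VM" if info["virtual_hits"] else "sees nothing virtual"
        print(f"{process}: {sorted(info['devices'])} -> {verdict}")
```

For detection the useful signal is not the strings returned but who is asking: a freshly dropped binary in %TEMP% or %APPDATA% reading DeviceDesc under Enum\SCSI has no legitimate reason to, whereas setup and inventory software that does so runs from known paths.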
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. The task created here (PID 3448 in the process tree below) runs the dropped 3394.exe as NT AUTHORITY\SYSTEM once, inside a twelve-minute window (/ST 20:29 /ET 20:41), and the /Z switch deletes the task after that window closes, so the artifact does not stay on disk for later review.
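Persistence through schtasks is easy to spot once the command line is parsed rather than pattern-matched as a whole. The Python below is an added example, not code from the sandbox report: it tokenizes the exact schtasks command line recorded in the process tree of this report (and a constructed benign control), extracts the /options, and scores the combination that matters here: SYSTEM run-as, an action binary in a user-writable directory, a one-shot schedule, self-deletion with /Z, a generated-looking task name and a short /ST-/ET window. The tokenizer, the USER_WRITABLE pattern, the name heuristic and the 60-minute threshold are this example's own assumptions.

```python
"""Score a schtasks.exe command line for persistence red flags.

Added example; not code from the sandbox report. SAMPLE_CMDLINE is the
schtasks command line recorded in the report's process tree; BENIGN_CMDLINE
is constructed as a control. The tokenizer, the option parser, the
USER_WRITABLE pattern, the task-name heuristic and the 60-minute window
threshold are this example's own assumptions.
"""
import re

SAMPLE_CMDLINE = (
    r'"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn mpuarlxnea '
    r'/tr "\"C:\Users\Admin\AppData\Local\Temp\3394.exe\" /I mpuarlxnea" '
    r'/SC ONCE /Z /ST 20:29 /ET 20:41'
)
BENIGN_CMDLINE = (  # constructed control case
    r'schtasks.exe /Create /tn Backup /tr "C:\Program Files\Backup\run.exe" /SC DAILY /ST 02:00'
)

# Directories an unprivileged user can write to; a SYSTEM task pointing here is a classic sign.
USER_WRITABLE = re.compile(
    r"\\(?:AppData\\Local\\Temp|AppData\\Local|AppData\\Roaming|Downloads|ProgramData|Users\\Public)\\",
    re.IGNORECASE,
)


def win_split(cmdline: str) -> list[str]:
    """Minimal Windows-style argv split: whitespace separates, double quotes group,
    backslash-quote is a literal quote. Not a full CommandLineToArgvW clone
    (a backslash directly before a closing quote is not handled)."""
    args, cur, in_quotes, i = [], [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "\\" and i + 1 < len(cmdline) and cmdline[i + 1] == '"':
            cur.append('"')
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        args.append("".join(cur))
    return args


def parse_schtasks(cmdline: str) -> dict:
    """Map upper-cased /options to their value (None for bare switches such as /Z)."""
    args = win_split(cmdline)
    opts, i = {}, 1  # skip the executable
    while i < len(args):
        if args[i].startswith("/"):
            key = args[i][1:].upper()
            if i + 1 < len(args) and not args[i + 1].startswith("/"):
                opts[key] = args[i + 1]
                i += 2
                continue
            opts[key] = None
        i += 1
    return opts


def window_minutes(opts: dict):
    """Minutes between /ST and /ET, or None if either is absent."""
    if not opts.get("ST") or not opts.get("ET"):
        return None
    h1, m1 = map(int, opts["ST"].split(":"))
    h2, m2 = map(int, opts["ET"].split(":"))
    return (h2 * 60 + m2) - (h1 * 60 + m1)


def score_task(opts: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    if "CREATE" not in opts:
        return findings
    run_as = (opts.get("RU") or "").upper().replace("NT AUTHORITY\\", "")
    if run_as == "SYSTEM":
        findings.append("runs as SYSTEM")
    if USER_WRITABLE.search(opts.get("TR") or ""):
        findings.append("action binary lives in a user-writable directory")
    if (opts.get("SC") or "").upper() == "ONCE":
        findings.append("one-shot schedule (/SC ONCE)")
    if "Z" in opts:
        findings.append("self-deleting task (/Z)")
    name = opts.get("TN") or ""
    # Crude generated-name heuristic: long, lowercase-only, many distinct letters. Tune per estate.
    if re.fullmatch(r"[a-z]{8,}", name) and len(set(name)) >= 6:
        findings.append(f"task name looks generated: {name}")
    window = window_minutes(opts)
    if window is not None and 0 < window <= 60:
        findings.append(f"short run window of {window} minutes bounded by /ET")
    return findings


if __name__ == "__main__":
    for label, cmd in (("report", SAMPLE_CMDLINE), ("control", BENIGN_CMDLINE)):
        print(label, score_task(parse_schtasks(cmd)) or ["no findings"])
```

Because /Z removes the task, the Task Scheduler operational log and the process-creation event for schtasks.exe are the durable records; the task XML under C:\Windows\System32\Tasks will already be gone by the time an analyst looks.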
Suspicious behavior: EnumeratesProcesses (1216 IoCs; the table lists only a sample)
- PID 492   161120.exe (2 events)
- PID 3016  (process name not captured) all remaining listed events

Suspicious behavior: MapViewOfSection (32 IoCs)
- PID 492   161120.exe (1 event)
- PID 3016  (process name not captured) 30 events
- PID 3908  yartramt.exe (1 event)

Suspicious use of UnmapMainImage (1 IoC)
- PID 3016 (process name not captured)

Suspicious use of WriteProcessMemory (74 IoCs; 64 listed, grouped here as source PID -> target PID, target image, number of writes)
- 3016 -> 4012  3394.exe      3
- 3016 -> 208   explorer.exe  4
- 3016 -> 2232  explorer.exe  3
- 3016 -> 636   explorer.exe  4
- 3016 -> 3056  explorer.exe  4
- 3016 -> 1736  explorer.exe  4
- 4012 -> 2340  3394.exe      3   (source image 3394.exe)
- 3016 -> 3144  explorer.exe  3
- 3016 -> 1336  explorer.exe  4
- 3016 -> 3452  explorer.exe  3
- 3016 -> 1532  explorer.exe  4
- 3016 -> 2656  explorer.exe  3
- 3016 -> 3392  explorer.exe  4
- 3016 -> 2164  explorer.exe  4
- 3016 -> 1204  explorer.exe  4
- 3016 -> 3232  explorer.exe  3
- 3016 -> 3976  explorer.exe  4
- 4012 -> 3908  yartramt.exe  3   (source image 3394.exe)
PID 3016 (image not captured) writes into fifteen explorer.exe instances (the depth-1 explorer.exe entries in the process tree) and into 3394.exe (4012); 4012 in turn writes into its own child 3394.exe (2340) and into yartramt.exe (3908).
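The WriteProcessMemory table reads more easily as a graph. The Python below is an added example, not code from the report: it takes the rows above (transcribed, with repeats collapsed to a count), builds a source-to-target graph, reconstructs every injection chain starting at PID 3016, and flags any process that writes into several explorer.exe instances, the pattern visible in this report. Function names and the fan-out threshold are this example's assumptions.

```python
"""Rebuild the process-injection graph from a WriteProcessMemory table.

Added example; not code from the sandbox report. WRITES transcribes the
report's 64 listed rows as (source pid, target pid, target image, writes).
Function names and the fan-out threshold are this example's own choices.
"""
from collections import defaultdict

WRITES = [
    (3016, 4012, "3394.exe", 3),
    (3016, 208, "explorer.exe", 4),
    (3016, 2232, "explorer.exe", 3),
    (3016, 636, "explorer.exe", 4),
    (3016, 3056, "explorer.exe", 4),
    (3016, 1736, "explorer.exe", 4),
    (4012, 2340, "3394.exe", 3),
    (3016, 3144, "explorer.exe", 3),
    (3016, 1336, "explorer.exe", 4),
    (3016, 3452, "explorer.exe", 3),
    (3016, 1532, "explorer.exe", 4),
    (3016, 2656, "explorer.exe", 3),
    (3016, 3392, "explorer.exe", 4),
    (3016, 2164, "explorer.exe", 4),
    (3016, 1204, "explorer.exe", 4),
    (3016, 3232, "explorer.exe", 3),
    (3016, 3976, "explorer.exe", 4),
    (4012, 3908, "yartramt.exe", 3),
]


def build_graph(writes):
    """source pid -> {target pid: target image}."""
    graph = defaultdict(dict)
    for src, dst, image, _count in writes:
        graph[src][dst] = image
    return dict(graph)


def total_writes(writes) -> int:
    """Sum of the per-row write counts (64 for the rows listed in the report)."""
    return sum(count for *_, count in writes)


def fan_out(graph, image="explorer.exe"):
    """How many distinct processes of the given image each source writes into."""
    return {
        src: sum(1 for img in targets.values() if img == image)
        for src, targets in graph.items()
    }


def injection_chains(graph, root):
    """All root-to-leaf paths through the write graph (cycles are cut)."""
    chains, stack = [], [[root]]
    while stack:
        path = stack.pop()
        nxt = {dst: img for dst, img in graph.get(path[-1], {}).items() if dst not in path}
        if not nxt:
            chains.append(path)
        for dst in sorted(nxt):
            stack.append(path + [dst])
    return sorted(chains)


def flag_injectors(graph, threshold=3, image="explorer.exe"):
    """Sources that spray the same system image. A threshold of 3 already
    separates this sample (15 explorer.exe targets) from ordinary software."""
    return sorted(src for src, n in fan_out(graph, image).items() if n >= threshold)


if __name__ == "__main__":
    g = build_graph(WRITES)
    print(f"{total_writes(WRITES)} writes from {len(g)} injecting processes")
    print("fan-out into explorer.exe:", fan_out(g))
    print("flagged injectors:", flag_injectors(g))
    for chain in injection_chains(g, 3016):
        print(" -> ".join(str(pid) for pid in chain))
```

The same logic runs over Sysmon Event ID 8 (CreateRemoteThread) or 10 (ProcessAccess) telemetry once the rows are mapped to (source pid, target pid, target image); the fan-out check is what distinguishes this sample from a debugger or an EDR agent that also touches many processes but never the same spray of explorer.exe instances.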
Processes (indentation shows parent/child depth as recorded by the sandbox)

C:\Users\Admin\AppData\Local\Temp\161120.exe  (PID 492)
  cmd: "C:\Users\Admin\AppData\Local\Temp\161120.exe"
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\3394.exe  (PID 4012)
  cmd: C:\Users\Admin\AppData\Local\Temp\3394.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\3394.exe  (PID 2340)
      cmd: C:\Users\Admin\AppData\Local\Temp\3394.exe /C
      - Executes dropped EXE
      - Checks SCSI registry key(s)
    C:\Users\Admin\AppData\Roaming\Microsoft\Xfldy\yartramt.exe  (PID 3908)
      cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Xfldy\yartramt.exe
      - Executes dropped EXE
      - Suspicious behavior: MapViewOfSection
        C:\Users\Admin\AppData\Roaming\Microsoft\Xfldy\yartramt.exe  (PID 2196)
          cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Xfldy\yartramt.exe /C
          - Executes dropped EXE
          - Checks SCSI registry key(s)
        C:\Windows\SysWOW64\explorer.exe  (PID 3328)
          cmd: C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\schtasks.exe  (PID 3448)
      cmd: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn mpuarlxnea /tr "\"C:\Users\Admin\AppData\Local\Temp\3394.exe\" /I mpuarlxnea" /SC ONCE /Z /ST 20:29 /ET 20:41
      - Creates scheduled task(s)

Depth-1 explorer.exe instances (no recorded parent; these are the processes PID 3016 writes into, see "Suspicious use of WriteProcessMemory" above):
C:\Windows\SysWOW64\explorer.exe  (PID 208)
C:\Windows\explorer.exe  (PID 2232)
C:\Windows\SysWOW64\explorer.exe  (PID 636)
C:\Windows\SysWOW64\explorer.exe  (PID 3056)
C:\Windows\SysWOW64\explorer.exe  (PID 1736)
C:\Windows\explorer.exe  (PID 3144)
C:\Windows\SysWOW64\explorer.exe  (PID 1336)
C:\Windows\explorer.exe  (PID 3452)
C:\Windows\SysWOW64\explorer.exe  (PID 1532)
C:\Windows\SysWOW64\explorer.exe  (PID 3392)
C:\Windows\SysWOW64\explorer.exe  (PID 2164)
C:\Windows\explorer.exe  (PID 2656)
C:\Windows\SysWOW64\explorer.exe  (PID 1204)
C:\Windows\explorer.exe  (PID 3232)
C:\Windows\SysWOW64\explorer.exe  (PID 3976)
TTP references in the Signatures section are mapped to MITRE ATT&CK Enterprise v6.
Downloads (files retrieved during the run)

File 1 (listed six times in the report)
- MD5: ba98119e8d3b219a5ff1d3984a5f1bd0
- SHA1: 1de245ea6d17394a769da39711d8cde6eea88b4c
- SHA256: c4d55748a4499a17b13c62635b1a9137882739afdd05e855f3248b01541747b5
- SHA512: 589d5ee340c4117227cc0583236d625648d6f185800fee61077066c8b2d4424f3cc84212f8f77e6b3dcbfa3f872ed7264228b29a9ae71de3d6557fc7b917ccb7

File 2
- MD5: 8f1a8af50ffcaab836cfdd268a2b8f00
- SHA1: 6ad4e21ba9f7f5eab7e193fabeef6517de99c0a0
- SHA256: cd94932ac4a8fc9b92949e186330171ca045bd251b999c8467e57023f56fd545
- SHA512: 8ed4348000c92af99e4ef8c859a6a57e6f880dab12ff81235a568435432961a2ddade4599dcfd5890ef97a017069f93096ed6173f3ac5c6c3a4749515acf3371

File 3
- MD5: 50741b3f2d7debf5d2bed63d88404029
- SHA1: 56210388a627b926162b36967045be06ffb1aad3
- SHA256: f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c
- SHA512: fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3