Analysis
- max time kernel: 123s
- max time network: 131s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 22-01-2022 00:54
Static task: static1
Behavioral task: behavioral1
  Sample: 5ef197b347cbbc5e1710c61b6ed10da623d8e01766a2671886320d506e2f38d3.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 5ef197b347cbbc5e1710c61b6ed10da623d8e01766a2671886320d506e2f38d3.exe
  Resource: win10-en-20211208
General
- Target: 5ef197b347cbbc5e1710c61b6ed10da623d8e01766a2671886320d506e2f38d3.exe
- Size: 92KB
- MD5: b7bd80dd344af7649b4fd6e9b7b5fd5c
- SHA1: 7af79b82d78bdc60350fcd863a2c3de4a372f74a
- SHA256: 5ef197b347cbbc5e1710c61b6ed10da623d8e01766a2671886320d506e2f38d3
- SHA512: c4be13b74e2ab688430c6adb01d365b1820dc21f062dce621b0bacc5ec1bd83fe04bb762a76b6c525f757d220466fd9c80455d07d91f6b4df143420535bc7908
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | yara_rule: family_sakula
- Executes dropped EXE (1 IoC)
  pid 2844 | process: AdobeUpdate.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe"
  process: 5ef197b347cbbc5e1710c61b6ed10da623d8e01766a2671886320d506e2f38d3.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege | pid 2768 | process: 5ef197b347cbbc5e1710c61b6ed10da623d8e01766a2671886320d506e2f38d3.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2768 (5ef197b347cbbc5e1710c61b6ed10da623d8e01766a2671886320d506e2f38d3.exe) wrote to memory of PID 2844 (AdobeUpdate.exe), 3 entries
  PID 2768 (5ef197b347cbbc5e1710c61b6ed10da623d8e01766a2671886320d506e2f38d3.exe) wrote to memory of PID 3608 (cmd.exe), 3 entries
  PID 3608 (cmd.exe) wrote to memory of PID 2924 (PING.EXE), 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\5ef197b347cbbc5e1710c61b6ed10da623d8e01766a2671886320d506e2f38d3.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5ef197b347cbbc5e1710c61b6ed10da623d8e01766a2671886320d506e2f38d3.exe"
  PID: 2768
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    PID: 2844
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\5ef197b347cbbc5e1710c61b6ed10da623d8e01766a2671886320d506e2f38d3.exe"
    PID: 3608
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      PID: 2924
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: dab90d2b0fe3a38fa1e145037ea41f4a
SHA1: d282238dcb8f3e618c973a8b3457bb2f842d5f8a
SHA256: f6fe30a32046928982291030b15ce75aa0aaf8201d4519da324daf111a0496af
SHA512: e5f112df38c80e0f2ddbc7b0e08c2a1ee50aad63fde75624a6c0685e506da646d50f6b5c9979349058794fa3fcff11d120100b5f9e1794fa0e827f315afb5aa9