Analysis
- max time kernel: 122s
- max time network: 122s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 22-01-2022 00:02
Static task: static1
Behavioral task: behavioral1
  Sample: 8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe
  Resource: win10-en-20211208
General
- Target: 8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe
- Size: 92KB
- MD5: f1eb2a68d5d438e93a22b2126c812f4d
- SHA1: cdf92217a600be39b672e7160bf966c315106f13
- SHA256: 8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1
- SHA512: a605f5199ab60f7b68d05c48dc4fb1f3467658175b267fde7bf3056ca6c47babf25ef7f7f51b70203af050d6e8618d29c846514a9485db1ae2eda313251b86f6
Malware Config
Signatures
- Sakula Payload (6 IoCs)
  Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  1864 | AdobeUpdate.exe
- Deletes itself (1 IoC)
  Processes:
  pid | process
  2012 | cmd.exe
- Loads dropped DLL (4 IoCs)
  Processes:
  pid | process
  952 | 8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe
  1864 | AdobeUpdate.exe
  1864 | AdobeUpdate.exe
  1864 | AdobeUpdate.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" | 8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 952 | 8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
  description | pid | process | target process
  PID 952 wrote to memory of 1864 | 952 | 8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe | AdobeUpdate.exe
  PID 952 wrote to memory of 1864 | 952 | 8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe | AdobeUpdate.exe
  PID 952 wrote to memory of 1864 | 952 | 8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe | AdobeUpdate.exe
  PID 952 wrote to memory of 1864 | 952 | 8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe | AdobeUpdate.exe
  PID 952 wrote to memory of 1864 | 952 | 8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe | AdobeUpdate.exe
  PID 952 wrote to memory of 1864 | 952 | 8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe | AdobeUpdate.exe
  PID 952 wrote to memory of 1864 | 952 | 8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe | AdobeUpdate.exe
  PID 952 wrote to memory of 2012 | 952 | 8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe | cmd.exe
  PID 952 wrote to memory of 2012 | 952 | 8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe | cmd.exe
  PID 952 wrote to memory of 2012 | 952 | 8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe | cmd.exe
  PID 952 wrote to memory of 2012 | 952 | 8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe | cmd.exe
  PID 2012 wrote to memory of 1140 | 2012 | cmd.exe | PING.EXE
  PID 2012 wrote to memory of 1140 | 2012 | cmd.exe | PING.EXE
  PID 2012 wrote to memory of 1140 | 2012 | cmd.exe | PING.EXE
  PID 2012 wrote to memory of 1140 | 2012 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 952
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1864
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 2012
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1140
Network
MITRE ATT&CK Enterprise v6
Downloads (6 entries, all with identical hashes)
- MD5: 626ff5ef055b8f083d954d6a6608bb64
  SHA1: 5c168c28c51332799d13e44d158c0d9b5dbf7fb0
  SHA256: 2a4431e6332825095ff5dde91df3d01c5c3a89123e0fe97816d32e8a27e265d0
  SHA512: b33a4069699040b318897e1d23f87c38e0c8e36f90cf076dfc84f3726972e872fcf999e339aace1399cd3a321e18b6b90b85076104cc004c067f85602748b226