Analysis
- max time kernel: 179s
- max time network: 183s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 22-01-2022 00:02
Static task: static1
Behavioral task: behavioral1
  Sample: 8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe
  Resource: win10-en-20211208
General
- Target: 8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe
- Size: 92KB
- MD5: f1eb2a68d5d438e93a22b2126c812f4d
- SHA1: cdf92217a600be39b672e7160bf966c315106f13
- SHA256: 8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1
- SHA512: a605f5199ab60f7b68d05c48dc4fb1f3467658175b267fde7bf3056ca6c47babf25ef7f7f51b70203af050d6e8618d29c846514a9485db1ae2eda313251b86f6
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | yara_rule: family_sakula
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | yara_rule: family_sakula
- Executes dropped EXE (1 IoC)
  Processes:
    pid: 1304 | process: AdobeUpdate.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" | process: 8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeIncBasePriorityPrivilege | pid: 3792 | process: 8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description: PID 3792 wrote to memory of 1304 | pid: 3792 | process: 8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe | target process: AdobeUpdate.exe
    description: PID 3792 wrote to memory of 1304 | pid: 3792 | process: 8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe | target process: AdobeUpdate.exe
    description: PID 3792 wrote to memory of 1304 | pid: 3792 | process: 8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe | target process: AdobeUpdate.exe
    description: PID 3792 wrote to memory of 1352 | pid: 3792 | process: 8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe | target process: cmd.exe
    description: PID 3792 wrote to memory of 1352 | pid: 3792 | process: 8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe | target process: cmd.exe
    description: PID 3792 wrote to memory of 1352 | pid: 3792 | process: 8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe | target process: cmd.exe
    description: PID 1352 wrote to memory of 2912 | pid: 1352 | process: cmd.exe | target process: PING.EXE
    description: PID 1352 wrote to memory of 2912 | pid: 1352 | process: cmd.exe | target process: PING.EXE
    description: PID 1352 wrote to memory of 2912 | pid: 1352 | process: cmd.exe | target process: PING.EXE
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3792
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    - Executes dropped EXE
    PID: 1304
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\8d1c5699b7d49a787ed0c43b51e887ad8738b499f8d6f1a8b811566859827dd1.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1352
    - [depth 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2912
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: ea80c2ca0877efbd8d0148028eef868f
  SHA1: 4e3f45ca3cf7475b0aea6acd7abec400426e37aa
  SHA256: 3efe7118269909c7e78c8c5b538c6bc14ebb46003a5c75e245cbfea272c8c443
  SHA512: 1e59c500470c8875b7071e88318543f7586d4b31c6d4e143ac5f8e2bbd631da6734526348688cb8b0fc49eda9e1acb4e29d37293fc43e7d99107ef93fae98484