Analysis
- max time kernel: 117s
- max time network: 119s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 22-01-2022 01:27
Static task: static1
Behavioral task: behavioral1
  Sample: 00a8ca14cdfc97e0140c090c8d832c88db1dc9ee728e409eba5489f0dc29037c.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 00a8ca14cdfc97e0140c090c8d832c88db1dc9ee728e409eba5489f0dc29037c.exe
  Resource: win10-en-20211208
General
- Target: 00a8ca14cdfc97e0140c090c8d832c88db1dc9ee728e409eba5489f0dc29037c.exe
- Size: 92KB
- MD5: 985e819294cdc3b5561c5befa4bcbc5b
- SHA1: 7dd8c325b377a9dbcccc0d9c39ebb553a7fd2b93
- SHA256: 00a8ca14cdfc97e0140c090c8d832c88db1dc9ee728e409eba5489f0dc29037c
- SHA512: d8e4e8aa91b2ec09eec0f7a8bf7375f46afcc8cbe33d5d65a36c9d2eeb6883eaa7ebd09f03382a99efed9acb6b258cbfde369780c0a96e2a014722669352717b
Malware Config
Signatures
- Sakula Payload (6 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
- Executes dropped EXE (1 IoC)
  pid | process
  1876 | AdobeUpdate.exe
- Deletes itself (1 IoC)
  pid | process
  1652 | cmd.exe
- Loads dropped DLL (4 IoCs)
  pid | process
  528 | 00a8ca14cdfc97e0140c090c8d832c88db1dc9ee728e409eba5489f0dc29037c.exe
  1876 | AdobeUpdate.exe
  1876 | AdobeUpdate.exe
  1876 | AdobeUpdate.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" | 00a8ca14cdfc97e0140c090c8d832c88db1dc9ee728e409eba5489f0dc29037c.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 528 | 00a8ca14cdfc97e0140c090c8d832c88db1dc9ee728e409eba5489f0dc29037c.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | process | target process
  PID 528 wrote to memory of 1876 | 528 | 00a8ca14cdfc97e0140c090c8d832c88db1dc9ee728e409eba5489f0dc29037c.exe | AdobeUpdate.exe (7 entries)
  PID 528 wrote to memory of 1652 | 528 | 00a8ca14cdfc97e0140c090c8d832c88db1dc9ee728e409eba5489f0dc29037c.exe | cmd.exe (4 entries)
  PID 1652 wrote to memory of 1640 | 1652 | cmd.exe | PING.EXE (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\00a8ca14cdfc97e0140c090c8d832c88db1dc9ee728e409eba5489f0dc29037c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\00a8ca14cdfc97e0140c090c8d832c88db1dc9ee728e409eba5489f0dc29037c.exe"
  PID: 528
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    PID: 1876
    - Executes dropped EXE
    - Loads dropped DLL
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\00a8ca14cdfc97e0140c090c8d832c88db1dc9ee728e409eba5489f0dc29037c.exe"
    PID: 1652
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1640
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- 6 entries, all with identical hashes:
  MD5: 65313bf2e2cf307a36ab9ceb35e35d63
  SHA1: 5a51331d15ebe97b2e16f65aba7556d4b83158af
  SHA256: e9cada434ea6024bfae7a357d8c5d5512b6a3321d5c25f78953d519c8837b937
  SHA512: 65d77ba4b689abc7027443d9d12d0b0b8581a0aba024655a474be044434dcd51ab15ff553e9502e1e6d44ad197d05126b8a201e7d9a5e426b019ddca257a7c82