Analysis
- max time kernel: 118s
- max time network: 145s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 22-01-2022 01:27
Static task: static1
Behavioral task: behavioral1
- Sample: 00a8ca14cdfc97e0140c090c8d832c88db1dc9ee728e409eba5489f0dc29037c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 00a8ca14cdfc97e0140c090c8d832c88db1dc9ee728e409eba5489f0dc29037c.exe
- Resource: win10-en-20211208
General
- Target: 00a8ca14cdfc97e0140c090c8d832c88db1dc9ee728e409eba5489f0dc29037c.exe
- Size: 92KB
- MD5: 985e819294cdc3b5561c5befa4bcbc5b
- SHA1: 7dd8c325b377a9dbcccc0d9c39ebb553a7fd2b93
- SHA256: 00a8ca14cdfc97e0140c090c8d832c88db1dc9ee728e409eba5489f0dc29037c
- SHA512: d8e4e8aa91b2ec09eec0f7a8bf7375f46afcc8cbe33d5d65a36c9d2eeb6883eaa7ebd09f03382a99efed9acb6b258cbfde369780c0a96e2a014722669352717b
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  2752 | AdobeUpdate.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" | 00a8ca14cdfc97e0140c090c8d832c88db1dc9ee728e409eba5489f0dc29037c.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 2764 | 00a8ca14cdfc97e0140c090c8d832c88db1dc9ee728e409eba5489f0dc29037c.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 2764 wrote to memory of 2752 | 2764 | 00a8ca14cdfc97e0140c090c8d832c88db1dc9ee728e409eba5489f0dc29037c.exe | AdobeUpdate.exe
  PID 2764 wrote to memory of 2752 | 2764 | 00a8ca14cdfc97e0140c090c8d832c88db1dc9ee728e409eba5489f0dc29037c.exe | AdobeUpdate.exe
  PID 2764 wrote to memory of 2752 | 2764 | 00a8ca14cdfc97e0140c090c8d832c88db1dc9ee728e409eba5489f0dc29037c.exe | AdobeUpdate.exe
  PID 2764 wrote to memory of 2168 | 2764 | 00a8ca14cdfc97e0140c090c8d832c88db1dc9ee728e409eba5489f0dc29037c.exe | cmd.exe
  PID 2764 wrote to memory of 2168 | 2764 | 00a8ca14cdfc97e0140c090c8d832c88db1dc9ee728e409eba5489f0dc29037c.exe | cmd.exe
  PID 2764 wrote to memory of 2168 | 2764 | 00a8ca14cdfc97e0140c090c8d832c88db1dc9ee728e409eba5489f0dc29037c.exe | cmd.exe
  PID 2168 wrote to memory of 1748 | 2168 | cmd.exe | PING.EXE
  PID 2168 wrote to memory of 1748 | 2168 | cmd.exe | PING.EXE
  PID 2168 wrote to memory of 1748 | 2168 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\00a8ca14cdfc97e0140c090c8d832c88db1dc9ee728e409eba5489f0dc29037c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\00a8ca14cdfc97e0140c090c8d832c88db1dc9ee728e409eba5489f0dc29037c.exe"
  PID: 2764
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    PID: 2752
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\00a8ca14cdfc97e0140c090c8d832c88db1dc9ee728e409eba5489f0dc29037c.exe"
    PID: 2168
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1748
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: d9b781ee1739e374aeb89a95cd0143ab
- SHA1: 32538310a2be254084241d096e8f66fb2a0d491b
- SHA256: fbb5281b049581d5c3cd90e9ed70ea3bfe93991713d0b152b16d8c1ced007db0
- SHA512: 19bb56bfa6811975278952cffb0549e7a4c73740146163ae9202f0c9cc51cc742848799745bfb441ac0c638ccdfa67cf74857230544b36ff8b2da0413856cbdd