Analysis
- max time kernel: 121s
- max time network: 127s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30-01-2022 21:27
Static task: static1
Behavioral task: behavioral1
- Sample: 9c320f1de18921854ad375f5b949f8e825f6d6c4b2805b8b7a09e0d7d73c5ed5.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 9c320f1de18921854ad375f5b949f8e825f6d6c4b2805b8b7a09e0d7d73c5ed5.exe
- Resource: win10-en-20211208
General
- Target: 9c320f1de18921854ad375f5b949f8e825f6d6c4b2805b8b7a09e0d7d73c5ed5.exe
- Size: 92KB
- MD5: 28771cb939b989e2ab898408ccaf5504
- SHA1: 266eac16a3fd721ac7b99c238437e59f0e0ccb14
- SHA256: 9c320f1de18921854ad375f5b949f8e825f6d6c4b2805b8b7a09e0d7d73c5ed5
- SHA512: b4c85910daf5c6d419dd939e3a86c4451fb18993ba83accc097ab7ea95e71fb18f5a6d30ca8e446184b7ed2b187841462cf786dbf4cf660c2b8fe40d24e474df
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  1448 | AdobeUpdate.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" | 9c320f1de18921854ad375f5b949f8e825f6d6c4b2805b8b7a09e0d7d73c5ed5.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1276 | 9c320f1de18921854ad375f5b949f8e825f6d6c4b2805b8b7a09e0d7d73c5ed5.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 1276 wrote to memory of 1448 | 1276 | 9c320f1de18921854ad375f5b949f8e825f6d6c4b2805b8b7a09e0d7d73c5ed5.exe | AdobeUpdate.exe
  PID 1276 wrote to memory of 1448 | 1276 | 9c320f1de18921854ad375f5b949f8e825f6d6c4b2805b8b7a09e0d7d73c5ed5.exe | AdobeUpdate.exe
  PID 1276 wrote to memory of 1448 | 1276 | 9c320f1de18921854ad375f5b949f8e825f6d6c4b2805b8b7a09e0d7d73c5ed5.exe | AdobeUpdate.exe
  PID 1276 wrote to memory of 1128 | 1276 | 9c320f1de18921854ad375f5b949f8e825f6d6c4b2805b8b7a09e0d7d73c5ed5.exe | cmd.exe
  PID 1276 wrote to memory of 1128 | 1276 | 9c320f1de18921854ad375f5b949f8e825f6d6c4b2805b8b7a09e0d7d73c5ed5.exe | cmd.exe
  PID 1276 wrote to memory of 1128 | 1276 | 9c320f1de18921854ad375f5b949f8e825f6d6c4b2805b8b7a09e0d7d73c5ed5.exe | cmd.exe
  PID 1128 wrote to memory of 3896 | 1128 | cmd.exe | PING.EXE
  PID 1128 wrote to memory of 3896 | 1128 | cmd.exe | PING.EXE
  PID 1128 wrote to memory of 3896 | 1128 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\9c320f1de18921854ad375f5b949f8e825f6d6c4b2805b8b7a09e0d7d73c5ed5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9c320f1de18921854ad375f5b949f8e825f6d6c4b2805b8b7a09e0d7d73c5ed5.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1276
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    - Executes dropped EXE
    PID: 1448
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\9c320f1de18921854ad375f5b949f8e825f6d6c4b2805b8b7a09e0d7d73c5ed5.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1128
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3896
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: a3cb65982f62ebabd9f12f5550a450d4
  SHA1: ff3f144742b9fd384f3959eb8b77f6cfb726fce5
  SHA256: 5f733f48ea550b8f02a7b1ea0a58dca6b6057af7fefb63719c7430547b85e640
  SHA512: 4820faaf4a438e0a79a3b5182519e76991f16615b3a29f847fd44077c03718170142656c24e8300bb9cf255d8711a182e8fed7dd5156651629996b85194ea1f7