Analysis
max time kernel: 118s
max time network: 126s
platform: windows7_x64
resource: win7-en-20211208
submitted: 30-01-2022 22:37
Static task: static1
Behavioral task: behavioral1
  Sample: 0df2c40c53e601e9128c2644c10c8d7a9e4dd9d8fffc5d27b6f28df7b7ff8930.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0df2c40c53e601e9128c2644c10c8d7a9e4dd9d8fffc5d27b6f28df7b7ff8930.exe
  Resource: win10-en-20211208
General
Target: 0df2c40c53e601e9128c2644c10c8d7a9e4dd9d8fffc5d27b6f28df7b7ff8930.exe
Size: 92KB
MD5: 124089995494be38d866de08c12f99ef
SHA1: 8f9d32b0c754b53ee78d8ab538c27f980c5d523d
SHA256: 0df2c40c53e601e9128c2644c10c8d7a9e4dd9d8fffc5d27b6f28df7b7ff8930
SHA512: 06e021f6663f3a56a993bffc8f14320c6cfa720dfccf9fec6458b43445dacb9f38d570c7239e09884bb9faf86ff12e5791d57773c86b9342aa1afd3363f09fc6
Malware Config
Signatures
Sakula Payload (6 IoCs)
resource / yara_rule:
  \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe  family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe  family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe  family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe  family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe  family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe  family_sakula
Executes dropped EXE (1 IoC)
pid / process:
  1552  AdobeUpdate.exe
Deletes itself (1 IoC)
pid / process:
  744  cmd.exe
Loads dropped DLL (4 IoCs)
pid / process:
  1280  0df2c40c53e601e9128c2644c10c8d7a9e4dd9d8fffc5d27b6f28df7b7ff8930.exe
  1552  AdobeUpdate.exe
  1552  AdobeUpdate.exe
  1552  AdobeUpdate.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description / ioc / process:
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe"  0df2c40c53e601e9128c2644c10c8d7a9e4dd9d8fffc5d27b6f28df7b7ff8930.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox describes this signature generically as likely ransomware behaviour; for this sample the YARA match is the Sakula family, a remote access trojan, so the drive enumeration is more plausibly host reconnaissance than a prelude to file encryption.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
description / pid / process:
  Token: SeIncBasePriorityPrivilege  1280  0df2c40c53e601e9128c2644c10c8d7a9e4dd9d8fffc5d27b6f28df7b7ff8930.exe
Suspicious use of WriteProcessMemory (15 IoCs)
description / pid / process / target process:
  PID 1280 wrote to memory of 1552  0df2c40c53e601e9128c2644c10c8d7a9e4dd9d8fffc5d27b6f28df7b7ff8930.exe -> AdobeUpdate.exe  (7 times)
  PID 1280 wrote to memory of 744   0df2c40c53e601e9128c2644c10c8d7a9e4dd9d8fffc5d27b6f28df7b7ff8930.exe -> cmd.exe  (4 times)
  PID 744 wrote to memory of 1808   cmd.exe -> PING.EXE  (4 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\0df2c40c53e601e9128c2644c10c8d7a9e4dd9d8fffc5d27b6f28df7b7ff8930.exe  (PID 1280)
   command line: "C:\Users\Admin\AppData\Local\Temp\0df2c40c53e601e9128c2644c10c8d7a9e4dd9d8fffc5d27b6f28df7b7ff8930.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe  (PID 1552)
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
      - Executes dropped EXE
      - Loads dropped DLL
   2. C:\Windows\SysWOW64\cmd.exe  (PID 744)
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0df2c40c53e601e9128c2644c10c8d7a9e4dd9d8fffc5d27b6f28df7b7ff8930.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE  (PID 1808)
         command line: ping 127.0.0.1
         - Runs ping.exe

Two points worth reading off this tree. First, the command line names C:\Windows\System32\cmd.exe but the image that actually ran is C:\Windows\SysWOW64\cmd.exe: the dropper is a 32-bit process on an x64 VM, so WOW64 file-system redirection maps System32 to SysWOW64 (the same redirection is why the Run key lands under Wow6432Node). Second, ping 127.0.0.1 is used purely as a short delay so the dropper has exited and released its file lock before del /q removes it; after that, the only on-disk copy is AdobeUpdate.exe under MicroMedia, which the Run key starts at logon.
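Detection logic for the chain shown in this process tree (a binary in the user Temp directory launches a second binary it dropped there, writes a Run key whose command points into Temp, and uses cmd.exe /c ping 127.0.0.1 & del to remove itself), as an added example that is not part of the sandbox report. The events below are constructed Sysmon-style records modelled on the process tree and the registry write in this report; the event field names, the rule names, and the explorer.exe and setup.exe control rows are assumptions made for the example.

```python
import re

# Names taken from the report; everything else in the event data is constructed.
SAMPLE = "0df2c40c53e601e9128c2644c10c8d7a9e4dd9d8fffc5d27b6f28df7b7ff8930.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed Sysmon-style events (event 1 = process create, event 13 = registry
# value set), modelled on the process tree in this report. Not sandbox output.
EVENTS = [
    {"event": 1, "pid": 1100, "ppid": 4, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},                                # assumed launcher
    {"event": 1, "pid": 1280, "ppid": 1100, "image": f"{TEMP}\\{SAMPLE}",
     "cmdline": f'"{TEMP}\\{SAMPLE}"'},
    {"event": 13, "pid": 1280,
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate",
     "data": f"{TEMP}\\MicroMedia\\AdobeUpdate.exe"},
    {"event": 1, "pid": 1552, "ppid": 1280, "image": f"{TEMP}\\MicroMedia\\AdobeUpdate.exe",
     "cmdline": f"{TEMP}\\MicroMedia\\AdobeUpdate.exe"},
    {"event": 1, "pid": 744, "ppid": 1280, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{TEMP}\\{SAMPLE}"'},
    {"event": 1, "pid": 1808, "ppid": 744, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # Benign control (assumed): a user-run installer in Temp, launched by explorer.
    {"event": 1, "pid": 2000, "ppid": 1100, "image": f"{TEMP}\\setup.exe",
     "cmdline": f'"{TEMP}\\setup.exe"'},
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
# "ping <anything> & del [/switches] <file>": ping is the delay, del the clean-up.
PING_THEN_DEL = re.compile(
    r'\bping\b[^&|]*[&|]+\s*del\b(?:\s+/\w+)*\s+"?([^"]+?)"?\s*$', re.I)


def self_delete_target(cmdline):
    """Return the file removed by a 'ping ... & del ...' command line, else None."""
    m = PING_THEN_DEL.search(cmdline)
    return m.group(1) if m else None


def analyse(events):
    """Return (rule, pid) findings for the dropper pattern seen in this report."""
    procs = {e["pid"]: e for e in events if e["event"] == 1}
    findings = []
    for e in events:
        if e["event"] == 1:
            parent = procs.get(e["ppid"])
            # Rule 1: a binary in Temp runs another binary that also lives in Temp
            # (dropper executing its payload). explorer -> setup.exe is not flagged.
            if parent and TEMP_DIR.search(e["image"]) and TEMP_DIR.search(parent["image"]):
                findings.append(("exec_dropped_from_temp", e["pid"]))
            # Rule 2: cmd.exe delays with ping, then deletes its parent's own image.
            target = self_delete_target(e["cmdline"])
            if target and parent and target.lower() == parent["image"].lower():
                findings.append(("self_delete_via_ping", e["ppid"]))
        elif e["event"] == 13:
            # Rule 3: Run-key persistence whose command points into a user Temp dir.
            if RUN_KEY.search(e["target"]) and TEMP_DIR.search(e["data"]):
                findings.append(("run_key_to_temp", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in analyse(EVENTS):
        print(f"{rule:24} pid={pid}")
```

Rule 2 compares the del target against the parent's image path rather than matching on "ping & del" alone, so ordinary batch clean-up of other files is not flagged; rule 1 keys on the parent also living in Temp, which is what separates a dropper running its payload from a user double-clicking an installer they saved there.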
Network
MITRE ATT&CK Enterprise v6
Downloads (6 entries, all the same file)
MD5: 4ceb89ebc10133f4a5d1b92b4fb3b7c7
SHA1: f55ba406d273640073c85c7ebd5ddecf2f553269
SHA256: 5343f74e2b293f5d7ba500d9bad2dec8549020983e1ec78b3586ba1becf51ec6
SHA512: d2ff7fe24c4fdc36098db84043ccd10f0b2b308cf04210167cf3bf1e7781fc949297ecedb30c561c3bee2eb689731e9899f3f128edaaf75ca24216a1a5a1fbff