Analysis
max time kernel: 179s
max time network: 179s
platform: windows10_x64
resource: win10-en-20211208
submitted: 30-01-2022 22:37
Static task: static1
Behavioral task: behavioral1
  Sample: 0df2c40c53e601e9128c2644c10c8d7a9e4dd9d8fffc5d27b6f28df7b7ff8930.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0df2c40c53e601e9128c2644c10c8d7a9e4dd9d8fffc5d27b6f28df7b7ff8930.exe
  Resource: win10-en-20211208
General
Target: 0df2c40c53e601e9128c2644c10c8d7a9e4dd9d8fffc5d27b6f28df7b7ff8930.exe
Size: 92KB
MD5: 124089995494be38d866de08c12f99ef
SHA1: 8f9d32b0c754b53ee78d8ab538c27f980c5d523d
SHA256: 0df2c40c53e601e9128c2644c10c8d7a9e4dd9d8fffc5d27b6f28df7b7ff8930
SHA512: 06e021f6663f3a56a993bffc8f14320c6cfa720dfccf9fec6458b43445dacb9f38d570c7239e09884bb9faf86ff12e5791d57773c86b9342aa1afd3363f09fc6
Malware Config
Signatures
Sakula Payload (2 IoCs)
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe  yara_rule: family_sakula
Executes dropped EXE (1 IoCs)
Processes:
  pid: 1140  process: AdobeUpdate.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe"
  process: 0df2c40c53e601e9128c2644c10c8d7a9e4dd9d8fffc5d27b6f28df7b7ff8930.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description: Token: SeIncBasePriorityPrivilege  pid: 3064  process: 0df2c40c53e601e9128c2644c10c8d7a9e4dd9d8fffc5d27b6f28df7b7ff8930.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description: PID 3064 wrote to memory of 1140  pid: 3064  process: 0df2c40c53e601e9128c2644c10c8d7a9e4dd9d8fffc5d27b6f28df7b7ff8930.exe  target process: AdobeUpdate.exe
  description: PID 3064 wrote to memory of 1140  pid: 3064  process: 0df2c40c53e601e9128c2644c10c8d7a9e4dd9d8fffc5d27b6f28df7b7ff8930.exe  target process: AdobeUpdate.exe
  description: PID 3064 wrote to memory of 1140  pid: 3064  process: 0df2c40c53e601e9128c2644c10c8d7a9e4dd9d8fffc5d27b6f28df7b7ff8930.exe  target process: AdobeUpdate.exe
  description: PID 3064 wrote to memory of 2156  pid: 3064  process: 0df2c40c53e601e9128c2644c10c8d7a9e4dd9d8fffc5d27b6f28df7b7ff8930.exe  target process: cmd.exe
  description: PID 3064 wrote to memory of 2156  pid: 3064  process: 0df2c40c53e601e9128c2644c10c8d7a9e4dd9d8fffc5d27b6f28df7b7ff8930.exe  target process: cmd.exe
  description: PID 3064 wrote to memory of 2156  pid: 3064  process: 0df2c40c53e601e9128c2644c10c8d7a9e4dd9d8fffc5d27b6f28df7b7ff8930.exe  target process: cmd.exe
  description: PID 2156 wrote to memory of 1268  pid: 2156  process: cmd.exe  target process: PING.EXE
  description: PID 2156 wrote to memory of 1268  pid: 2156  process: cmd.exe  target process: PING.EXE
  description: PID 2156 wrote to memory of 1268  pid: 2156  process: cmd.exe  target process: PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\0df2c40c53e601e9128c2644c10c8d7a9e4dd9d8fffc5d27b6f28df7b7ff8930.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0df2c40c53e601e9128c2644c10c8d7a9e4dd9d8fffc5d27b6f28df7b7ff8930.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3064
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    - Executes dropped EXE
    PID: 1140
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0df2c40c53e601e9128c2644c10c8d7a9e4dd9d8fffc5d27b6f28df7b7ff8930.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2156
    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1268
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: d85bacb99592e718dec072eedd2353e2
SHA1: 1fe4469c5a23347ac1aecd687eb0ebf59a2b85c9
SHA256: 5502dacc3c5b4694e271eb526b98a24f5987f88b6e088b30f268ae63bd493d19
SHA512: 945a9f4294a6e73dae569f3ac0e2ed5f02eda57462c0a2e75219a466ca27d47d8f9c9517e0f7a7683ca733712ec8e219f1213b8d9761002995198a7ca8f0ef68