Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 30-01-2022 00:06
Static task: static1
Behavioral task: behavioral1
- Sample: b6f8b8e822b6ec9b94a32c47fef924618bb392b3bbba37b28b5352ce98080c79.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: b6f8b8e822b6ec9b94a32c47fef924618bb392b3bbba37b28b5352ce98080c79.exe
- Resource: win10-en-20211208
General
- Target: b6f8b8e822b6ec9b94a32c47fef924618bb392b3bbba37b28b5352ce98080c79.exe
- Size: 92KB
- MD5: 0334b1043c62d48525a29aeb95afcb09
- SHA1: b934a7fd3d449934423f5bd7b2e5496e0377ede2
- SHA256: b6f8b8e822b6ec9b94a32c47fef924618bb392b3bbba37b28b5352ce98080c79
- SHA512: a78696f91d10f881068191f8335dabd154a18920f210c37c7d7aa574f55b9cc402e3c1125c6177a0887b272c44614d890269253da529937b53ca6b28d591e707
Malware Config
Signatures
- Sakula Payload (6 IoCs)
  Processes (resource | yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula (×4)
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula (×2)
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  828 | AdobeUpdate.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
  1964 | cmd.exe
- Loads dropped DLL (4 IoCs)
  Processes (pid | process):
  1664 | b6f8b8e822b6ec9b94a32c47fef924618bb392b3bbba37b28b5352ce98080c79.exe
  828 | AdobeUpdate.exe (×3)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" | b6f8b8e822b6ec9b94a32c47fef924618bb392b3bbba37b28b5352ce98080c79.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 1664 | b6f8b8e822b6ec9b94a32c47fef924618bb392b3bbba37b28b5352ce98080c79.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description | pid | process | target process):
  PID 1664 wrote to memory of 828 | 1664 | b6f8b8e822b6ec9b94a32c47fef924618bb392b3bbba37b28b5352ce98080c79.exe | AdobeUpdate.exe (×7)
  PID 1664 wrote to memory of 1964 | 1664 | b6f8b8e822b6ec9b94a32c47fef924618bb392b3bbba37b28b5352ce98080c79.exe | cmd.exe (×4)
  PID 1964 wrote to memory of 1100 | 1964 | cmd.exe | PING.EXE (×4)
Processes
- C:\Users\Admin\AppData\Local\Temp\b6f8b8e822b6ec9b94a32c47fef924618bb392b3bbba37b28b5352ce98080c79.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b6f8b8e822b6ec9b94a32c47fef924618bb392b3bbba37b28b5352ce98080c79.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1664
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 828
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\b6f8b8e822b6ec9b94a32c47fef924618bb392b3bbba37b28b5352ce98080c79.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1964
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1100
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 9084a0a7d80f8ea2c0d5421f1be1fb7b
  SHA1: 6e1dc718006c741377ecfc9511210881d3c71d70
  SHA256: ef797dfc24dd774b6b4810f98da8969c554769f571089761600f4b36ac017323
  SHA512: 1b1c13fbde0064998e9952e976d6c635cfadc43237934b2dbb7a4d8cab227a1886a7bbafcec0b3762b714464230ac88ce05078469cb4115a8667cfe2b982c81a