Analysis
- max time kernel: 120s
- max time network: 127s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30-01-2022 00:06
Static task: static1
Behavioral task: behavioral1
- Sample: b6f8b8e822b6ec9b94a32c47fef924618bb392b3bbba37b28b5352ce98080c79.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: b6f8b8e822b6ec9b94a32c47fef924618bb392b3bbba37b28b5352ce98080c79.exe
- Resource: win10-en-20211208
General
- Target: b6f8b8e822b6ec9b94a32c47fef924618bb392b3bbba37b28b5352ce98080c79.exe
- Size: 92KB
- MD5: 0334b1043c62d48525a29aeb95afcb09
- SHA1: b934a7fd3d449934423f5bd7b2e5496e0377ede2
- SHA256: b6f8b8e822b6ec9b94a32c47fef924618bb392b3bbba37b28b5352ce98080c79
- SHA512: a78696f91d10f881068191f8335dabd154a18920f210c37c7d7aa574f55b9cc402e3c1125c6177a0887b272c44614d890269253da529937b53ca6b28d591e707
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
- Executes dropped EXE (1 IoC)
  pid | process
  3728 | AdobeUpdate.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" | b6f8b8e822b6ec9b94a32c47fef924618bb392b3bbba37b28b5352ce98080c79.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 2656 | b6f8b8e822b6ec9b94a32c47fef924618bb392b3bbba37b28b5352ce98080c79.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | target process
  PID 2656 wrote to memory of 3728 | 2656 | b6f8b8e822b6ec9b94a32c47fef924618bb392b3bbba37b28b5352ce98080c79.exe | AdobeUpdate.exe
  PID 2656 wrote to memory of 3728 | 2656 | b6f8b8e822b6ec9b94a32c47fef924618bb392b3bbba37b28b5352ce98080c79.exe | AdobeUpdate.exe
  PID 2656 wrote to memory of 3728 | 2656 | b6f8b8e822b6ec9b94a32c47fef924618bb392b3bbba37b28b5352ce98080c79.exe | AdobeUpdate.exe
  PID 2656 wrote to memory of 3584 | 2656 | b6f8b8e822b6ec9b94a32c47fef924618bb392b3bbba37b28b5352ce98080c79.exe | cmd.exe
  PID 2656 wrote to memory of 3584 | 2656 | b6f8b8e822b6ec9b94a32c47fef924618bb392b3bbba37b28b5352ce98080c79.exe | cmd.exe
  PID 2656 wrote to memory of 3584 | 2656 | b6f8b8e822b6ec9b94a32c47fef924618bb392b3bbba37b28b5352ce98080c79.exe | cmd.exe
  PID 3584 wrote to memory of 1588 | 3584 | cmd.exe | PING.EXE
  PID 3584 wrote to memory of 1588 | 3584 | cmd.exe | PING.EXE
  PID 3584 wrote to memory of 1588 | 3584 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\b6f8b8e822b6ec9b94a32c47fef924618bb392b3bbba37b28b5352ce98080c79.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b6f8b8e822b6ec9b94a32c47fef924618bb392b3bbba37b28b5352ce98080c79.exe"
  PID: 2656
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    PID: 3728
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\b6f8b8e822b6ec9b94a32c47fef924618bb392b3bbba37b28b5352ce98080c79.exe"
    PID: 3584
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      PID: 1588
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 07b95d45c7caec9e3025f891e4a7eca9
- SHA1: 8c560deb5b2a667f3e782e660b6e4a09bf72868d
- SHA256: f2f0e2b3ad723c6403c80eab2645e58ed337d56ab2f5879d98e8c7bdc16e0871
- SHA512: d95e72986cec2fae2c0da523726dab86a23f2336c7e3aa7c2ab7e839c66f6f25b3ec8797afb9e82fe863b9a9657af8b6f74241295ec6d22b6b3e0caaef655683