Analysis
- max time kernel: 117s
- max time network: 129s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 30-01-2022 13:55
Static task: static1
Behavioral task: behavioral1
- Sample: 7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe
- Resource: win10-en-20211208
General
- Target: 7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe
- Size: 92KB
- MD5: 80eb86542ce7ad99acc53a9f85b01885
- SHA1: bd89cd830863d02164c0d1d42f76b7a8d4c523fd
- SHA256: 7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e
- SHA512: fcb0f9a0790a705fd6f2bb7742650684634c7b4b2624d87aaf62f207d67fcd03ebea366bb3db04b89137da4936a5d6054abea56390d0f255b42ca9671ed99411
Malware Config
Signatures
- Sakula Payload (6 IoCs)
  Processes (resource / yara_rule):
  \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe / family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe / family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe / family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe / family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe / family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe / family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  1696 / AdobeUpdate.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
  240 / cmd.exe
- Loads dropped DLL (4 IoCs)
  Processes (pid / process):
  1504 / 7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe
  1696 / AdobeUpdate.exe
  1696 / AdobeUpdate.exe
  1696 / AdobeUpdate.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" / 7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  Token: SeIncBasePriorityPrivilege / 1504 / 7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description / pid / process / target process):
  PID 1504 wrote to memory of 1696 / 1504 / 7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe / AdobeUpdate.exe (7 times)
  PID 1504 wrote to memory of 240 / 1504 / 7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe / cmd.exe (4 times)
  PID 240 wrote to memory of 2032 / 240 / cmd.exe / PING.EXE (4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1504
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1696
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 240
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2032
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 9d0f7110b43a6e18bc877aca54587ce3
  SHA1: 043a3c621c746ca3012aa14aab96af39c7dfa0ee
  SHA256: 34e5ff7d43150f67e41b058560e4e74ff76396e45768447c0f6673127df083c7
  SHA512: 409eaeeee8095eb66b85877006dadff4d80bbdcf9eead3a9094ebfde610626a2b96f7488d4ebc6c44744d1032a54e24ad371ad1f692492bfa7287569756b1fa4