Analysis
- max time kernel: 129s
- max time network: 144s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30-01-2022 13:55

Static task: static1

Behavioral task: behavioral1
- Sample: 7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe
- Resource: win10-en-20211208
General
- Target: 7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe
- Size: 92KB
- MD5: 80eb86542ce7ad99acc53a9f85b01885
- SHA1: bd89cd830863d02164c0d1d42f76b7a8d4c523fd
- SHA256: 7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e
- SHA512: fcb0f9a0790a705fd6f2bb7742650684634c7b4b2624d87aaf62f207d67fcd03ebea366bb3db04b89137da4936a5d6054abea56390d0f255b42ca9671ed99411
Malware Config
Signatures
-
Sakula Payload (2 IoCs)
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe   yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe   yara_rule: family_sakula
-
Executes dropped EXE (1 IoC)
Processes:
  pid: 3452   process: AdobeUpdate.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe"
  process: 7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe
The value lands under the WOW6432Node view because the sample is a 32-bit image running on 64-bit Windows: WOW64 redirects its write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, just as file-system redirection resolves the "C:\Windows\System32\cmd.exe" it launches to C:\Windows\SysWOW64\cmd.exe in the process tree below. When hunting for this persistence on a 64-bit host, query both the native and the WOW6432Node Run keys.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(This is the sandbox's generic description for this signature. Nothing else in this report, neither the process tree nor the registry activity, shows file encryption, and the dropped payload is YARA-matched as Sakula above, so the drive enumeration should be read as reconnaissance by that payload rather than as evidence of ransomware.)
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeIncBasePriorityPrivilege   pid: 2640   process: 7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description: PID 2640 wrote to memory of 3452   process: 7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe   target process: AdobeUpdate.exe   (3 entries)
  description: PID 2640 wrote to memory of 3284   process: 7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe   target process: cmd.exe   (3 entries)
  description: PID 3284 wrote to memory of 4056   process: cmd.exe   target process: PING.EXE   (3 entries)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe"
   PID: 2640
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
      PID: 3452
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe"
      PID: 3284
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         command line: ping 127.0.0.1
         PID: 4056
         - Runs ping.exe
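The process tree and the Run-key signature above describe three behaviours worth detecting on an endpoint: a Run value that points into a user-writable directory, an EXE under that directory started by a parent that also lives there, and a cmd.exe "ping 127.0.0.1 & del" chain in which the ping is only a delay so that the dropper can delete its own image after it exits. The rules below are an added example, not part of the sandbox report or of any vendor's product. The event records are constructed: the PIDs, image paths, command lines and registry key are copied from this report, while the ppid 1000 parent, the two benign control events, the list of user-writable directories (AppData\Local\Temp, AppData\Roaming, Users\Public) and the rule names are this example's own assumptions.

```python
"""Detection rules for the three behaviours recorded in this report (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # resolved image path as the sandbox logs it
    cmdline: str   # raw command line


@dataclass(frozen=True)
class RegEvent:
    pid: int
    key: str       # key path; the value name is kept separate (the report fuses them)
    value: str
    data: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7f83769b44c52df97a30633b8b7fca359b6fdb5c1fc8c74ae1da7d5040cb5f7e.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe"

# Constructed telemetry: PIDs, images and command lines come from the report's
# process tree; the ppid 1000 parent and the two benign control events are
# assumptions so the rules have something they must NOT fire on.
PROC_EVENTS: List[ProcEvent] = [
    ProcEvent(2640, 1000, SAMPLE, '"%s"' % SAMPLE),
    ProcEvent(3452, 2640, DROPPED, DROPPED),
    ProcEvent(3284, 2640, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "%s"' % SAMPLE),
    ProcEvent(4056, 3284, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    ProcEvent(5000, 1000, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1'),   # benign control: ping, no del
]
REG_EVENTS: List[RegEvent] = [
    RegEvent(2640, r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
             "AdobeUpdate", DROPPED),
    RegEvent(1000, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
             "Updater", r"C:\Program Files\Vendor\Updater.exe"),     # benign control (assumed)
]

# Assumed list of user-writable locations; tune for the estate being monitored.
USER_WRITABLE = re.compile(r"\\appdata\\local\\temp\\|\\appdata\\roaming\\|\\users\\public\\")
# Matches Run/RunOnce under either the native or the WOW6432Node view.
RUN_KEY = re.compile(r"\\currentversion\\run(?:once)?$", re.I)
PING = re.compile(r"\bping(?:\.exe)?\b", re.I)
# "del [/switches] <target>" up to the next "&" or end of line; captures the target path.
DEL_TARGET = re.compile(r'\bdel\b(?:\s+/[a-z])*\s+"?([^"&]+?)"?\s*(?:&|$)', re.I)


def norm_path(p: str) -> str:
    """Lower-case and strip quotes/whitespace so paths from different sources compare equal."""
    return p.strip().strip('"').strip().lower()


def in_user_writable(p: str) -> bool:
    return USER_WRITABLE.search(norm_path(p)) is not None


def detect(procs: List[ProcEvent], regs: List[RegEvent]) -> List[Finding]:
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in procs}
    out: List[Finding] = []
    for e in procs:
        parent: Optional[ProcEvent] = by_pid.get(e.ppid)
        # Rule 1: "ping <host> & del <file>": ping is the delay, del the cleanup.
        # Flag it whenever both appear; record whether the target is the parent's own image.
        m = DEL_TARGET.search(e.cmdline)
        if m and PING.search(e.cmdline):
            target = norm_path(m.group(1))
            deletes_parent = parent is not None and norm_path(parent.image) == target
            out.append(Finding("delete_after_ping_delay", e.pid,
                               f"target={target} deletes_parent={deletes_parent}"))
        # Rule 2: an .exe in a user-writable directory launched by a parent that also lives there.
        if (parent is not None and norm_path(e.image).endswith(".exe")
                and in_user_writable(e.image) and in_user_writable(parent.image)):
            out.append(Finding("dropped_exe_executed", e.pid,
                               f"{norm_path(e.image)} spawned by {norm_path(parent.image)}"))
    for r in regs:
        # Rule 3: Run/RunOnce value whose data points into a user-writable directory.
        if RUN_KEY.search(r.key.rstrip("\\")) and in_user_writable(r.data):
            out.append(Finding("run_key_points_to_user_writable_path", r.pid,
                               f"{r.value} -> {norm_path(r.data)}"))
    return out


if __name__ == "__main__":
    for f in detect(PROC_EVENTS, REG_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Run against the constructed events, the three rules fire exactly once each (PIDs 3284, 3452 and 2640) and stay silent on the two benign controls. The self-delete rule deliberately matches on the "ping ... & del" pair rather than on ping alone, since a bare ping to 127.0.0.1 (PID 4056 here) is common in scripts; the `deletes_parent` flag is what separates a dropper cleaning up after itself from an installer deleting a temporary file.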
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 468f6e80d39e3efc53faffeadaac7700
- SHA1: 4fd2e6cb472c9ec3f186e890e647ed4533a61dc9
- SHA256: 1e48adc3cbf0daac957f5187b371419c17d32872272785d0948a608a22c00069
- SHA512: 6e179c66d46b082d8c7da6b954281f09ec3a9b378b7a18ea81b05a70c5a67943a7d4e0e7ec4cb072d876ec37da6dace7e09ddc55a376622991727aff73b5e0ee