Analysis
-
max time kernel
160s -
max time network
168s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
31-01-2022 00:40
Static task
static1
Behavioral task
behavioral1
Sample
e6a9c9c5d3786c4fea54121ee5b6bd5fe0da555e8aaaf7f327870fbd7279c742.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
e6a9c9c5d3786c4fea54121ee5b6bd5fe0da555e8aaaf7f327870fbd7279c742.exe
Resource
win10-en-20211208
General
-
Target
e6a9c9c5d3786c4fea54121ee5b6bd5fe0da555e8aaaf7f327870fbd7279c742.exe
-
Size
92KB
-
MD5
1077a39788e88dbf07c0b6ef3f143fd4
-
SHA1
3c334b391a955e6c59c66a991475c96807233b9c
-
SHA256
e6a9c9c5d3786c4fea54121ee5b6bd5fe0da555e8aaaf7f327870fbd7279c742
-
SHA512
c5a57b3fb5461659f4fe078512681e445a45869d13b9a472f0dd6118e7fa893824c56af6790535eb1828a29be8b6042ac99ca3c19306ace295351b2fc9b7df1a
Malware Config
Signatures
-
Sakula Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe family_sakula C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe family_sakula -
Executes dropped EXE 1 IoCs
Processes:
AdobeUpdate.exepid process 3644 AdobeUpdate.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
e6a9c9c5d3786c4fea54121ee5b6bd5fe0da555e8aaaf7f327870fbd7279c742.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" e6a9c9c5d3786c4fea54121ee5b6bd5fe0da555e8aaaf7f327870fbd7279c742.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
e6a9c9c5d3786c4fea54121ee5b6bd5fe0da555e8aaaf7f327870fbd7279c742.exedescription pid process Token: SeIncBasePriorityPrivilege 3440 e6a9c9c5d3786c4fea54121ee5b6bd5fe0da555e8aaaf7f327870fbd7279c742.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
e6a9c9c5d3786c4fea54121ee5b6bd5fe0da555e8aaaf7f327870fbd7279c742.execmd.exedescription pid process target process PID 3440 wrote to memory of 3644 3440 e6a9c9c5d3786c4fea54121ee5b6bd5fe0da555e8aaaf7f327870fbd7279c742.exe AdobeUpdate.exe PID 3440 wrote to memory of 3644 3440 e6a9c9c5d3786c4fea54121ee5b6bd5fe0da555e8aaaf7f327870fbd7279c742.exe AdobeUpdate.exe PID 3440 wrote to memory of 3644 3440 e6a9c9c5d3786c4fea54121ee5b6bd5fe0da555e8aaaf7f327870fbd7279c742.exe AdobeUpdate.exe PID 3440 wrote to memory of 4212 3440 e6a9c9c5d3786c4fea54121ee5b6bd5fe0da555e8aaaf7f327870fbd7279c742.exe cmd.exe PID 3440 wrote to memory of 4212 3440 e6a9c9c5d3786c4fea54121ee5b6bd5fe0da555e8aaaf7f327870fbd7279c742.exe cmd.exe PID 3440 wrote to memory of 4212 3440 e6a9c9c5d3786c4fea54121ee5b6bd5fe0da555e8aaaf7f327870fbd7279c742.exe cmd.exe PID 4212 wrote to memory of 4164 4212 cmd.exe PING.EXE PID 4212 wrote to memory of 4164 4212 cmd.exe PING.EXE PID 4212 wrote to memory of 4164 4212 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\e6a9c9c5d3786c4fea54121ee5b6bd5fe0da555e8aaaf7f327870fbd7279c742.exe"C:\Users\Admin\AppData\Local\Temp\e6a9c9c5d3786c4fea54121ee5b6bd5fe0da555e8aaaf7f327870fbd7279c742.exe"1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3440 -
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exeC:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe2⤵
- Executes dropped EXE
PID:3644 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\e6a9c9c5d3786c4fea54121ee5b6bd5fe0da555e8aaaf7f327870fbd7279c742.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
PID:4164
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
5827d57c506a943c4b4011209af40371
SHA11d22e4d82251a853efe7765258922c9ecceb8602
SHA256b76dbe7c0700ba5bc17a6f2a210d93e72a37e439f425b9b8edcd73ce7b28c093
SHA5121539c68ed57bd71d9af11df68b86161c0d615b492179bd4e711dfa72dbd0fb3eb4d2a108f047a653403bd715ae0f41af859f83bbd5e1b6824e232d34dab4931a
-
MD5
5827d57c506a943c4b4011209af40371
SHA11d22e4d82251a853efe7765258922c9ecceb8602
SHA256b76dbe7c0700ba5bc17a6f2a210d93e72a37e439f425b9b8edcd73ce7b28c093
SHA5121539c68ed57bd71d9af11df68b86161c0d615b492179bd4e711dfa72dbd0fb3eb4d2a108f047a653403bd715ae0f41af859f83bbd5e1b6824e232d34dab4931a