Analysis
- max time kernel: 120s
- max time network: 130s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 31-01-2022 00:44
Static task: static1
Behavioral task: behavioral1
- Sample: 9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe
- Resource: win10-en-20211208
General
- Target: 9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe
- Size: 92KB
- MD5: 0f218e73da96af2939e75ebea7c958dc
- SHA1: a20645513c85b2f8381b45245e58963698baf39b
- SHA256: 9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3
- SHA512: b3b57777849f7df472cc44b00dad8cdaef9354e9a5316a2c4de5d6972d5077e6faac0902b89284e3873d64c9dde5616ba15a556baeedfe53bbd0e41ee9858dee
Malware Config
Signatures
- Sakula Payload (6 IoCs)
  resource / yara_rule:
  \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe  family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe  family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe    family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe    family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe    family_sakula
- Executes dropped EXE (1 IoC)
  pid / process: 1456 AdobeUpdate.exe
- Deletes itself (1 IoC)
  pid / process: 1652 cmd.exe
- Loads dropped DLL (4 IoCs)
  pid / process:
  1616 9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe
  1456 AdobeUpdate.exe
  1456 AdobeUpdate.exe
  1456 AdobeUpdate.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / process:
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe"  9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's canned description labels this "likely ransomware behaviour"; that wording is a generic heuristic attached to the TTP, not a verdict on this sample, whose dropped payload matches the family_sakula rule above rather than any ransomware signature.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description / pid / process:
  Token: SeIncBasePriorityPrivilege  1616  9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  pid / process → target pid / target process:
  PID 1616 9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe wrote to memory of PID 1456 AdobeUpdate.exe  (7 events)
  PID 1616 9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe wrote to memory of PID 1652 cmd.exe  (4 events)
  PID 1652 cmd.exe wrote to memory of PID 1140 PING.EXE  (4 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1616
   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
      - Executes dropped EXE
      - Loads dropped DLL
      PID: 1456
   2. C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1652
      3. C:\Windows\SysWOW64\PING.EXE
         command line: ping 127.0.0.1
         - Runs ping.exe
         PID: 1140
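The process tree above records the two behaviours a detection engineer would want to catch generically rather than by hash: the "cmd /c ping 127.0.0.1 & del" chain that removes the original executable after it has dropped AdobeUpdate.exe, and a Run key whose value points into a user-writable Temp directory. The following is an added example, not code from the sandbox report or from the sample; it runs the two checks over constructed event records that mirror the page's PIDs and paths. The record field names (image, command_line, parent_image, target_object, details) are an assumption modelled on Sysmon Event ID 1 and 13 and not any product's real schema, the explorer.exe parent of PID 1616 is assumed, and the two benign control events (PID 2001 and 3000) are invented to show the rules do not fire on a plain cleanup or a Program Files autostart.

```python
"""Detection logic for the behaviours recorded in the sandbox report above.

Added example; not part of the original report or of the sample. Event records
are constructed to mirror the page's process tree and Run-key write. Field names
are an assumption modelled on Sysmon Event ID 1 / 13, and the benign control
events are invented.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:          # assumed shape, modelled on Sysmon Event ID 1
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


@dataclass(frozen=True)
class RegistryEvent:         # assumed shape, modelled on Sysmon Event ID 13
    pid: int
    image: str
    target_object: str
    details: str


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    pid: int
    detail: str


# "cmd /c ping 127.0.0.1 & del <path>": ping acts as a sleep so cmd.exe outlives the
# parent before deleting the file. The captured group is the path being deleted.
PING_DEL_RE = re.compile(
    r'\bcmd(?:\.exe)?"?\s+/c\s+ping\s+(?:127\.0\.0\.1|localhost)\b[^&]*&\s*del\s+'
    r'(?:/[a-z]\s+)*(?:"([^"]+)"|(\S+))',
    re.IGNORECASE,
)
# Any Run / RunOnce key, HKLM or HKCU, native or Wow6432Node view.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# Directories an unprivileged user can write to; autostart data pointing here is suspect.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Local|Roaming)\\", re.IGNORECASE)


def find_ping_del_chains(events):
    """Flag ping-then-del chains; escalate when the deleted file is the parent's own image."""
    findings = []
    for ev in events:
        m = PING_DEL_RE.search(ev.command_line)
        if not m:
            continue
        target = (m.group(1) or m.group(2)).strip().lower()
        if target == ev.parent_image.lower():
            findings.append(Finding("self-delete-via-ping", "high", ev.pid,
                                    f"parent pid {ev.parent_pid} deletes its own image {target}"))
        else:
            findings.append(Finding("ping-del-chain", "low", ev.pid, f"deletes {target}"))
    return findings


def find_user_writable_autostarts(reg_events):
    """Flag Run-key values whose data points into a user-writable directory."""
    return [
        Finding("run-key-user-writable", "high", ev.pid, f"{ev.target_object} = {ev.details}")
        for ev in reg_events
        if RUN_KEY_RE.search(ev.target_object) and USER_WRITABLE_RE.search(ev.details)
    ]


def analyse(process_events, registry_events):
    return find_ping_del_chains(process_events) + find_user_writable_autostarts(registry_events)


# Constructed records. PIDs 1616/1456/1652/1140 and their paths are the report's;
# the explorer.exe parent and the control events 2001 and 3000 are assumed.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe"
PROCESS_EVENTS = [
    ProcessEvent(1616, SAMPLE, '"' + SAMPLE + '"', 1000, r"C:\Windows\explorer.exe"),
    ProcessEvent(1456, DROPPED, DROPPED, 1616, SAMPLE),
    ProcessEvent(1652, r"C:\Windows\SysWOW64\cmd.exe",
                 r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE + '"',
                 1616, SAMPLE),
    ProcessEvent(1140, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1", 1652, r"C:\Windows\SysWOW64\cmd.exe"),
    ProcessEvent(2001, r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c ping 127.0.0.1 & del /q "C:\Temp\old.log"', 1999, r"C:\Windows\explorer.exe"),
]
REGISTRY_EVENTS = [
    RegistryEvent(1616, SAMPLE,
                  r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate",
                  DROPPED),
    RegistryEvent(3000, r"C:\Program Files\Vendor\setup.exe",
                  r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
                  r"C:\Program Files\Vendor\tray.exe"),
]

if __name__ == "__main__":
    for f in analyse(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(f"[{f.severity}] {f.rule} pid={f.pid}: {f.detail}")
```

The severity split is the point of the parent-image check: a ping-then-del chain on its own is a common cleanup idiom, but when the path being deleted equals the parent's own image, as for PID 1652 here, it is the self-deletion the report tags as "Deletes itself". The Run-key rule deliberately ignores the hive and the Wow6432Node redirection and keys only on where the value data points, so it fires on the AppData\Local\Temp path regardless of which registry view the 32-bit sample wrote through.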
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 93b8c2fe509087d9b4482bb10326eb6f
  SHA1: 5bd9f0f382de51313245fba57fb7d3dd9e11b4f0
  SHA256: a031236e6a3d8517297d3075405596ac539d6a592b8578ad4c8de0b7cec56837
  SHA512: ca39c2cd8a3183a8c2d6bf1727444f36dd414f246f99b00e664ef3d2f87c71cdc1db2832c686ad2a200d4cb342f242f9dde12e9424fd4b25e1e9163a69b141a9
  (the report lists this same file six times)