Analysis
- max time kernel: 137s
- max time network: 145s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 31-01-2022 00:44
Static task: static1
Behavioral task: behavioral1
  Sample: 9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe
  Resource: win10-en-20211208
General
- Target: 9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe
- Size: 92KB
- MD5: 0f218e73da96af2939e75ebea7c958dc
- SHA1: a20645513c85b2f8381b45245e58963698baf39b
- SHA256: 9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3
- SHA512: b3b57777849f7df472cc44b00dad8cdaef9354e9a5316a2c4de5d6972d5077e6faac0902b89284e3873d64c9dde5616ba15a556baeedfe53bbd0e41ee9858dee
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource | yara_rule):
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
    3092 | AdobeUpdate.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" | 9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
    Token: SeIncBasePriorityPrivilege | 528 | 9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
    PID 528 wrote to memory of 3092 | 528 | 9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe | AdobeUpdate.exe
    PID 528 wrote to memory of 3092 | 528 | 9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe | AdobeUpdate.exe
    PID 528 wrote to memory of 3092 | 528 | 9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe | AdobeUpdate.exe
    PID 528 wrote to memory of 832 | 528 | 9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe | cmd.exe
    PID 528 wrote to memory of 832 | 528 | 9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe | cmd.exe
    PID 528 wrote to memory of 832 | 528 | 9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe | cmd.exe
    PID 832 wrote to memory of 2112 | 832 | cmd.exe | PING.EXE
    PID 832 wrote to memory of 2112 | 832 | cmd.exe | PING.EXE
    PID 832 wrote to memory of 2112 | 832 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 528
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    - Executes dropped EXE
    PID: 3092
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\9723119a19a2fa3daa93d23ad98bb4c34e0747222a868648b2bfa392b3ad93f3.exe"
    - Suspicious use of WriteProcessMemory
    PID: 832
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 2112
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: b90f11eb6463c64a3161056affc8d8cd
  SHA1: 7fa033073721cfc1efac60c8aeae6025700b3a3f
  SHA256: 86b20b35be68ce380bac081f293a870818718c502c0a88d0e29cde67226627d1
  SHA512: bb9e7d665b82a847c4ded21a8b1a8c1c76e4c96d465976f8058adcba9f06b50f5f424a08ef48fbd72ec828e219f8003a5bf5e802fa40f5e9f15265b68337d3c3