Analysis
max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-en-20211208
submitted: 31-01-2022 00:01
Static task: static1
Behavioral task: behavioral1
  Sample: af6d9de3a710432fa43cfbd99a24de2ce4716aaa9763edd3e773e4c969f6fe4e.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: af6d9de3a710432fa43cfbd99a24de2ce4716aaa9763edd3e773e4c969f6fe4e.exe
  Resource: win10-en-20211208
General
Target: af6d9de3a710432fa43cfbd99a24de2ce4716aaa9763edd3e773e4c969f6fe4e.exe
Size: 92KB
MD5: 2f23af251b8535e24614c11d706197c3
SHA1: 5cf70dd003cb478ce983abb4d6662894048c0164
SHA256: af6d9de3a710432fa43cfbd99a24de2ce4716aaa9763edd3e773e4c969f6fe4e
SHA512: 804df86acc785bc4b5244e7d59479702134a1f0af2284d07948ab5cee6b87b922087921c58f0b8906f2e584455cf1f71f37e657779120f4480b14da242d501da
Malware Config
Signatures
Sakula Payload (6 IoCs)
resource                                                        yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe      family_sakula (4 hits)
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe    family_sakula (2 hits)
Executes dropped EXE (1 IoC)
pid    process
1896   AdobeUpdate.exe
Deletes itself (1 IoC)
pid    process
1164   cmd.exe
Loads dropped DLL (4 IoCs)
pid    process
880    af6d9de3a710432fa43cfbd99a24de2ce4716aaa9763edd3e773e4c969f6fe4e.exe
1896   AdobeUpdate.exe (3 hits)
Adds Run key to start application (2 TTPs, 1 IoC)
description       ioc                                                                                                                                                  process
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe"   af6d9de3a710432fa43cfbd99a24de2ce4716aaa9763edd3e773e4c969f6fe4e.exe
This is the machine-wide HKLM Run key, seen through the 32-bit (Wow6432Node) registry view because the dropper is a 32-bit process on an x64 guest. The value points at the dropped payload under the user's Temp directory, so the backdoor is launched at every logon; writing HKLM requires the elevated rights the sandbox runs with.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but that is a generic heuristic: the sample matched the family_sakula YARA rule, and Sakula is a remote-access backdoor, so drive enumeration here is more plausibly host reconnaissance than preparation for encryption.
Runs ping.exe (1 TTP, 1 IoC)
ping 127.0.0.1 is not network activity of interest; cmd.exe runs it as a short delay so that the del that follows it executes after the dropper has exited and released its own file (see Processes below).
Suspicious use of AdjustPrivilegeToken (1 IoC)
token                        pid    process
SeIncBasePriorityPrivilege   880    af6d9de3a710432fa43cfbd99a24de2ce4716aaa9763edd3e773e4c969f6fe4e.exe
Suspicious use of WriteProcessMemory (15 IoCs)
pid    process                                                                  target pid   target process     count
880    af6d9de3a710432fa43cfbd99a24de2ce4716aaa9763edd3e773e4c969f6fe4e.exe    1896         AdobeUpdate.exe    7
880    af6d9de3a710432fa43cfbd99a24de2ce4716aaa9763edd3e773e4c969f6fe4e.exe    1164         cmd.exe            4
1164   cmd.exe                                                                  1628         PING.EXE           4
Every write goes from a parent into a child it has just created (880 -> 1896, 880 -> 1164, 1164 -> 1628). That is consistent with ordinary process creation, where the parent's CreateProcess call writes into the child it is setting up and an API hook logs it as WriteProcessMemory; the log shows no write into an unrelated, already-running process, so this signature is not by itself evidence of injection.
Processes
C:\Users\Admin\AppData\Local\Temp\af6d9de3a710432fa43cfbd99a24de2ce4716aaa9763edd3e773e4c969f6fe4e.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\af6d9de3a710432fa43cfbd99a24de2ce4716aaa9763edd3e773e4c969f6fe4e.exe"
  PID: 880
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
      PID: 1896
      - Executes dropped EXE
      - Loads dropped DLL
  └ C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\af6d9de3a710432fa43cfbd99a24de2ce4716aaa9763edd3e773e4c969f6fe4e.exe"
      PID: 1164
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      └ C:\Windows\SysWOW64\PING.EXE
          command line: ping 127.0.0.1
          PID: 1628
          - Runs ping.exe
The dropper (880) writes AdobeUpdate.exe to a MicroMedia subdirectory of Temp, starts it, registers it in the Run key, and then removes its own file through the classic ping-then-del one-liner: cmd.exe waits on ping 127.0.0.1 so the dropper has exited by the time del runs. The command line names System32\cmd.exe but the image that runs is SysWOW64\cmd.exe, because WoW64 file system redirection applies to the 32-bit dropper's CreateProcess call.
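Two of the behaviours in the tree above are easy to turn into host-based detections: a cmd.exe command line that chains a delay (ping to loopback, or timeout) into a del, with the deleted path being the parent's own image, and a Run-key value that points into a user-writable location such as AppData\Local\Temp. The Python below is an added example, not part of the sandbox report or of any vendor's code. Its events are constructed in a Sysmon-like shape (EventID 1 for process creation, EventID 13 for a registry value set) to mirror the PIDs, paths and command lines in the report, with two benign control records appended; the rule names, field names and the regular expressions are my own assumptions.

```python
import re

# Constructed events mirroring the report above (not real telemetry).
# EventID 1 = process creation, EventID 13 = registry value set.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\af6d9de3a710432fa43cfbd99a24de2ce4716aaa9763edd3e773e4c969f6fe4e.exe")
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe"

EVENTS = [
    {"EventID": 1, "ProcessId": 880, "ParentProcessId": 500,
     "Image": DROPPER, "CommandLine": f'"{DROPPER}"'},
    {"EventID": 13, "ProcessId": 880, "Image": DROPPER,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate",
     "Details": PAYLOAD},
    {"EventID": 1, "ProcessId": 1896, "ParentProcessId": 880,
     "Image": PAYLOAD, "CommandLine": PAYLOAD},
    {"EventID": 1, "ProcessId": 1164, "ParentProcessId": 880,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{DROPPER}"'},
    {"EventID": 1, "ProcessId": 1628, "ParentProcessId": 1164,
     "Image": r"C:\Windows\SysWOW64\PING.EXE", "CommandLine": "ping 127.0.0.1"},
    # Benign controls (constructed): an ordinary ping, and a Run value in Program Files.
    {"EventID": 1, "ProcessId": 2000, "ParentProcessId": 500,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c ping 10.0.0.1"},
    {"EventID": 13, "ProcessId": 2001, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]

# "<delay> & del [/flags] <path>" chained in one command line. The delay only
# exists to outlive the parent so that its file can be deleted.
SELF_DELETE_RE = re.compile(
    r'\b(?:ping|timeout)\b[^&|]*(?:&&?|\|\|?)\s*(?:del|erase)\s+(?:/\w+\s+)*"?(?P<target>[^"]+?)"?\s*$',
    re.IGNORECASE,
)
# Any Run / RunOnce key, in either the native or the Wow6432Node view.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# Locations an unprivileged user can write to; a Run value pointing here is suspect.
USER_WRITABLE_RE = re.compile(
    r"\\AppData\\(?:Local|Roaming)\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\",
    re.IGNORECASE,
)


def self_delete_target(command_line):
    """Return the path a ping/timeout-then-del one-liner deletes, or None."""
    m = SELF_DELETE_RE.search(command_line)
    return m.group("target").strip() if m else None


def detect(events):
    """Run both rules over the event list and return a list of findings."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] == 1:
            target = self_delete_target(e.get("CommandLine", ""))
            if target is None:
                continue
            # Tie the deleted path back to the parent's image: the strongest signal.
            parent = by_pid.get(e.get("ParentProcessId"))
            deletes_parent = parent is not None and parent["Image"].lower() == target.lower()
            findings.append({
                "rule": "self_delete_of_parent" if deletes_parent else "delayed_delete_via_cmd",
                "pid": e["ProcessId"],
                "evidence": target,
            })
        elif e["EventID"] == 13:
            if not RUN_KEY_RE.search(e.get("TargetObject", "")):
                continue
            value = e.get("Details", "").strip().strip('"')
            if USER_WRITABLE_RE.search(value):
                findings.append({
                    "rule": "run_key_user_writable",
                    "pid": e["ProcessId"],
                    "evidence": f'{e["TargetObject"]} = {value}',
                })
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f'{f["rule"]:24} pid={f["pid"]:<6} {f["evidence"]}')
```

The parent lookup is what separates a real self-delete from a script that merely cleans up a temp file: the report's cmd.exe (1164) deletes the image of its own parent (880), which is the shape to alert on with high confidence, while a del of some other path is only worth a lower-severity note. On the Run-key side the rule keys off the target path rather than the value name, since "AdobeUpdate" is chosen precisely to look legitimate.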
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: a00d8bb6384f76ddf025dc956a22c60d
SHA1: d2590c11e0cd93b72037fc9bac1a84b5d6086fb9
SHA256: 536dd57bc62de24e4cacfe33a5b9de22955827eb9050635c6700ad8254528c1c
SHA512: 70d3cd6783f3711041c54c4d5ad4df36c6684bc63ad65b19c1dc7c52bf22e671b2eb5206ae7049f74997821a2c889664d7f3f60e8ff7a9fc0c6b57184985e466