Analysis
max time kernel: 119s
max time network: 152s
platform: windows10_x64
resource: win10-en-20211208
submitted: 31-01-2022 00:01
Static task: static1
Behavioral task: behavioral1
  Sample: af6d9de3a710432fa43cfbd99a24de2ce4716aaa9763edd3e773e4c969f6fe4e.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: af6d9de3a710432fa43cfbd99a24de2ce4716aaa9763edd3e773e4c969f6fe4e.exe
  Resource: win10-en-20211208
General
Target: af6d9de3a710432fa43cfbd99a24de2ce4716aaa9763edd3e773e4c969f6fe4e.exe
Size: 92KB
MD5: 2f23af251b8535e24614c11d706197c3
SHA1: 5cf70dd003cb478ce983abb4d6662894048c0164
SHA256: af6d9de3a710432fa43cfbd99a24de2ce4716aaa9763edd3e773e4c969f6fe4e
SHA512: 804df86acc785bc4b5244e7d59479702134a1f0af2284d07948ab5cee6b87b922087921c58f0b8906f2e584455cf1f71f37e657779120f4480b14da242d501da
Malware Config
Signatures
Sakula Payload (2 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
Executes dropped EXE (1 IoC)
  Processes: AdobeUpdate.exe
  pid | process
  572 | AdobeUpdate.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: af6d9de3a710432fa43cfbd99a24de2ce4716aaa9763edd3e773e4c969f6fe4e.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" | af6d9de3a710432fa43cfbd99a24de2ce4716aaa9763edd3e773e4c969f6fe4e.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: af6d9de3a710432fa43cfbd99a24de2ce4716aaa9763edd3e773e4c969f6fe4e.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 3296 | af6d9de3a710432fa43cfbd99a24de2ce4716aaa9763edd3e773e4c969f6fe4e.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: af6d9de3a710432fa43cfbd99a24de2ce4716aaa9763edd3e773e4c969f6fe4e.exe, cmd.exe
  description | pid | process | target process
  PID 3296 wrote to memory of 572 | 3296 | af6d9de3a710432fa43cfbd99a24de2ce4716aaa9763edd3e773e4c969f6fe4e.exe | AdobeUpdate.exe
  PID 3296 wrote to memory of 572 | 3296 | af6d9de3a710432fa43cfbd99a24de2ce4716aaa9763edd3e773e4c969f6fe4e.exe | AdobeUpdate.exe
  PID 3296 wrote to memory of 572 | 3296 | af6d9de3a710432fa43cfbd99a24de2ce4716aaa9763edd3e773e4c969f6fe4e.exe | AdobeUpdate.exe
  PID 3296 wrote to memory of 788 | 3296 | af6d9de3a710432fa43cfbd99a24de2ce4716aaa9763edd3e773e4c969f6fe4e.exe | cmd.exe
  PID 3296 wrote to memory of 788 | 3296 | af6d9de3a710432fa43cfbd99a24de2ce4716aaa9763edd3e773e4c969f6fe4e.exe | cmd.exe
  PID 3296 wrote to memory of 788 | 3296 | af6d9de3a710432fa43cfbd99a24de2ce4716aaa9763edd3e773e4c969f6fe4e.exe | cmd.exe
  PID 788 wrote to memory of 1788 | 788 | cmd.exe | PING.EXE
  PID 788 wrote to memory of 1788 | 788 | cmd.exe | PING.EXE
  PID 788 wrote to memory of 1788 | 788 | cmd.exe | PING.EXE
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\af6d9de3a710432fa43cfbd99a24de2ce4716aaa9763edd3e773e4c969f6fe4e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\af6d9de3a710432fa43cfbd99a24de2ce4716aaa9763edd3e773e4c969f6fe4e.exe"
  PID: 3296
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    PID: 572
    - Executes dropped EXE
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\af6d9de3a710432fa43cfbd99a24de2ce4716aaa9763edd3e773e4c969f6fe4e.exe"
    PID: 788
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1788
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 02dd9fdbd01d26743fd9cae04676362e
SHA1: c53707aea8c2dd9aa98bd415321ab2b940b2695d
SHA256: c66d495dfd2372fbb9127984d7836167f0782d5342abbe069527e8630dfa7e42
SHA512: 8058a68cb8a82e37c9558dfe919a133f739f257921e9a31a3af17b10537706b18565e21c4de5156892e7c416611f4db69efbf34ea3fedb72a6a3b51bca70119c