Analysis

max time kernel: 122s
max time network: 141s
platform: windows10_x64
resource: win10-en-20211208
submitted: 31-01-2022 00:59

Static task: static1
Behavioral task: behavioral1
  Sample: 731ef5fc57a5669b09af844c8c401efe9aac51f88dea756d851e9908c63995b4.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 731ef5fc57a5669b09af844c8c401efe9aac51f88dea756d851e9908c63995b4.exe
  Resource: win10-en-20211208

(The platform and resource above identify this page as the behavioral2 run on windows10_x64.)
General

Target: 731ef5fc57a5669b09af844c8c401efe9aac51f88dea756d851e9908c63995b4.exe
Size: 92KB
MD5: 0a2c6265a65a25e9bef80f55cdd62229
SHA1: fbead56bcbc0a8a63b744ca37a98a6523945295e
SHA256: 731ef5fc57a5669b09af844c8c401efe9aac51f88dea756d851e9908c63995b4
SHA512: 70e6f2f75cb7e38bc774b40d3dcc92a11c8701014d0c2e0ff6260017562b0cbf62a0cff1897cf0731bc319caafff47dd1b5dfe19cac1bb6a201760902e973651
Malware Config
(none shown in this report)

Signatures

Sakula Payload (2 IoCs)
  YARA rule family_sakula matched twice on the dropped file:
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe

Executes dropped EXE (1 IoC)
  PID 3916  AdobeUpdate.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: the sample (PID 2508)
  Set value (str):
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe"
  Note: the value is written under HKLM (machine-wide; WOW6432Node because the sample is a 32-bit process on a 64-bit host), so in this run the sample had rights to write HKLM. The sandbox user is Admin; the report does not show what the sample does when that write is denied.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature adds "Likely ransomware behaviour"; nothing else in this report (no file encryption or mass file modification, and a YARA match for the Sakula family) supports that reading here.

Runs ping.exe (1 TTP, 1 IoC)
  PING.EXE (PID 2288) spawned by cmd.exe (PID 8): ping 127.0.0.1, used as a delay before the del command (see Processes).

Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 2508  the sample  Token: SeIncBasePriorityPrivilege

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2508 (sample)  wrote to memory of PID 3916 (AdobeUpdate.exe)  x3
  PID 2508 (sample)  wrote to memory of PID 8 (cmd.exe)  x3
  PID 8 (cmd.exe)    wrote to memory of PID 2288 (PING.EXE)  x3
  Note: every write is from a parent into a child it has just created, which is consistent with ordinary process creation (the parent populates the new child's startup data) rather than injection into an unrelated process. The report shows no cross-process writes outside the parent/child chain.
Processes

C:\Users\Admin\AppData\Local\Temp\731ef5fc57a5669b09af844c8c401efe9aac51f88dea756d851e9908c63995b4.exe   (PID 2508)
  command line: "C:\Users\Admin\AppData\Local\Temp\731ef5fc57a5669b09af844c8c401efe9aac51f88dea756d851e9908c63995b4.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe   (PID 3916)
  |     command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
  |     - Executes dropped EXE
  |
  +-- C:\Windows\SysWOW64\cmd.exe   (PID 8)
        command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\731ef5fc57a5669b09af844c8c401efe9aac51f88dea756d851e9908c63995b4.exe"
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\SysWOW64\PING.EXE   (PID 2288)
              command line: ping 127.0.0.1
              - Runs ping.exe

The cmd.exe line is the sample's self-delete: ping 127.0.0.1 stalls for a few seconds so the original executable has exited before del /q removes it, leaving only the persistence copy in MicroMedia\AdobeUpdate.exe. The command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe, the file-system redirection a 32-bit process gets on 64-bit Windows, matching the WOW6432Node Run key above.
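The two behaviours worth hunting for in endpoint telemetry are the Run key pointing into a user-writable staging directory and the "ping 127.0.0.1 & del" self-delete command line. The following is an added detection example, not part of the sandbox report or of any tool it uses: it runs three rules over constructed Sysmon-like events (the event shape, rule names and the benign look-alike entries are assumptions; the malicious entries mirror the registry write and command lines shown above). The Run-key rule matches on the \Microsoft\Windows\CurrentVersion\Run\ substring, so the WOW6432Node path in this report is covered without a separate pattern.

```python
import re

# Sample name and path as they appear in the report above.
SAMPLE = "731ef5fc57a5669b09af844c8c401efe9aac51f88dea756d851e9908c63995b4.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE

# Constructed events in a Sysmon-like shape (assumed format, not the sandbox's own).
# The first three mirror the registry write, the dropped-EXE launch and the cmd.exe
# command line from the report; the last two are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"type": "registry_set", "pid": 2508, "image": SAMPLE_PATH,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate",
     "value": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe"},
    {"type": "process_create", "pid": 3916, "parent_pid": 2508,
     "image": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe"},
    {"type": "process_create", "pid": 8, "parent_pid": 2508,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "' + SAMPLE_PATH + '"'},
    # Benign: an installer (constructed name) registering an agent from Program Files.
    {"type": "registry_set", "pid": 4100, "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "value": r"C:\Program Files\Vendor\agent.exe"},
    # Benign: a real connectivity check, no loopback, no del.
    {"type": "process_create", "pid": 4200, "parent_pid": 1234,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ping 10.0.0.1 -n 4"},
]

# Directories an unprivileged user can write to and malware commonly stages in.
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                "\\programdata\\", "\\users\\public\\")
# Substring shared by the HKLM, HKCU and WOW6432Node Run keys.
RUN_KEY = "\\microsoft\\windows\\currentversion\\run\\"

# "ping <loopback> ... & del|erase ..." with anything but another '&' between ping and the target.
SELF_DELETE = re.compile(
    r"\bping\b[^&]*\b(?:127\.0\.0\.1|localhost)\b[^&]*&+\s*(?:del|erase)\b", re.I)
# Pulls the deleted path out of "del [/switches] "path"" at the end of the line.
DEL_TARGET = re.compile(r'\b(?:del|erase)\b(?:\s+/\w+)*\s+"?([^"&]+?)"?\s*$', re.I)


def flag_run_key_persistence(ev):
    """Run key whose target lives in a user-writable staging directory."""
    if ev.get("type") != "registry_set":
        return None
    key, value = ev["key"].lower(), ev["value"].lower()
    if RUN_KEY in key and any(d in value for d in STAGING_DIRS):
        return {"rule": "run_key_to_staging_dir", "pid": ev["pid"],
                "key": ev["key"], "target": ev["value"]}
    return None


def flag_self_delete(ev):
    """cmd.exe delay-then-delete pattern; reports which file was removed."""
    if ev.get("type") != "process_create":
        return None
    cmd = ev.get("cmdline", "")
    if not SELF_DELETE.search(cmd):
        return None
    m = DEL_TARGET.search(cmd)
    return {"rule": "ping_then_del_self_delete", "pid": ev["pid"],
            "parent_pid": ev.get("parent_pid"), "deleted": m.group(1) if m else None}


def flag_dropped_exe(ev):
    """An executable started from a staging directory (the 'Executes dropped EXE' case)."""
    if ev.get("type") != "process_create":
        return None
    image = ev.get("image", "").lower()
    if image.endswith(".exe") and any(d in image for d in STAGING_DIRS):
        return {"rule": "dropped_exe_from_staging_dir", "pid": ev["pid"],
                "parent_pid": ev.get("parent_pid"), "image": ev["image"]}
    return None


def scan(events):
    """Apply every rule to every event and return the findings in event order."""
    findings = []
    for ev in events:
        for rule in (flag_run_key_persistence, flag_self_delete, flag_dropped_exe):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f)
```

On the constructed input the scan returns exactly three findings, one per malicious event, and nothing for the two benign entries. The self-delete rule deliberately tolerates extra ping arguments (for example "-n 3 > nul") and "erase" in place of "del", because the delay-then-delete idiom varies between families while the loopback target and the chained delete do not.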
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: 39e662fccae873dc7d9af0df8430482f
SHA1: b664a427dd66e77072e1ac030eb95d233504a784
SHA256: 3da9e886aac755652fcef05cf25225af63afaaa82d4f6633bd025c9b9ac1a378
SHA512: ee33fe71cded5883626cf22b1d14053d3d278c45131ecd5d7e6f8049000be4c2d9ffec200c24d9aeb92b7e4365bacbda713cf94e14e6bf41698a4de729d9ccf8