Analysis
- max time kernel: 175s
- max time network: 197s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 31-05-2022 03:03
Static task: static1
Behavioral task: behavioral1
  Sample: fa084a7f1742b920fa3050bb3b4fd3f9953be1af35361717720bedd7d3a15d77.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: fa084a7f1742b920fa3050bb3b4fd3f9953be1af35361717720bedd7d3a15d77.exe
  Resource: win10v2004-20220414-en
General
- Target: fa084a7f1742b920fa3050bb3b4fd3f9953be1af35361717720bedd7d3a15d77.exe
- Size: 92KB
- MD5: 072fda0cb4353d0b1d79d7d1cd56d3b0
- SHA1: fd9cd128b7c45d059e3eddd01443c005f4c099e9
- SHA256: fa084a7f1742b920fa3050bb3b4fd3f9953be1af35361717720bedd7d3a15d77
- SHA512: e283710e84f494986d668900dadf8bf830c7e7bcf4040b2580881707f82388a7476eda7b77bf787fbd3e7ac257d04a35bc921da6d33852c8d2b9bd7e7e5604dd
Malware Config
Signatures
- Sakula Payload 2 IoCs
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
- suricata: ET MALWARE SUSPICIOUS UA (iexplore)
- suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
- Executes dropped EXE 1 IoCs
  Processes:
  pid | process
  444 | AdobeUpdate.exe
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | fa084a7f1742b920fa3050bb3b4fd3f9953be1af35361717720bedd7d3a15d77.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" | fa084a7f1742b920fa3050bb3b4fd3f9953be1af35361717720bedd7d3a15d77.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 4260 | fa084a7f1742b920fa3050bb3b4fd3f9953be1af35361717720bedd7d3a15d77.exe
- Suspicious use of WriteProcessMemory 9 IoCs
  Processes:
  description | pid | process | target process
  PID 4260 wrote to memory of 444 | 4260 | fa084a7f1742b920fa3050bb3b4fd3f9953be1af35361717720bedd7d3a15d77.exe | AdobeUpdate.exe
  PID 4260 wrote to memory of 444 | 4260 | fa084a7f1742b920fa3050bb3b4fd3f9953be1af35361717720bedd7d3a15d77.exe | AdobeUpdate.exe
  PID 4260 wrote to memory of 444 | 4260 | fa084a7f1742b920fa3050bb3b4fd3f9953be1af35361717720bedd7d3a15d77.exe | AdobeUpdate.exe
  PID 4260 wrote to memory of 2268 | 4260 | fa084a7f1742b920fa3050bb3b4fd3f9953be1af35361717720bedd7d3a15d77.exe | cmd.exe
  PID 4260 wrote to memory of 2268 | 4260 | fa084a7f1742b920fa3050bb3b4fd3f9953be1af35361717720bedd7d3a15d77.exe | cmd.exe
  PID 4260 wrote to memory of 2268 | 4260 | fa084a7f1742b920fa3050bb3b4fd3f9953be1af35361717720bedd7d3a15d77.exe | cmd.exe
  PID 2268 wrote to memory of 3120 | 2268 | cmd.exe | PING.EXE
  PID 2268 wrote to memory of 3120 | 2268 | cmd.exe | PING.EXE
  PID 2268 wrote to memory of 3120 | 2268 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\fa084a7f1742b920fa3050bb3b4fd3f9953be1af35361717720bedd7d3a15d77.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fa084a7f1742b920fa3050bb3b4fd3f9953be1af35361717720bedd7d3a15d77.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\fa084a7f1742b920fa3050bb3b4fd3f9953be1af35361717720bedd7d3a15d77.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
  Filesize: 92KB
  MD5: 9fd3bb743e945a33f8c5f87b0f01aa5a
  SHA1: 965de0404095cfdbad555eca29f7f6930f4251df
  SHA256: c711c82f93ccf053a05eaa1289a91e1cf6cd04824abf0f9b286e9abf2543c8c1
  SHA512: e4089b62215a7da9b20d0c189f0400717ab2de7e4212b6ee8da9788eda458be5e8bc2698ad8fd36952eb8c42bd58ede7d19b4c9320cafdb59a41205cbe3b617b
- memory/444-130-0x0000000000000000-mapping.dmp
- memory/2268-133-0x0000000000000000-mapping.dmp
- memory/3120-134-0x0000000000000000-mapping.dmp