Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 26-06-2022 01:54
Static task: static1
Behavioral task: behavioral1
- Sample: af6c0a194927e589cd5b99c54cd6b7f287aee2944fdf4e11e734242719a05deb.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: af6c0a194927e589cd5b99c54cd6b7f287aee2944fdf4e11e734242719a05deb.exe
- Resource: win10v2004-20220414-en
General
- Target: af6c0a194927e589cd5b99c54cd6b7f287aee2944fdf4e11e734242719a05deb.exe
- Size: 332KB
- MD5: 36a394bb4967fe95454237d33f1e40cc
- SHA1: e623ae5c006b7906373d38bcdfd4913fe1ac2e25
- SHA256: af6c0a194927e589cd5b99c54cd6b7f287aee2944fdf4e11e734242719a05deb
- SHA512: 579e85e2adbc555b7fb29a42b35f424575b551078ba75d62f5a934032ea2df74e346039f6c6f2e1d1727beedf7d9a00604347d70840358eab72d4e813bcbdde0
Malware Config
Signatures
-
Sakula Payload 6 IoCs
Processes:
resource                                                      yara_rule
\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe    family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe  family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe  family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe    family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe    family_sakula
\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe    family_sakula
-
suricata: ET MALWARE SUSPICIOUS UA (iexplore)
-
suricata: ET MALWARE Sakula/Mivast RAT CnC Beacon 1
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
1764  AdobeUpdate.exe
-
Deletes itself 1 IoCs
Processes:
pid   process
1284  cmd.exe
-
Loads dropped DLL 4 IoCs
Processes:
pid   process
1096  af6c0a194927e589cd5b99c54cd6b7f287aee2944fdf4e11e734242719a05deb.exe
1764  AdobeUpdate.exe
1764  AdobeUpdate.exe
1764  AdobeUpdate.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe"
process: af6c0a194927e589cd5b99c54cd6b7f287aee2944fdf4e11e734242719a05deb.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description: Token: SeIncBasePriorityPrivilege
pid: 1096
process: af6c0a194927e589cd5b99c54cd6b7f287aee2944fdf4e11e734242719a05deb.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description | pid | process | target process
PID 1096 wrote to memory of 1764 | 1096 | af6c0a194927e589cd5b99c54cd6b7f287aee2944fdf4e11e734242719a05deb.exe | AdobeUpdate.exe
PID 1096 wrote to memory of 1764 | 1096 | af6c0a194927e589cd5b99c54cd6b7f287aee2944fdf4e11e734242719a05deb.exe | AdobeUpdate.exe
PID 1096 wrote to memory of 1764 | 1096 | af6c0a194927e589cd5b99c54cd6b7f287aee2944fdf4e11e734242719a05deb.exe | AdobeUpdate.exe
PID 1096 wrote to memory of 1764 | 1096 | af6c0a194927e589cd5b99c54cd6b7f287aee2944fdf4e11e734242719a05deb.exe | AdobeUpdate.exe
PID 1096 wrote to memory of 1764 | 1096 | af6c0a194927e589cd5b99c54cd6b7f287aee2944fdf4e11e734242719a05deb.exe | AdobeUpdate.exe
PID 1096 wrote to memory of 1764 | 1096 | af6c0a194927e589cd5b99c54cd6b7f287aee2944fdf4e11e734242719a05deb.exe | AdobeUpdate.exe
PID 1096 wrote to memory of 1764 | 1096 | af6c0a194927e589cd5b99c54cd6b7f287aee2944fdf4e11e734242719a05deb.exe | AdobeUpdate.exe
PID 1096 wrote to memory of 1284 | 1096 | af6c0a194927e589cd5b99c54cd6b7f287aee2944fdf4e11e734242719a05deb.exe | cmd.exe
PID 1096 wrote to memory of 1284 | 1096 | af6c0a194927e589cd5b99c54cd6b7f287aee2944fdf4e11e734242719a05deb.exe | cmd.exe
PID 1096 wrote to memory of 1284 | 1096 | af6c0a194927e589cd5b99c54cd6b7f287aee2944fdf4e11e734242719a05deb.exe | cmd.exe
PID 1096 wrote to memory of 1284 | 1096 | af6c0a194927e589cd5b99c54cd6b7f287aee2944fdf4e11e734242719a05deb.exe | cmd.exe
PID 1284 wrote to memory of 796 | 1284 | cmd.exe | PING.EXE
PID 1284 wrote to memory of 796 | 1284 | cmd.exe | PING.EXE
PID 1284 wrote to memory of 796 | 1284 | cmd.exe | PING.EXE
PID 1284 wrote to memory of 796 | 1284 | cmd.exe | PING.EXE
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\af6c0a194927e589cd5b99c54cd6b7f287aee2944fdf4e11e734242719a05deb.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\af6c0a194927e589cd5b99c54cd6b7f287aee2944fdf4e11e734242719a05deb.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
        command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
        - Executes dropped EXE
        - Loads dropped DLL
    -
    [2] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\af6c0a194927e589cd5b99c54cd6b7f287aee2944fdf4e11e734242719a05deb.exe"
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        -
        [3] C:\Windows\SysWOW64\PING.EXE
            command line: ping 127.0.0.1
            - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
Filesize: 332KB
MD5: 4e6d39bc282b8fd4e19daba1e28a8356
SHA1: 2e8b84229576ee1762902110c39cc3fa1e9c47b2
SHA256: ab195983c7b24bbce1977f85a9a64d01177eb4fda06349e6bc8eaee22c11bbd5
SHA512: c51476e89c36cc83c6300c8ff44ae384ba9a2939857d8dad192d43bff9f64218a49f996b8e1b15adbbb40ee22733db08d5bc904e4e197a609235a062ebdeb7bb
-
\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
Filesize: 332KB
MD5: 4e6d39bc282b8fd4e19daba1e28a8356
SHA1: 2e8b84229576ee1762902110c39cc3fa1e9c47b2
SHA256: ab195983c7b24bbce1977f85a9a64d01177eb4fda06349e6bc8eaee22c11bbd5
SHA512: c51476e89c36cc83c6300c8ff44ae384ba9a2939857d8dad192d43bff9f64218a49f996b8e1b15adbbb40ee22733db08d5bc904e4e197a609235a062ebdeb7bb
-
memory/796-64-0x0000000000000000-mapping.dmp
-
memory/1096-54-0x0000000075B71000-0x0000000075B73000-memory.dmp
Filesize: 8KB
-
memory/1284-63-0x0000000000000000-mapping.dmp
-
memory/1764-56-0x0000000000000000-mapping.dmp