Analysis
- max time kernel: 120s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-10-2022 00:21
Behavioral task: behavioral1
- Sample: ed9f64044aa25abc28fa4340eb9337e6.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: ed9f64044aa25abc28fa4340eb9337e6.exe
- Resource: win10v2004-20220812-en
General
- Target: ed9f64044aa25abc28fa4340eb9337e6.exe
- Size: 101KB
- MD5: ed9f64044aa25abc28fa4340eb9337e6
- SHA1: 48c080fcebecc62a3eeff603cec5f5b1de1108b4
- SHA256: de1241f331f48e829e0a632c29c59f63662d180afb8e88bc42bdf959e4333b1d
- SHA512: d046ac3880aea6d3b70e1cdbb24c5c88649e8e42705680d65f8c266805cdfb5b9ff218a5dcb76d8d7011b07b55db128fd4e65fba0a6c26a338a4b4cb59519ce6
- SSDEEP: 1536:9JbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtrGPTEzV:/bfVk29te2jqxCEtg30BibEB
Malware Config
Signatures
- Sakula payload (2 IoCs)
  Processes (resource / yara_rule):
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe / family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe / family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    1164 / AdobeUpdate.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
    Key value queried / \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation / ed9f64044aa25abc28fa4340eb9337e6.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" / ed9f64044aa25abc28fa4340eb9337e6.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege / 396 / ed9f64044aa25abc28fa4340eb9337e6.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / target process):
    PID 396 wrote to memory of 1164 / 396 / ed9f64044aa25abc28fa4340eb9337e6.exe / AdobeUpdate.exe (3 events)
    PID 396 wrote to memory of 3384 / 396 / ed9f64044aa25abc28fa4340eb9337e6.exe / cmd.exe (3 events)
    PID 3384 wrote to memory of 2680 / 3384 / cmd.exe / PING.EXE (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\ed9f64044aa25abc28fa4340eb9337e6.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ed9f64044aa25abc28fa4340eb9337e6.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\ed9f64044aa25abc28fa4340eb9337e6.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
  Filesize: 101KB
  MD5: 4386b50958d08b1079126e33301deaa1
  SHA1: 379b306a869b3ef304de0e89ed3f8d3aa86be0ff
  SHA256: 857853346db45d003091675ca9bbabf60cbff02161b21d6a23d1f4cf89be8988
  SHA512: 87d6b54396759d86403bf4e42d48bef5486bd78901419a2d9189442cd0f960fef2949fe1be65e806d979d520633ef5dc4a57aeeb4238562f6315a9056fc6cee4
- memory/1164-132-0x0000000000000000-mapping.dmp
- memory/2680-136-0x0000000000000000-mapping.dmp
- memory/3384-135-0x0000000000000000-mapping.dmp