Analysis
- max time kernel: 141s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-10-2022 15:29
Behavioral task behavioral1
- Sample: 13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.exe
- Resource: win7-20220812-en
Behavioral task behavioral2
- Sample: 13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.exe
- Resource: win10v2004-20220812-en
General
- Target: 13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.exe
- Size: 101KB
- MD5: f96fcbf8a58763beb2d7da2d4d30459e
- SHA1: 0839a4442b9f4ccd10c8c66c8c585eec9fbd7def
- SHA256: 13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27
- SHA512: 0fd67dc2a891ef94ff6d07443cfaa655e9f9b1ecd268dee699f89452f304c638711d3d2210ebb6c4bb1230f29b4b9a379738fcf4a0d4fa75372a8bbb35e678ab
- SSDEEP: 1536:9JbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtrfPTEzk:/bfVk29te2jqxCEtg30BLbEw
Malware Config
Signatures
- Sakula payload 2 IoCs
Processes:
  resource                                                       yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe   family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe   family_sakula
- Executes dropped EXE 1 IoCs
Processes:
  pid    process
  4892   AdobeUpdate.exe
- Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description         ioc                                                                                                  process
  Key value queried   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation   13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.exe
- Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description       ioc                                                                                                                                                                    process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe"   13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.exe
- Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description                         pid    process
  Token: SeIncBasePriorityPrivilege   1392   13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.exe
- Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  description                        pid    process                                                                 target process
  PID 1392 wrote to memory of 4892   1392   13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.exe   AdobeUpdate.exe
  PID 1392 wrote to memory of 4892   1392   13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.exe   AdobeUpdate.exe
  PID 1392 wrote to memory of 4892   1392   13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.exe   AdobeUpdate.exe
  PID 1392 wrote to memory of 1704   1392   13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.exe   cmd.exe
  PID 1392 wrote to memory of 1704   1392   13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.exe   cmd.exe
  PID 1392 wrote to memory of 1704   1392   13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.exe   cmd.exe
  PID 1704 wrote to memory of 1864   1704   cmd.exe                                                                 PING.EXE
  PID 1704 wrote to memory of 1864   1704   cmd.exe                                                                 PING.EXE
  PID 1704 wrote to memory of 1864   1704   cmd.exe                                                                 PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\13d4d6d42f009d0da238938089c0ca3c6a49b465ba8650ea8b2cb1a003c9af27.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
  Filesize: 101KB
  MD5: eb36cad2029606e54a01f5d46b30f24d
  SHA1: f51dbd76d80794635a9e542a980f4d3ea4084d97
  SHA256: 9dd71bc2681f2e915cfc60bc92921198f29563cd55b4a26a9458b61b0b0e8e68
  SHA512: 56b8f5117477b70de46acb2faecbfe9de30e4c7f7945c2de0030c11aca01210b2a48fec8ec99f10fc32f2e811a383fcfe2d8d5ad32fdb4ff2879290074c9c547
- memory/1704-135-0x0000000000000000-mapping.dmp
- memory/1864-136-0x0000000000000000-mapping.dmp
- memory/4892-132-0x0000000000000000-mapping.dmp