Analysis
max time kernel: 112s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
submitted: 13-10-2022 01:42
Behavioral task behavioral1
Sample: ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe
Resource: win7-20220812-en
Behavioral task behavioral2
Sample: ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe
Resource: win10v2004-20220901-en
General
Target: ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe
Size: 101KB
MD5: 9136918998cd24a1549e0b9ee1500024
SHA1: 69e7a0f7026355e2279e7619a3d2dc375bcaceb2
SHA256: ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244
SHA512: 895314a3a3d822e4c938b6a1db0f3dcccab3fa5325b43b4b95f892b0b421ca7df8a3afbedf987e631eb3148bdca5d114c357a7bd560463037b3ffedbcd62368e
SSDEEP: 1536:9JbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtrGPTEzl:/bfVk29te2jqxCEtg30BibEp
Malware Config
Signatures
-
Sakula payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
2584 | AdobeUpdate.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" | ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The "likely ransomware behaviour" wording is the sandbox's generic description for this signature; nothing else in this trace (no mass file modification, no encryption, no ransom note) supports it, and Sakula is a remote-access trojan family rather than ransomware. Treat the drive enumeration as reconnaissance.
-
Runs ping.exe 1 TTPs 1 IoCs
The ping here is a delay, not reconnaissance: the dropper spawns cmd.exe /c ping 127.0.0.1 & del /q "<dropper path>" so that the original executable is removed once it has exited (self-deletion), leaving only the dropped AdobeUpdate.exe and its Run key on disk. Note that the 32-bit dropper's "C:\Windows\System32\cmd.exe" resolves to C:\Windows\SysWOW64\cmd.exe through file system redirection, and its HKLM\SOFTWARE Run key lands under WOW6432Node; when hunting, query both the native and the WOW6432Node views.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 4804 | ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Three writes per child, each against a process the writer itself had just spawned (4804 into 2584 AdobeUpdate.exe, 4804 into 4788 cmd.exe, 4788 into 4452 PING.EXE), is the pattern CreateProcess produces while setting up a new child's address space. No write targets a process the sample did not create, so this is process-creation noise rather than evidence of injection into another process.
Processes:
description | pid | process | target process
PID 4804 wrote to memory of 2584 | 4804 | ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe | AdobeUpdate.exe
PID 4804 wrote to memory of 2584 | 4804 | ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe | AdobeUpdate.exe
PID 4804 wrote to memory of 2584 | 4804 | ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe | AdobeUpdate.exe
PID 4804 wrote to memory of 4788 | 4804 | ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe | cmd.exe
PID 4804 wrote to memory of 4788 | 4804 | ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe | cmd.exe
PID 4804 wrote to memory of 4788 | 4804 | ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe | cmd.exe
PID 4788 wrote to memory of 4452 | 4788 | cmd.exe | PING.EXE
PID 4788 wrote to memory of 4452 | 4788 | cmd.exe | PING.EXE
PID 4788 wrote to memory of 4452 | 4788 | cmd.exe | PING.EXE
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe"
    (bracketed number = depth in the process tree)
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
- Executes dropped EXE
-
[2] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe"
- Suspicious use of WriteProcessMemory
-
[3] C:\Windows\SysWOW64\PING.EXE
    command line: ping 127.0.0.1
- Runs ping.exe
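Three behaviours in the signatures and process tree above translate directly into host-hunting rules: a Run key whose target sits in a user-writable Temp path (written under WOW6432Node by the 32-bit dropper), a Geo\Nation lookup from a process running out of Temp, and the cmd.exe /c ping 127.0.0.1 & del self-deletion of the dropper. The Python below is an added example, not part of the sandbox report and not the malware's code: it encodes those rules and runs them over a constructed event list modelled on the trace. PIDs and paths are copied from the report; the dropper's parent PID, the two benign control events, and the event field names (type/pid/ppid/image/cmdline/key/data, an assumed normalisation of collector output such as Sysmon event IDs 1/12/13) are assumptions.

```python
"""Hunting rules for the behaviours in the Sakula trace (added example).

Events are constructed to mirror the report; see the lead-in for which
fields and values are copied from the trace and which are assumed.
"""
import re
from typing import Dict, List

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\ee18cb59987dc5e62d33ff9c1b6ae9169181b8046732924fa5f12e9c245c8244.exe")
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe"

SAMPLE_EVENTS: List[Dict] = [
    # modelled on the trace (ppid 1000 for the dropper is constructed)
    {"type": "ProcessCreate", "pid": 4804, "ppid": 1000, "image": DROPPER,
     "cmdline": f'"{DROPPER}"'},
    {"type": "RegistryQuery", "pid": 4804, "image": DROPPER,
     "key": r"HKU\S-1-5-21-929662420-1054238289-2961194603-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"type": "RegistrySet", "pid": 4804, "image": DROPPER,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate",
     "data": PAYLOAD},
    {"type": "ProcessCreate", "pid": 2584, "ppid": 4804, "image": PAYLOAD, "cmdline": PAYLOAD},
    {"type": "ProcessCreate", "pid": 4788, "ppid": 4804, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{DROPPER}"'},
    {"type": "ProcessCreate", "pid": 4452, "ppid": 4788, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
    # constructed benign controls: a vendor Run key and an ordinary ping must not fire
    {"type": "RegistrySet", "pid": 900, "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "data": r"C:\Program Files\Vendor\tray.exe"},
    {"type": "ProcessCreate", "pid": 901, "ppid": 800, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c ping -n 1 10.0.0.1'},
]

# Native and WOW6432Node (32-bit view) Run/RunOnce keys: a 32-bit process writing
# HKLM\SOFTWARE\...\Run is redirected to WOW6432Node, as happened in this trace.
RUN_KEY = re.compile(r"\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# "ping <loopback> [...] & del <file>": ping is the delay, del removes the file.
PING_DEL = re.compile(
    r'\bping(?:\s+-n\s+\d+)?\s+(?:127\.0\.0\.1|localhost|::1)\b'
    r'.*?&+\s*(?:del|erase)\b\s*(?:/\w\s+)*"?([^"&]+?)"?\s*$', re.I)
_EXE = re.compile(r'^"?(.*?\.(?:exe|com|bat|cmd|scr|vbs|js|ps1|dll))\b', re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _first_path(data: str) -> str:
    """Extract the executable path from a Run value such as '"C:\\x y\\z.exe" /arg'."""
    m = _EXE.match(data.strip())
    return m.group(1) if m else data.strip().strip('"')


def detect(events: List[Dict]) -> List[Dict]:
    """Return one finding per matching event: {"rule", "pid", "detail"}."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "ProcessCreate"}
    findings = []
    for e in events:
        t = e["type"]
        if t == "RegistrySet" and RUN_KEY.search(e["key"]):
            target = _first_path(e.get("data", ""))
            if USER_WRITABLE.match(target):  # autorun pointing into a user-writable path
                findings.append({"rule": "run_key_user_writable", "pid": e["pid"],
                                 "detail": f"{e['key']} -> {target}"})
        elif t == "RegistryQuery" and GEO_NATION.search(e["key"]):
            # explorer and installers read Geo\Nation legitimately; only flag
            # readers that themselves run from a user-writable location
            if USER_WRITABLE.match(e["image"]):
                findings.append({"rule": "geo_nation_query", "pid": e["pid"],
                                 "detail": e["image"]})
        elif t == "ProcessCreate" and _basename(e["image"]) == "cmd.exe":
            m = PING_DEL.search(e.get("cmdline", ""))
            if m:
                target = m.group(1).strip()
                parent = images.get(e.get("ppid"), "")
                # deleting the parent's own image is the self-deletion pattern
                rule = ("self_delete_via_ping" if target.lower() == parent.lower()
                        else "delayed_delete_via_ping")
                findings.append({"rule": rule, "pid": e["pid"], "detail": target})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['rule']:<24} pid={f['pid']:<5} {f['detail']}")
```

On a real estate the same three rules run over collector output; the self-deletion rule is the highest-confidence of the three because a legitimate cmd.exe almost never deletes the image of its own parent, while the Run-key and Geo\Nation rules need the user-writable-path qualifier to stay quiet.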
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
Filesize: 101KB
MD5: f53f73bde73aa509e0c9875283a1774d
SHA1: ab40fc6498982cad152135deadcfb9a6cf0c506f
SHA256: 3a591ad13fba6d937394119228c5fb9c410962099f5c81edfd744c2530b45f30
SHA512: 556386336eb501c9bc801e70b2ac3accfd172a15c9006af1fdee1c3543fffd64e653fd7cfc7b5b3608adc404775eaa644bee578b1c47111adddabfc9bfe6351a
-
memory/2584-132-0x0000000000000000-mapping.dmp
-
memory/4452-136-0x0000000000000000-mapping.dmp
-
memory/4788-135-0x0000000000000000-mapping.dmp