Analysis

max time kernel: 152s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-10-2023 21:49
Behavioral task: behavioral1
Sample: 82b565fa498294072fe2935c5f222301_JC.exe
Resource: win7-20230831-en

Behavioral task: behavioral2
Sample: 82b565fa498294072fe2935c5f222301_JC.exe
Resource: win10v2004-20230915-en
General

Target: 82b565fa498294072fe2935c5f222301_JC.exe
Size: 101KB
MD5: 82b565fa498294072fe2935c5f222301
SHA1: 1443cf64bf5c628a0a1676281ce121427831f874
SHA256: 39695dc410cc3fc588b1bb1623051485ceca6bf0f945ffd75cd5346b0d387095
SHA512: b0a59103d1301aa931f7543c0fbad147eaaaf53dc8e97b93f9bfe4e7c2bf30492ed1bee8cdcfc1b656d75aad6fe30f12791f1b122bc56d75905f41107bbaba21
SSDEEP: 1536:9JbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtrfPTEzA:/bfVk29te2jqxCEtg30BLbEM
Malware Config

Extracted: sakula
www.savmpet.com
Signatures

Sakula payload (2 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 82b565fa498294072fe2935c5f222301_JC.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | 82b565fa498294072fe2935c5f222301_JC.exe
Executes dropped EXE (1 IoC)
Processes: AdobeUpdate.exe
pid | process
3940 | AdobeUpdate.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 82b565fa498294072fe2935c5f222301_JC.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" | 82b565fa498294072fe2935c5f222301_JC.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: 82b565fa498294072fe2935c5f222301_JC.exe
description | pid | process
Token: SeIncBasePriorityPrivilege | 4964 | 82b565fa498294072fe2935c5f222301_JC.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 82b565fa498294072fe2935c5f222301_JC.exe, cmd.exe
description | pid | process | target process
PID 4964 wrote to memory of 3940 | 4964 | 82b565fa498294072fe2935c5f222301_JC.exe | AdobeUpdate.exe
PID 4964 wrote to memory of 3940 | 4964 | 82b565fa498294072fe2935c5f222301_JC.exe | AdobeUpdate.exe
PID 4964 wrote to memory of 3940 | 4964 | 82b565fa498294072fe2935c5f222301_JC.exe | AdobeUpdate.exe
PID 4964 wrote to memory of 3960 | 4964 | 82b565fa498294072fe2935c5f222301_JC.exe | cmd.exe
PID 4964 wrote to memory of 3960 | 4964 | 82b565fa498294072fe2935c5f222301_JC.exe | cmd.exe
PID 4964 wrote to memory of 3960 | 4964 | 82b565fa498294072fe2935c5f222301_JC.exe | cmd.exe
PID 3960 wrote to memory of 4512 | 3960 | cmd.exe | PING.EXE
PID 3960 wrote to memory of 4512 | 3960 | cmd.exe | PING.EXE
PID 3960 wrote to memory of 4512 | 3960 | cmd.exe | PING.EXE
Processes

[1] C:\Users\Admin\AppData\Local\Temp\82b565fa498294072fe2935c5f222301_JC.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\82b565fa498294072fe2935c5f222301_JC.exe"
    PID: 4964
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
        PID: 3940
        - Executes dropped EXE

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\82b565fa498294072fe2935c5f222301_JC.exe"
        PID: 3960
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            PID: 4512
            - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 101KB
MD5: 95abee92b145c342fdb9a98777e9d00b
SHA1: ab062644b4688d98f9b1ab7bf0989c92d46f1fab
SHA256: 2099c6a7a61813856e05b7ab2d9c1f2f13bcb0383ea489f00b89255021ceab39
SHA512: 3ab6dee3bc998d54d2ba6d2937bd3c775a4b671a7ca0e046f30e84824b07ef4479b1125f80ab73acbbae6eb72a11acebea03cd8b4de5719247e969daf25d0b9f