Analysis
- max time kernel: 141s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-10-2023 20:32
Behavioral task: behavioral1
- Sample: NEAS.9db08939eb0df4981c39f473f33f7e40.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: NEAS.9db08939eb0df4981c39f473f33f7e40.exe
- Resource: win10v2004-20230915-en
General
- Target: NEAS.9db08939eb0df4981c39f473f33f7e40.exe
- Size: 332KB
- MD5: 9db08939eb0df4981c39f473f33f7e40
- SHA1: e4a86ea0f7a4327ae9fd064215c4daccd0cf1752
- SHA256: 15f908c24d99451d90104938685ca2513df8564172635325f4b9754f9c8220c1
- SHA512: be4789b0120f38ee925708a327f860fdc866a88668285d1010abb7be51b9700c64c47f3439e0fa38f5462f719ca27e313adb60f36fd950b4a318b70863b40e98
- SSDEEP: 6144:Nj9c2WYd30BKmiPVpU3ypIPr3D3StNynyS/i:NSI2Hu
Malware Config
Extracted
- Family: sakula
- Domain: www.savmpet.com
Signatures
- Sakula payload (2 IoCs)
  Processes:
  resource                                                       yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe   family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe   family_sakula
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: NEAS.9db08939eb0df4981c39f473f33f7e40.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation
  process: NEAS.9db08939eb0df4981c39f473f33f7e40.exe
- Executes dropped EXE (1 IoCs)
  Processes: AdobeUpdate.exe
  pid: 5096
  process: AdobeUpdate.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: NEAS.9db08939eb0df4981c39f473f33f7e40.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe"
  process: NEAS.9db08939eb0df4981c39f473f33f7e40.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: NEAS.9db08939eb0df4981c39f473f33f7e40.exe
  description: Token: SeIncBasePriorityPrivilege
  pid: 428
  process: NEAS.9db08939eb0df4981c39f473f33f7e40.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: NEAS.9db08939eb0df4981c39f473f33f7e40.exe, cmd.exe
  description                         pid    process                                      target process
  PID 428 wrote to memory of 5096     428    NEAS.9db08939eb0df4981c39f473f33f7e40.exe    AdobeUpdate.exe
  PID 428 wrote to memory of 5096     428    NEAS.9db08939eb0df4981c39f473f33f7e40.exe    AdobeUpdate.exe
  PID 428 wrote to memory of 5096     428    NEAS.9db08939eb0df4981c39f473f33f7e40.exe    AdobeUpdate.exe
  PID 428 wrote to memory of 4024     428    NEAS.9db08939eb0df4981c39f473f33f7e40.exe    cmd.exe
  PID 428 wrote to memory of 4024     428    NEAS.9db08939eb0df4981c39f473f33f7e40.exe    cmd.exe
  PID 428 wrote to memory of 4024     428    NEAS.9db08939eb0df4981c39f473f33f7e40.exe    cmd.exe
  PID 4024 wrote to memory of 4696    4024   cmd.exe                                      PING.EXE
  PID 4024 wrote to memory of 4696    4024   cmd.exe                                      PING.EXE
  PID 4024 wrote to memory of 4696    4024   cmd.exe                                      PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.9db08939eb0df4981c39f473f33f7e40.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.9db08939eb0df4981c39f473f33f7e40.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 428
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    - Executes dropped EXE
    PID: 5096
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\NEAS.9db08939eb0df4981c39f473f33f7e40.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4024
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 4696
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
  Filesize: 332KB
  MD5: 2db2d2c053757565931ad0d50399fa43
  SHA1: 8b7ca80d59c7af8a692c3cf89d7f8d2b162566f2
  SHA256: 93ac2a79e310be8d6e0df6b33182df2f06bbc677b1a6d4c889a4b34393d67503
  SHA512: 0311aefd5f54fb01f44dc4fc1a714116e071c4a80a98634e62e6b345ad6347385c152d63489555129659c1085aa7f73b2e819738dac1e971eeb6d32cb21a4c31