Analysis
max time kernel: 130s
max time network: 141s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 15-10-2023 19:41

Behavioral task behavioral1
Sample: 996d9a8ea67e8a858088141a60696ee0_exe32.exe
Resource: win7-20230831-en

Behavioral task behavioral2
Sample: 996d9a8ea67e8a858088141a60696ee0_exe32.exe
Resource: win10v2004-20230915-en
General
Target: 996d9a8ea67e8a858088141a60696ee0_exe32.exe
Size: 92KB
MD5: 996d9a8ea67e8a858088141a60696ee0
SHA1: 25634ffc25848e82eee22312140acccd1d145d43
SHA256: 5427f52a114956785f0ed84d43b5ca4fa093fd8ac1bc2c9e663167e1b8876096
SHA512: 5a6fab891a6d54d423618930ddfd1d6a69917370e5458f9b3f0125ee126f505db6167f70bfc249d6ee6760fe556b6303097e4daf811d5a54f2790a93b524638f
SSDEEP: 1536:TJbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtrW:9bfVk29te2jqxCEtg30Bi
Malware Config
Extracted
Family: sakula
Extracted indicator: www.savmpet.com
Signatures
- Sakula payload (6 IoCs)
  yara_rule family_sakula matched six times, every match on the dropped file
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
  (the report lists the same file under both the C:\Users\... and \Users\... path forms)
- Deletes itself (1 IoC)
  process: cmd.exe, PID 2780
- Executes dropped EXE (1 IoC)
  process: AdobeUpdate.exe, PID 2056
- Loads dropped DLL (4 IoCs)
  process: 996d9a8ea67e8a858088141a60696ee0_exe32.exe, PID 2452 (1 load)
  process: AdobeUpdate.exe, PID 2056 (3 loads)
- Adds Run key to start application (2 TTPs, 1 IoC)
  process: 996d9a8ea67e8a858088141a60696ee0_exe32.exe, PID 2452
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  process: 996d9a8ea67e8a858088141a60696ee0_exe32.exe, PID 2452; token: SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (15 IoCs)
  PID 2452 (996d9a8ea67e8a858088141a60696ee0_exe32.exe) wrote to memory of PID 2056 (AdobeUpdate.exe): 7 events
  PID 2452 (996d9a8ea67e8a858088141a60696ee0_exe32.exe) wrote to memory of PID 2780 (cmd.exe): 4 events
  PID 2780 (cmd.exe) wrote to memory of PID 2636 (PING.EXE): 4 events
Processes
C:\Users\Admin\AppData\Local\Temp\996d9a8ea67e8a858088141a60696ee0_exe32.exe (PID 2452)
  command line: "C:\Users\Admin\AppData\Local\Temp\996d9a8ea67e8a858088141a60696ee0_exe32.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe (PID 2056)
      command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
      - Executes dropped EXE
      - Loads dropped DLL
    C:\Windows\SysWOW64\cmd.exe (PID 2780)
      command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\996d9a8ea67e8a858088141a60696ee0_exe32.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE (PID 2636)
          command line: ping 127.0.0.1
          - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
(listed six times in the report, under both the C:\Users\... and \Users\... path forms; every listing has the same size and hashes)
Filesize: 92KB
MD5: a80c6cf399331249aa887ec92e7bd258
SHA1: 82c2fbe51708b48fc0007ded179796259eb6c5b4
SHA256: 4e8310ed5e45c9d03006430d5a1477d40e615f2e59ffaad7d6f65da2fc5e875d
SHA512: d00e174f294645313147e7034cee208f6f14dd422afc6ce512d0274a3f8c2f83f123ac6faf1b302aad56aea6d0222c1fdbcfa06ecbf7ae727a5295559cc2d8a1
Note: these hashes differ from those of the submitted sample (MD5 996d9a8ea67e8a858088141a60696ee0), so the dropped AdobeUpdate.exe is not a byte-identical copy of the submitted file even though both are reported as 92KB; hunt on both hash sets.