Analysis

max time kernel: 147s
max time network: 152s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 17-10-2023 20:58
Behavioral task behavioral1
  Sample: NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe
  Resource: win7-20230831-en

Behavioral task behavioral2
  Sample: NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe
  Resource: win10v2004-20230915-en
General

Target: NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe
Size: 92KB
MD5: 280b4761b5389061dc7bf992a83c11d0
SHA1: fa613d403ed14ebd384fcc6ed986b442b0e443be
SHA256: 1ca4d91b8df358b7d3fbf7c96ef104328554608de7892e05fb8c81474112ffcd
SHA512: 20f55909fa7ee67c60e12e7f537520c3dbbca7934d2c74d15505e9982b3dcd2fc3d61fb7905442236c9d6d201448e0e631574c75649a4d84f51b71dbb19c1afc
SSDEEP: 1536:TJbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtrs:9bfVk29te2jqxCEtg30BA
Malware Config

Extracted: sakula
  www.savmpet.com
Signatures

Sakula payload  6 IoCs
  Processes:
    resource                                                      yara_rule
    \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe    family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe  family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe  family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe    family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe    family_sakula
    \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe    family_sakula

Deletes itself  1 IoCs
  Processes:
    pid   process
    2632  cmd.exe

Executes dropped EXE  1 IoCs
  Processes:
    pid   process
    2068  AdobeUpdate.exe

Loads dropped DLL  4 IoCs
  Processes:
    pid   process
    2548  NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe
    2068  AdobeUpdate.exe
    2068  AdobeUpdate.exe
    2068  AdobeUpdate.exe

Adds Run key to start application  2 TTPs  1 IoCs
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe"
    process: NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe

Enumerates physical storage devices  1 TTPs
  Attempts to interact with connected storage/optical drive(s).

Runs ping.exe  1 TTPs  1 IoCs

Suspicious use of AdjustPrivilegeToken  1 IoCs
  Processes:
    description                         pid   process
    Token: SeIncBasePriorityPrivilege   2548  NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe

Suspicious use of WriteProcessMemory  15 IoCs
  Processes:
    description                        pid   process                                        target process
    PID 2548 wrote to memory of 2068   2548  NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe  AdobeUpdate.exe
    PID 2548 wrote to memory of 2068   2548  NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe  AdobeUpdate.exe
    PID 2548 wrote to memory of 2068   2548  NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe  AdobeUpdate.exe
    PID 2548 wrote to memory of 2068   2548  NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe  AdobeUpdate.exe
    PID 2548 wrote to memory of 2068   2548  NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe  AdobeUpdate.exe
    PID 2548 wrote to memory of 2068   2548  NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe  AdobeUpdate.exe
    PID 2548 wrote to memory of 2068   2548  NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe  AdobeUpdate.exe
    PID 2548 wrote to memory of 2632   2548  NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe  cmd.exe
    PID 2548 wrote to memory of 2632   2548  NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe  cmd.exe
    PID 2548 wrote to memory of 2632   2548  NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe  cmd.exe
    PID 2548 wrote to memory of 2632   2548  NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe  cmd.exe
    PID 2632 wrote to memory of 1984   2632  cmd.exe                                        PING.EXE
    PID 2632 wrote to memory of 1984   2632  cmd.exe                                        PING.EXE
    PID 2632 wrote to memory of 1984   2632  cmd.exe                                        PING.EXE
    PID 2632 wrote to memory of 1984   2632  cmd.exe                                        PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2548

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2068

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 2632

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 1984
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
  Filesize: 92KB
  MD5: 728442ada2d1ff477d5c3bd162735f41
  SHA1: 5d40c3cfd105d03164629f9b080a46970714270b
  SHA256: a252eaeb169b16f90171fb805a2f67cf34e021fec14f41f330e14607a1f21397
  SHA512: c60c36dd3d7210ff30ac20dcff4a2f9f8661f7ed386e4df2a25ba00efe48593fa47883c59c576cfa1e959105fee05e69fdfdb934f14aee8c53e6f042e78e7aea

\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
  Filesize: 92KB
  MD5: 728442ada2d1ff477d5c3bd162735f41
  SHA1: 5d40c3cfd105d03164629f9b080a46970714270b
  SHA256: a252eaeb169b16f90171fb805a2f67cf34e021fec14f41f330e14607a1f21397
  SHA512: c60c36dd3d7210ff30ac20dcff4a2f9f8661f7ed386e4df2a25ba00efe48593fa47883c59c576cfa1e959105fee05e69fdfdb934f14aee8c53e6f042e78e7aea