Analysis
- max time kernel: 129s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-10-2023 20:58
Behavioral task: behavioral1
- Sample: NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe
- Resource: win10v2004-20230915-en
General
- Target: NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe
- Size: 92KB
- MD5: 280b4761b5389061dc7bf992a83c11d0
- SHA1: fa613d403ed14ebd384fcc6ed986b442b0e443be
- SHA256: 1ca4d91b8df358b7d3fbf7c96ef104328554608de7892e05fb8c81474112ffcd
- SHA512: 20f55909fa7ee67c60e12e7f537520c3dbbca7934d2c74d15505e9982b3dcd2fc3d61fb7905442236c9d6d201448e0e631574c75649a4d84f51b71dbb19c1afc
- SSDEEP: 1536:TJbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtrs:9bfVk29te2jqxCEtg30BA
Malware Config
Extracted
- Family: sakula
- www.savmpet.com
Signatures
- Sakula payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  4408 | AdobeUpdate.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" | NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 700 | NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 700 wrote to memory of 4408 | 700 | NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe | AdobeUpdate.exe
  PID 700 wrote to memory of 4408 | 700 | NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe | AdobeUpdate.exe
  PID 700 wrote to memory of 4408 | 700 | NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe | AdobeUpdate.exe
  PID 700 wrote to memory of 4316 | 700 | NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe | cmd.exe
  PID 700 wrote to memory of 4316 | 700 | NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe | cmd.exe
  PID 700 wrote to memory of 4316 | 700 | NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe | cmd.exe
  PID 4316 wrote to memory of 4816 | 4316 | cmd.exe | PING.EXE
  PID 4316 wrote to memory of 4816 | 4316 | cmd.exe | PING.EXE
  PID 4316 wrote to memory of 4816 | 4316 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe"
  PID: 700
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    PID: 4408
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\NEAS.280b4761b5389061dc7bf992a83c11d0_JC.exe"
    PID: 4316
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 4816
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
  Filesize: 92KB
  MD5: bf03afa38629d617aff58a0bd255bd62
  SHA1: 568a1077f1041939802a6d373570c60b25328a9e
  SHA256: f12392b35076a3a10227dc71f29b63c7441f40c519fc8d6c548c667cb6a5be6d
  SHA512: 95f823a8de821c5a6e3081040cdf872279841956458454710884943d6bbd60f825dcf07b1598de377cf0af8671059ed1118b04fae6e55535db9f654179d6140e