Analysis

Max time kernel: 136s
Max time network: 140s
Platform: windows7_x64
Resource: win7-20230831-en
Resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
Submitted: 19-10-2023 00:49
Behavioral task: behavioral1
Sample: NEAS.d29cfdc70c8949ea1d67ed359d7581b0_JC.exe
Resource: win7-20230831-en

Behavioral task: behavioral2
Sample: NEAS.d29cfdc70c8949ea1d67ed359d7581b0_JC.exe
Resource: win10v2004-20230915-en
General

Target: NEAS.d29cfdc70c8949ea1d67ed359d7581b0_JC.exe
Size: 332KB
MD5: d29cfdc70c8949ea1d67ed359d7581b0
SHA1: eb0936510b7ed535779555eeaf54f76c73741a7d
SHA256: 594d2edd96beec439fadf83aa7f1f3167481f00251b9f9b7cdb2f8af2cfae10f
SHA512: 9c3fb4f8e89f99aa7f50f4c03e69a0535beaa5bba64c9674e64566f829b108cad96780f771cc0dab99cf4da5618b11cd743b2206f53bfb782e3c9f42ae5c376e
SSDEEP: 6144:Nj9c2WYd30BKmiPVpU3ypIPr3D3StNynyS/i:NSI2HG
Malware Config

Extracted family: sakula
C2: www.savmpet.com
Signatures

Sakula payload (6 IoCs)
Resource / YARA rule:
  \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe -> family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe -> family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe -> family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe -> family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe -> family_sakula
  \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe -> family_sakula

Deletes itself (1 IoC)
Processes (pid / process):
  2704 cmd.exe

Executes dropped EXE (1 IoC)
Processes (pid / process):
  1692 AdobeUpdate.exe

Loads dropped DLL (4 IoCs)
Processes (pid / process):
  3028 NEAS.d29cfdc70c8949ea1d67ed359d7581b0_JC.exe
  1692 AdobeUpdate.exe
  1692 AdobeUpdate.exe
  1692 AdobeUpdate.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description / ioc / process):
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" -- NEAS.d29cfdc70c8949ea1d67ed359d7581b0_JC.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description / pid / process):
  Token: SeIncBasePriorityPrivilege -- 3028 NEAS.d29cfdc70c8949ea1d67ed359d7581b0_JC.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes (description / pid / process / target process):
  PID 3028 wrote to memory of 1692 -- NEAS.d29cfdc70c8949ea1d67ed359d7581b0_JC.exe -> AdobeUpdate.exe (7 events)
  PID 3028 wrote to memory of 2704 -- NEAS.d29cfdc70c8949ea1d67ed359d7581b0_JC.exe -> cmd.exe (4 events)
  PID 2704 wrote to memory of 2272 -- cmd.exe -> PING.EXE (4 events)
Processes

1. C:\Users\Admin\AppData\Local\Temp\NEAS.d29cfdc70c8949ea1d67ed359d7581b0_JC.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.d29cfdc70c8949ea1d67ed359d7581b0_JC.exe"
   PID: 3028
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
      PID: 1692
      - Executes dropped EXE
      - Loads dropped DLL

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\NEAS.d29cfdc70c8949ea1d67ed359d7581b0_JC.exe"
      PID: 2704
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         PID: 2272
         - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
Filesize: 332KB
MD5: 2651697fba2ede4724badc6090766e82
SHA1: 4ac8180230be320833f3ce3006ed69cf41aee596
SHA256: 0ce5fb35401acf61d41fbdf6b4e0fa53664a7cf71de8dc685ee4b1e5cd9fd836
SHA512: d1f203a97a83cce1efcf33ab9359b462e3c526a1970b930645a7c280d9e7f83f037bbeb02acffea96294bccf0360b2da1ad2dbbb5e2f4d0e7dd0ff3a4be70302

\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
Filesize: 332KB
MD5: 2651697fba2ede4724badc6090766e82
SHA1: 4ac8180230be320833f3ce3006ed69cf41aee596
SHA256: 0ce5fb35401acf61d41fbdf6b4e0fa53664a7cf71de8dc685ee4b1e5cd9fd836
SHA512: d1f203a97a83cce1efcf33ab9359b462e3c526a1970b930645a7c280d9e7f83f037bbeb02acffea96294bccf0360b2da1ad2dbbb5e2f4d0e7dd0ff3a4be70302