Analysis
max time kernel: 140s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-10-2023 00:49
Behavioral task behavioral1
Sample: NEAS.d29cfdc70c8949ea1d67ed359d7581b0_JC.exe
Resource: win7-20230831-en
Behavioral task behavioral2
Sample: NEAS.d29cfdc70c8949ea1d67ed359d7581b0_JC.exe
Resource: win10v2004-20230915-en
(The analysis data on this page is from the behavioral2 run, matching the platform and resource listed under Analysis.)
General
Target: NEAS.d29cfdc70c8949ea1d67ed359d7581b0_JC.exe
Size: 332KB
MD5: d29cfdc70c8949ea1d67ed359d7581b0
SHA1: eb0936510b7ed535779555eeaf54f76c73741a7d
SHA256: 594d2edd96beec439fadf83aa7f1f3167481f00251b9f9b7cdb2f8af2cfae10f
SHA512: 9c3fb4f8e89f99aa7f50f4c03e69a0535beaa5bba64c9674e64566f829b108cad96780f771cc0dab99cf4da5618b11cd743b2206f53bfb782e3c9f42ae5c376e
SSDEEP: 6144:Nj9c2WYd30BKmiPVpU3ypIPr3D3StNynyS/i:NSI2HG
Malware Config
Extracted
Family: sakula
C2: www.savmpet.com
Signatures
- Sakula payload (2 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | NEAS.d29cfdc70c8949ea1d67ed359d7581b0_JC.exe
- Executes dropped EXE (1 IoC)
  pid | process
  4664 | AdobeUpdate.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" | NEAS.d29cfdc70c8949ea1d67ed359d7581b0_JC.exe
  The sample is a 32-bit process (the resource is tagged arch:x86 and its children run from SysWOW64), so its write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is redirected into the WOW6432Node view; when hunting for this persistence entry, query both the native and the WOW6432Node Run keys.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTP, 1 IoC)
  In this run, ping 127.0.0.1 serves only as a delay before cmd.exe deletes the submitted sample (see the process tree below), not as a network check.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1204 | NEAS.d29cfdc70c8949ea1d67ed359d7581b0_JC.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | target process
  PID 1204 wrote to memory of 4664 | 1204 | NEAS.d29cfdc70c8949ea1d67ed359d7581b0_JC.exe | AdobeUpdate.exe
  PID 1204 wrote to memory of 4664 | 1204 | NEAS.d29cfdc70c8949ea1d67ed359d7581b0_JC.exe | AdobeUpdate.exe
  PID 1204 wrote to memory of 4664 | 1204 | NEAS.d29cfdc70c8949ea1d67ed359d7581b0_JC.exe | AdobeUpdate.exe
  PID 1204 wrote to memory of 2092 | 1204 | NEAS.d29cfdc70c8949ea1d67ed359d7581b0_JC.exe | cmd.exe
  PID 1204 wrote to memory of 2092 | 1204 | NEAS.d29cfdc70c8949ea1d67ed359d7581b0_JC.exe | cmd.exe
  PID 1204 wrote to memory of 2092 | 1204 | NEAS.d29cfdc70c8949ea1d67ed359d7581b0_JC.exe | cmd.exe
  PID 2092 wrote to memory of 3256 | 2092 | cmd.exe | PING.EXE
  PID 2092 wrote to memory of 3256 | 2092 | cmd.exe | PING.EXE
  PID 2092 wrote to memory of 3256 | 2092 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.d29cfdc70c8949ea1d67ed359d7581b0_JC.exe (PID 1204)
  command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.d29cfdc70c8949ea1d67ed359d7581b0_JC.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe (PID 4664)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 2092)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\NEAS.d29cfdc70c8949ea1d67ed359d7581b0_JC.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 3256)
      command line: ping 127.0.0.1
      - Runs ping.exe
The cmd.exe chain is the sample's self-deletion: the command line names System32\cmd.exe, but the 32-bit parent is subject to WOW64 file system redirection, so the SysWOW64 copy runs; ping 127.0.0.1 gives the parent time to exit before del /q removes its image from disk, leaving only the dropped AdobeUpdate.exe.
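The four behaviours the report records (the Geo\Nation lookup, the Run key pointing into the user's Temp directory, a Temp-resident process launching another dropped binary, and the ping-then-del self-deletion chain) can be re-derived mechanically from process and registry events. The script below is an added example, not part of the sandbox report or of any Triage tooling; EVENTS is a constructed, simplified rendering of the tables above using the report's own PIDs, paths and keys, and the field names (kind, pid, ppid, image, cmdline, key, value) are assumed rather than a real sandbox export schema. The self-deletion check goes beyond this one sample by resolving the deletion target against the parent process image, so it distinguishes a dropper deleting itself from a script cleaning up some unrelated file.

```python
"""Re-derive the report's key findings from sandbox events.

Added example, not part of the report. EVENTS is a constructed, simplified
rendering of the signature and process tables above; the field names
(kind, pid, ppid, image, cmdline, key, value) are assumed, not a real
sandbox export schema.
"""
import re

SAMPLE_DIR = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = SAMPLE_DIR + r"\NEAS.d29cfdc70c8949ea1d67ed359d7581b0_JC.exe"
DROPPED = SAMPLE_DIR + r"\MicroMedia\AdobeUpdate.exe"

# Constructed events shaped after the report (same PIDs, paths and keys).
EVENTS = [
    {"kind": "process", "pid": 1204, "ppid": None, "image": SAMPLE,
     "cmdline": '"' + SAMPLE + '"'},
    {"kind": "regquery", "pid": 1204,
     "key": r"\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"kind": "regset", "pid": 1204,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
            r"\CurrentVersion\Run\AdobeUpdate",
     "value": DROPPED},
    {"kind": "process", "pid": 4664, "ppid": 1204, "image": DROPPED,
     "cmdline": DROPPED},
    {"kind": "process", "pid": 2092, "ppid": 1204,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "'
                + SAMPLE + '"'},
    {"kind": "process", "pid": 3256, "ppid": 2092,
     "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
]

GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# Matches the native Run key and its WOW6432Node reflection (32-bit writers).
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
USER_TEMP = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
# cmd /c ping <host> & del [/flags] "<path>": ping only buys time so the
# caller can exit before its own image file is unlinked.
SELF_DELETE = re.compile(
    r'/c\s+ping\s+\S+.*?&\s*del\s+(?:/\w\s+)*"?([^"&]+?)"?\s*$', re.I)


def process_map(events):
    """pid -> process-creation event, used to resolve parent images."""
    return {e["pid"]: e for e in events if e["kind"] == "process"}


def find_geofence_checks(events):
    """PIDs that read the configured country code (Geo\\Nation)."""
    return [e["pid"] for e in events
            if e["kind"] == "regquery" and GEO_NATION.search(e["key"])]


def find_temp_run_keys(events):
    """Run-key values (either registry view) that point into user Temp."""
    hits = []
    for e in events:
        if e["kind"] != "regset":
            continue
        m = RUN_KEY.search(e["key"])
        target = e.get("value", "").strip('"')
        if m and USER_TEMP.match(target):
            hits.append({"pid": e["pid"], "name": m.group(1), "target": target})
    return hits


def find_self_delete(events):
    """cmd.exe ping-then-del chains; deletes_parent is True when the
    deletion target is the image of the process that spawned cmd.exe."""
    procs = process_map(events)
    hits = []
    for e in events:
        if e["kind"] != "process" or not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE.search(e["cmdline"])
        if not m:
            continue
        target = m.group(1).strip()
        parent = procs.get(e["ppid"])
        hits.append({"pid": e["pid"], "target": target,
                     "deletes_parent": parent is not None
                     and parent["image"].lower() == target.lower()})
    return hits


def find_dropped_executions(events):
    """(ppid, pid, image) where a Temp-resident process launches another."""
    procs = process_map(events)
    out = []
    for e in events:
        if e["kind"] != "process" or not USER_TEMP.match(e["image"]):
            continue
        parent = procs.get(e["ppid"])
        if parent and USER_TEMP.match(parent["image"]):
            out.append((e["ppid"], e["pid"], e["image"]))
    return out


def triage(events):
    """All four checks in one dict, keyed by finding name."""
    return {
        "geofence_pids": find_geofence_checks(events),
        "temp_run_keys": find_temp_run_keys(events),
        "self_delete": find_self_delete(events),
        "dropped_exec": find_dropped_executions(events),
    }


if __name__ == "__main__":
    for name, finding in triage(EVENTS).items():
        print(f"{name}: {finding}")
```

Run against a real export, the same four checks would be fed from the sandbox's own JSON after mapping its field names onto the assumed ones; the regexes are deliberately case-insensitive because registry paths and image paths are reported with inconsistent casing across tools.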
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
  Filesize: 332KB
  MD5: 84e83633f6c989fe63759a90551719fc
  SHA1: 41306078b6de47d7da17ba6e6d21c492cd2e2d5a
  SHA256: acbf84a9c956a64cd08e736bc2cd9b3a847de2ff73fc592bc0146e4b7b843c56
  SHA512: 6b5ee99dd5a6b658f068e2f9397bcad71675fcd3a670e76cf9a0d54efa639a5d40d2f915a7ab7f9f99ea7ac2e27263ccc494daf062644fefb7539e890111d89d
  The dropped file is the same size as the submitted sample but has different hashes, so blocking only the submitted file's hashes would miss the copy that persists via the Run key; both sets of hashes belong on the blocklist.