Analysis
-
max time kernel: 143s
-
max time network: 148s
-
platform: windows10-2004_x64
-
resource: win10v2004-20231023-en
-
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
-
submitted: 26-10-2023 22:33
Behavioral task: behavioral1
Sample: NEAS.fe66ab5f04442c4cdc95bf3ac05183b0_JC.exe
Resource: win7-20231020-en
Behavioral task: behavioral2
Sample: NEAS.fe66ab5f04442c4cdc95bf3ac05183b0_JC.exe
Resource: win10v2004-20231023-en
General
-
Target: NEAS.fe66ab5f04442c4cdc95bf3ac05183b0_JC.exe
-
Size: 92KB
-
MD5: fe66ab5f04442c4cdc95bf3ac05183b0
-
SHA1: 6e66dc054e53ba8cc4d467eab8f663d79bcc3ccf
-
SHA256: f6ff6b60a49cf3610da6921b2735d4b14b30e62a2abc291d3404342863d497bb
-
SHA512: 2135bda00db36baa2f2b66092293cdf9ecf32a7378d1d9894aa9b45ac1ccc5e8676f1106d56c2f54c2e84420bfda5b3765ff64b0de4f44e395abf4dbf58aa7f9
-
SSDEEP: 1536:TJbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtr/:9bfVk29te2jqxCEtg30Bz
Malware Config
Extracted
Family: sakula
Host: www.savmpet.com
Signatures
-
Sakula payload (2 IoCs)
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe  yara_rule: family_sakula
  resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe  yara_rule: family_sakula
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation
  process: NEAS.fe66ab5f04442c4cdc95bf3ac05183b0_JC.exe
-
Executes dropped EXE (1 IoC)
Processes:
  pid: 4524  process: AdobeUpdate.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe"
  process: NEAS.fe66ab5f04442c4cdc95bf3ac05183b0_JC.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe (1 TTP, 1 IoC)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeIncBasePriorityPrivilege  pid: 232  process: NEAS.fe66ab5f04442c4cdc95bf3ac05183b0_JC.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description / pid / process / target process):
  PID 232 wrote to memory of 4524 / 232 / NEAS.fe66ab5f04442c4cdc95bf3ac05183b0_JC.exe / AdobeUpdate.exe
  PID 232 wrote to memory of 4524 / 232 / NEAS.fe66ab5f04442c4cdc95bf3ac05183b0_JC.exe / AdobeUpdate.exe
  PID 232 wrote to memory of 4524 / 232 / NEAS.fe66ab5f04442c4cdc95bf3ac05183b0_JC.exe / AdobeUpdate.exe
  PID 232 wrote to memory of 5104 / 232 / NEAS.fe66ab5f04442c4cdc95bf3ac05183b0_JC.exe / cmd.exe
  PID 232 wrote to memory of 5104 / 232 / NEAS.fe66ab5f04442c4cdc95bf3ac05183b0_JC.exe / cmd.exe
  PID 232 wrote to memory of 5104 / 232 / NEAS.fe66ab5f04442c4cdc95bf3ac05183b0_JC.exe / cmd.exe
  PID 5104 wrote to memory of 4020 / 5104 / cmd.exe / PING.EXE
  PID 5104 wrote to memory of 4020 / 5104 / cmd.exe / PING.EXE
  PID 5104 wrote to memory of 4020 / 5104 / cmd.exe / PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.fe66ab5f04442c4cdc95bf3ac05183b0_JC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.fe66ab5f04442c4cdc95bf3ac05183b0_JC.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 232
  -
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    - Executes dropped EXE
    PID: 4524
  -
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\NEAS.fe66ab5f04442c4cdc95bf3ac05183b0_JC.exe"
    - Suspicious use of WriteProcessMemory
    PID: 5104
    -
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 4020
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
  Filesize: 92KB
  MD5: 19915f2eb188848b6a8a2868a6f54de0
  SHA1: fe7e28354b31797d63dea9740a1a59880ba898d6
  SHA256: 13ba03bafb3928fb966a419c5a10d3d04166fe29c286de3f215a7c5bbc53af0a
  SHA512: 53136eb460899c2312ac0cfb309802b29d897d67f1a3d3f11910b10b817542f4cb6009f28061c0ceab7cbf65efe8b9cd6eb70ff9602b78afd21c1d1c99c52dd9