Analysis
- max time kernel: 154s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-20231020-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-10-2023 17:53
Behavioral task: behavioral1
- Sample: NEAS.d48e4414944271b84832328e97f68929.exe
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: NEAS.d48e4414944271b84832328e97f68929.exe
- Resource: win10v2004-20231020-en
General
- Target: NEAS.d48e4414944271b84832328e97f68929.exe
- Size: 92KB
- MD5: d48e4414944271b84832328e97f68929
- SHA1: e16e458d8119b5976ce6a5db1633bb6414f718a1
- SHA256: 22efc0cd8cb03e570b474c550bf02e942be83beea9b8ae7cb7cce50e7c1ce00e
- SHA512: b195b290ea332b74f0208ca235a10b266af180ac595e64a5364a7fa2bfe955e25e51181eff68670591f7d988da133c5f318d6ff08a8ed8898d538a251888d1a1
- SSDEEP: 1536:TJbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtrd:9bfVk29te2jqxCEtg30Bx
Malware Config
Extracted
- Family: sakula
- www.savmpet.com
Signatures
- Sakula payload (2 IoCs)
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
    C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation | NEAS.d48e4414944271b84832328e97f68929.exe
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    5028 | AdobeUpdate.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" | NEAS.d48e4414944271b84832328e97f68929.exe
  The key lands under WOW6432Node because the sample runs as a 32-bit process on 64-bit Windows, where HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is redirected for 32-bit writers. The autostart target sits in the user's Temp directory, a user-writable location that no legitimate "AdobeUpdate" component would use.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 2064 | NEAS.d48e4414944271b84832328e97f68929.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description | pid | process | target process
    PID 2064 wrote to memory of 5028 | 2064 | NEAS.d48e4414944271b84832328e97f68929.exe | AdobeUpdate.exe
    PID 2064 wrote to memory of 5028 | 2064 | NEAS.d48e4414944271b84832328e97f68929.exe | AdobeUpdate.exe
    PID 2064 wrote to memory of 5028 | 2064 | NEAS.d48e4414944271b84832328e97f68929.exe | AdobeUpdate.exe
    PID 2064 wrote to memory of 928 | 2064 | NEAS.d48e4414944271b84832328e97f68929.exe | cmd.exe
    PID 2064 wrote to memory of 928 | 2064 | NEAS.d48e4414944271b84832328e97f68929.exe | cmd.exe
    PID 2064 wrote to memory of 928 | 2064 | NEAS.d48e4414944271b84832328e97f68929.exe | cmd.exe
    PID 928 wrote to memory of 2448 | 928 | cmd.exe | PING.EXE
    PID 928 wrote to memory of 2448 | 928 | cmd.exe | PING.EXE
    PID 928 wrote to memory of 2448 | 928 | cmd.exe | PING.EXE
  Every write here is from a parent into a child it has just spawned (2064 into 5028 and 928, 928 into 2448), so this is consistent with ordinary process creation rather than injection into an unrelated process.
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\NEAS.d48e4414944271b84832328e97f68929.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.d48e4414944271b84832328e97f68929.exe"
  PID: 2064
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    PID: 5028
    - Executes dropped EXE
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\NEAS.d48e4414944271b84832328e97f68929.exe"
    PID: 928
    - Suspicious use of WriteProcessMemory
    The command line names System32 but the image that ran is under SysWOW64: the 32-bit parent is subject to file system redirection. The "ping 127.0.0.1 & del" pair is the usual cmd.exe self-deletion idiom: ping's four default echo requests stall for about three seconds so the parent can exit before its own image is deleted.
    - [depth 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 2448
      - Runs ping.exe
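The three behaviours in the process tree and signatures (self-deletion via "ping & del", a Run key pointing into Temp, and the Geo\Nation lookup) are easy to turn into detection logic. The following is an added example, not code from the sandbox report or from the Sakula analysis; the event dicts and their field names (pid/ppid/image/cmdline, op/key/value) are constructed for this example from the PIDs, paths and registry keys above and do not follow any particular telemetry schema. It generalises slightly beyond the report: it also matches RunOnce and other user-writable autostart targets, and it ties a self-delete command back to its parent so that a "ping & del" of some unrelated file is not flagged.

```python
import re

# Constructed events modelled on the report's process tree and registry IoCs.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\NEAS.d48e4414944271b84832328e97f68929.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe"
SID = "S-1-5-21-3811856890-180006922-3689258494-1000"

PROCESSES = [
    {"pid": 2064, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 5028, "ppid": 2064, "image": DROPPED, "cmdline": DROPPED},
    {"pid": 928, "ppid": 2064, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"pid": 2448, "ppid": 928, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
]
REGISTRY = [
    {"pid": 2064, "op": "query", "value": None,
     "key": "\\REGISTRY\\USER\\" + SID + "\\Control Panel\\International\\Geo\\Nation"},
    {"pid": 2064, "op": "set", "value": DROPPED,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate"},
]

# "ping <host> & del <file>": ping stalls cmd.exe so the parent can exit before
# its image is unlinked. Capture the .exe being deleted, quoted or not.
SELF_DELETE = re.compile(
    r'\bping\b[^&|]*[&|]+\s*del\b[^"]*"?([A-Za-z]:\\[^"]+?\.exe)"?', re.IGNORECASE)
# Run and RunOnce under any hive/WOW6432Node prefix.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Autostart targets in directories a standard user can write to.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public)\\", re.IGNORECASE)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)


def self_delete_target(cmdline):
    """Return the .exe path a 'ping ... & del ...' one-liner removes, else None."""
    m = SELF_DELETE.search(cmdline)
    return m.group(1) if m else None


def find_self_deletion(processes):
    """Flag a cmd.exe only when the file it deletes is its own parent's image."""
    by_pid = {p["pid"]: p for p in processes}
    hits = []
    for p in processes:
        target = self_delete_target(p["cmdline"])
        if target is None:
            continue
        parent = by_pid.get(p["ppid"])
        if parent and parent["image"].lower() == target.lower():
            hits.append((p["pid"], parent["pid"], target))
    return hits


def find_user_writable_run_keys(registry):
    """Run/RunOnce values whose target binary lives in a user-writable directory."""
    return [(e["pid"], e["key"], e["value"]) for e in registry
            if e["op"] == "set" and e["value"]
            and RUN_KEY.search(e["key"]) and USER_WRITABLE.search(e["value"])]


def find_geo_lookups(registry):
    """Reads of the configured country code (the 'likely geofence' signature)."""
    return [(e["pid"], e["key"]) for e in registry
            if e["op"] == "query" and GEO_NATION.search(e["key"])]


def triage(processes, registry):
    """Run all three checks and return human-readable findings."""
    findings = []
    for pid, ppid, target in find_self_deletion(processes):
        findings.append(f"self-deletion: pid {pid} deletes image of parent pid {ppid} ({target})")
    for pid, key, value in find_user_writable_run_keys(registry):
        findings.append(f"persistence: pid {pid} set {key} -> {value}")
    for pid, key in find_geo_lookups(registry):
        findings.append(f"geofence check: pid {pid} queried {key}")
    return findings


if __name__ == "__main__":
    for line in triage(PROCESSES, REGISTRY):
        print(line)
```

Run against the constructed events it reports exactly three findings, one per behaviour. The parent-image comparison in find_self_deletion is what keeps the self-deletion rule quiet on installers and updaters that delete some other temporary file after a ping delay.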
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
  Filesize: 92KB
  MD5: eba4c97b25c1b181329b61313618b72e
  SHA1: f3215dea4610bbdadcdcd1e5c656478e48558585
  SHA256: 2e6830d425b5f72d99b5f9bcf642e5079b2cad6328bf5ef527ee1c53ed1a67c8
  SHA512: c7a8c3d96b161105a63a7833e0f24db1f8749397ebe997960506e3341743f46b7c2759fc7d2dadadd2709bf1e48a6b3b710dfa73a439dc959bb21f6b7b6e0236
  The dropped file matches the submitted sample in size (92KB) but not in any hash, so it is a distinct file rather than a copy of the dropper; hunt on both sets of hashes.