Analysis
- max time kernel: 145s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-11-2023 01:09
Behavioral task: behavioral1
  Sample: NEAS.f924cfab54736ef8f590a966dc99dbc0.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: NEAS.f924cfab54736ef8f590a966dc99dbc0.exe
  Resource: win10v2004-20231023-en
General
- Target: NEAS.f924cfab54736ef8f590a966dc99dbc0.exe
- Size: 92KB
- MD5: f924cfab54736ef8f590a966dc99dbc0
- SHA1: b15e067c508ce804936bd75233f59c29320a62b4
- SHA256: 8c31ef5fc7051b47e6f00f3c307abc02c0725c9061a7f8b2e570931d6e60ed29
- SHA512: 4ba35fd8935a75c623c55dee6a449f314c94348880cd9b90e539cb7d1e1f6f1d784a9f2bcd6c1eb42e97577ce676e951be3ac963f6a316b011530aca4475b9c6
- SSDEEP: 1536:TJbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtrh:9bfVk29te2jqxCEtg30BV
Malware Config
- Extracted: sakula
- www.savmpet.com
Signatures
- Sakula payload (2 IoCs)
  Processes:
  resource                                                        yara_rule
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe    family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe    family_sakula
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: NEAS.f924cfab54736ef8f590a966dc99dbc0.exe
  description          ioc                                                                                                   process
  Key value queried    \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation    NEAS.f924cfab54736ef8f590a966dc99dbc0.exe
- Executes dropped EXE (1 IoC)
  Processes: AdobeUpdate.exe
  pid    process
  228    AdobeUpdate.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: NEAS.f924cfab54736ef8f590a966dc99dbc0.exe
  description        ioc                                                                                                                                                                             process
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe"    NEAS.f924cfab54736ef8f590a966dc99dbc0.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: NEAS.f924cfab54736ef8f590a966dc99dbc0.exe
  description                           pid    process
  Token: SeIncBasePriorityPrivilege     564    NEAS.f924cfab54736ef8f590a966dc99dbc0.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: NEAS.f924cfab54736ef8f590a966dc99dbc0.exe, cmd.exe
  description                      pid     process                                       target process
  PID 564 wrote to memory of 228   564     NEAS.f924cfab54736ef8f590a966dc99dbc0.exe     AdobeUpdate.exe
  PID 564 wrote to memory of 228   564     NEAS.f924cfab54736ef8f590a966dc99dbc0.exe     AdobeUpdate.exe
  PID 564 wrote to memory of 228   564     NEAS.f924cfab54736ef8f590a966dc99dbc0.exe     AdobeUpdate.exe
  PID 564 wrote to memory of 2224  564     NEAS.f924cfab54736ef8f590a966dc99dbc0.exe     cmd.exe
  PID 564 wrote to memory of 2224  564     NEAS.f924cfab54736ef8f590a966dc99dbc0.exe     cmd.exe
  PID 564 wrote to memory of 2224  564     NEAS.f924cfab54736ef8f590a966dc99dbc0.exe     cmd.exe
  PID 2224 wrote to memory of 1344 2224    cmd.exe                                       PING.EXE
  PID 2224 wrote to memory of 1344 2224    cmd.exe                                       PING.EXE
  PID 2224 wrote to memory of 1344 2224    cmd.exe                                       PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.f924cfab54736ef8f590a966dc99dbc0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.f924cfab54736ef8f590a966dc99dbc0.exe"
  PID: 564
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    PID: 228
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\NEAS.f924cfab54736ef8f590a966dc99dbc0.exe"
    PID: 2224
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 1344
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
  Filesize: 92KB
  MD5: 23a1d828733614d1b1860b294535f41f
  SHA1: 891e614bba05db0765acc147a07aafdf0cbe738b
  SHA256: 2cf3b4acc5674fa6f8f83a8f07c5578674a7811aaf214772be2fddf456fcc6db
  SHA512: a75a98b7f748a9960ff72e0141e9c56f765e3edab02399de732307fe0fd99d671a090fc28a6ffcdbf32afebe8a1bff98feca0decb64865513a58ae3e86298e98