Analysis
- max time kernel: 154s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-11-2023 12:08
Behavioral task: behavioral1
- Sample: NEAS.64c843ed4bb28832a349736208ed4560_JC.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: NEAS.64c843ed4bb28832a349736208ed4560_JC.exe
- Resource: win10v2004-20231023-en
General
- Target: NEAS.64c843ed4bb28832a349736208ed4560_JC.exe
- Size: 92KB
- MD5: 64c843ed4bb28832a349736208ed4560
- SHA1: 03b2aad465f86d5d243dce52221685256f1d07bf
- SHA256: 99694a73d47065a83988606733b3b647fd1a3dc59a0edf6bd7b5eedf9e1fe756
- SHA512: d0d484de67afe9b9593a1c3d17bef3a357b62fbc8a46836373f6c9f8b58d02bc9d38714bc23bc2e0e18d58445b63b814af0468dc90210c085c5cd7e6612b9cb9
- SSDEEP: 1536:TJbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtrG:9bfVk29te2jqxCEtg30Bq
Malware Config
- Extracted: sakula
- www.savmpet.com
Signatures
- Sakula payload (2 IoCs)
  Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | family_sakula
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | NEAS.64c843ed4bb28832a349736208ed4560_JC.exe
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  2856 | AdobeUpdate.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe" | NEAS.64c843ed4bb28832a349736208ed4560_JC.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 3804 | NEAS.64c843ed4bb28832a349736208ed4560_JC.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
  PID 3804 wrote to memory of 2856 | 3804 | NEAS.64c843ed4bb28832a349736208ed4560_JC.exe | AdobeUpdate.exe
  PID 3804 wrote to memory of 2856 | 3804 | NEAS.64c843ed4bb28832a349736208ed4560_JC.exe | AdobeUpdate.exe
  PID 3804 wrote to memory of 2856 | 3804 | NEAS.64c843ed4bb28832a349736208ed4560_JC.exe | AdobeUpdate.exe
  PID 3804 wrote to memory of 5048 | 3804 | NEAS.64c843ed4bb28832a349736208ed4560_JC.exe | cmd.exe
  PID 3804 wrote to memory of 5048 | 3804 | NEAS.64c843ed4bb28832a349736208ed4560_JC.exe | cmd.exe
  PID 3804 wrote to memory of 5048 | 3804 | NEAS.64c843ed4bb28832a349736208ed4560_JC.exe | cmd.exe
  PID 5048 wrote to memory of 1808 | 5048 | cmd.exe | PING.EXE
  PID 5048 wrote to memory of 1808 | 5048 | cmd.exe | PING.EXE
  PID 5048 wrote to memory of 1808 | 5048 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.64c843ed4bb28832a349736208ed4560_JC.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.64c843ed4bb28832a349736208ed4560_JC.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  PID: 3804
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    Signatures: Executes dropped EXE
    PID: 2856
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\NEAS.64c843ed4bb28832a349736208ed4560_JC.exe"
    Signatures: Suspicious use of WriteProcessMemory
    PID: 5048
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
      PID: 1808
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
  Filesize: 92KB
  MD5: 099a1fb9e2939c78732c48e1dd045dd6
  SHA1: 15fd8f1fa463a58bbe5bc627d83dd868413a966d
  SHA256: b11931b5a73ca73dc9c5b760629f300502335c00f87111d9e94a2d4dcf41dc54
  SHA512: 6655a381877ab3d5aa3c14d1f4969d7367361059e423ed6c642840008060ea75cff611332051a9305dbb1be374472fb5450539e13d5cedfbac8a2b46c2cc2d0a