Analysis

max time kernel: 143s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20231025-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-11-2023 13:08
Behavioral task: behavioral1
  Sample: NEAS.4ec630cb3c17ea868f7684de52474290.exe
  Resource: win7-20231020-en

Behavioral task: behavioral2
  Sample: NEAS.4ec630cb3c17ea868f7684de52474290.exe
  Resource: win10v2004-20231025-en
General

Target: NEAS.4ec630cb3c17ea868f7684de52474290.exe
Size: 101KB
MD5: 4ec630cb3c17ea868f7684de52474290
SHA1: f1341276ad3ecc993872f479aef8a03a72a0dd33
SHA256: b5fc2ab9a024851867a3bd70e662db6fd1ce3ef724c77f2b39bbda7f13407585
SHA512: 635af0624ed899dd5955025989e883de099f150bd3c7133fcb07670bb4ca06b9002dffea91c1db9bdea7a2398ef4980ce0bb79743696eeb3d6a1383c0093e604
SSDEEP: 1536:9JbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtrfPTEzW:/bfVk29te2jqxCEtg30BLbEq
Malware Config

Extracted
  Family: sakula
  C2: www.savmpet.com
Signatures

- Sakula payload (2 IoCs)
  Processes:
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | yara_rule: family_sakula
    resource: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe | yara_rule: family_sakula

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: NEAS.4ec630cb3c17ea868f7684de52474290.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation
    process: NEAS.4ec630cb3c17ea868f7684de52474290.exe

- Executes dropped EXE (1 IoCs)
  Processes: AdobeUpdate.exe
    pid: 4644
    process: AdobeUpdate.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: NEAS.4ec630cb3c17ea868f7684de52474290.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe"
    process: NEAS.4ec630cb3c17ea868f7684de52474290.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Runs ping.exe (1 TTPs, 1 IoCs)

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: NEAS.4ec630cb3c17ea868f7684de52474290.exe
    description: Token: SeIncBasePriorityPrivilege
    pid: 1480
    process: NEAS.4ec630cb3c17ea868f7684de52474290.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: NEAS.4ec630cb3c17ea868f7684de52474290.exe, cmd.exe
    description                         | pid  | process                                   | target process
    PID 1480 wrote to memory of 4644    | 1480 | NEAS.4ec630cb3c17ea868f7684de52474290.exe | AdobeUpdate.exe
    PID 1480 wrote to memory of 4644    | 1480 | NEAS.4ec630cb3c17ea868f7684de52474290.exe | AdobeUpdate.exe
    PID 1480 wrote to memory of 4644    | 1480 | NEAS.4ec630cb3c17ea868f7684de52474290.exe | AdobeUpdate.exe
    PID 1480 wrote to memory of 4420    | 1480 | NEAS.4ec630cb3c17ea868f7684de52474290.exe | cmd.exe
    PID 1480 wrote to memory of 4420    | 1480 | NEAS.4ec630cb3c17ea868f7684de52474290.exe | cmd.exe
    PID 1480 wrote to memory of 4420    | 1480 | NEAS.4ec630cb3c17ea868f7684de52474290.exe | cmd.exe
    PID 4420 wrote to memory of 3524    | 4420 | cmd.exe                                   | PING.EXE
    PID 4420 wrote to memory of 3524    | 4420 | cmd.exe                                   | PING.EXE
    PID 4420 wrote to memory of 3524    | 4420 | cmd.exe                                   | PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.4ec630cb3c17ea868f7684de52474290.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.4ec630cb3c17ea868f7684de52474290.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1480

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    - Executes dropped EXE
    PID: 4644

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\NEAS.4ec630cb3c17ea868f7684de52474290.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4420

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3524
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
  Filesize: 101KB
  MD5: 371def4aee3e04b104931e250fb0db3e
  SHA1: 8336a3315f02adac3e1d0a0edd06931ef8a7475e
  SHA256: b3e5385edd44c55293d96ea4ce0655efb9902f41ba775ab3e94c2ffc468a055d
  SHA512: e55482c1a186f51ad3c3d3adcd3808157b742f61894ea2bae8f4eeaac70153257ea7583878a3ce1e95c0e617fef6cf2f3a39a9e4f7e6f063620693ee6cfd3431