Analysis
max time kernel: 122s
max time network: 142s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 20-12-2023 13:43
Behavioral task: behavioral1
Sample: bb13440e420c51a76dc5d4c688c69abd.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: bb13440e420c51a76dc5d4c688c69abd.exe
Resource: win10v2004-20231215-en
General
Target: bb13440e420c51a76dc5d4c688c69abd.exe
Size: 92KB
MD5: bb13440e420c51a76dc5d4c688c69abd
SHA1: dae86a5db56ea239a1e238bd5d896e203a465f4f
SHA256: 988d17354a90464443e357fa7f48c3330f497050c2c0830d9fbd73f327a83dd7
SHA512: f447aa55f48b6f7b3e0c9cc1c1e47ed61460fa8e6dd0b517e83f6634e917f4ac1b3148eedf67db01a37a530494e5efc42e494800d75714db2f7caf98b9314198
SSDEEP: 1536:TJbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtrQ:9bfVk29te2jqxCEtg30BE
Malware Config
Extracted
Family: sakula
www.savmpet.com
Signatures

Sakula payload (1 IoCs)
  resource: \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
  yara_rule: family_sakula

Deletes itself (1 IoCs)
  pid 2144  process cmd.exe

Executes dropped EXE (1 IoCs)
  pid 1644  process AdobeUpdate.exe

Loads dropped DLL (4 IoCs)
  pid 1288  process bb13440e420c51a76dc5d4c688c69abd.exe
  pid 1644  process AdobeUpdate.exe (3 times)

Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe"
  process: bb13440e420c51a76dc5d4c688c69abd.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeIncBasePriorityPrivilege
  pid 1288  process bb13440e420c51a76dc5d4c688c69abd.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  PID 1288 (bb13440e420c51a76dc5d4c688c69abd.exe) wrote to memory of 1644 (AdobeUpdate.exe), 7 times
  PID 1288 (bb13440e420c51a76dc5d4c688c69abd.exe) wrote to memory of 2144 (cmd.exe), 4 times
  PID 2144 (cmd.exe) wrote to memory of 1732 (PING.EXE), 4 times
Processes

C:\Users\Admin\AppData\Local\Temp\bb13440e420c51a76dc5d4c688c69abd.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\bb13440e420c51a76dc5d4c688c69abd.exe"
  PID: 1288
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    PID: 1644
    - Executes dropped EXE
    - Loads dropped DLL

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\bb13440e420c51a76dc5d4c688c69abd.exe"
    PID: 2144
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      PID: 1732
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
Filesize: 92KB
MD5: 2fda0efd852becb9c5e082556e7a12e7
SHA1: a5094e51b1a30bbad6eca09bd7c85cc774c89292
SHA256: 29dca11928d24e0f56849d21c24a7529a37eb9ba3c2e607516cd0245bfa06788
SHA512: aad19bb894c1639e5b1b8cd5c9590e1dde6765e72d25b325378feb93666b3199203b2304bb360022d24d8bf34b738e68b72d2b9e3af32839066dff0e54cdf94a