Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 20-12-2023 15:17
Behavioral task: behavioral1
- Sample: d4c5737c0af19dce355a6cea4b155d83.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: d4c5737c0af19dce355a6cea4b155d83.exe
- Resource: win10v2004-20231215-en
General
- Target: d4c5737c0af19dce355a6cea4b155d83.exe
- Size: 92KB
- MD5: d4c5737c0af19dce355a6cea4b155d83
- SHA1: 7dbaabc81908474c6d2b7344066a52c17d782de1
- SHA256: dbaf2510b30e72e842f27bc9e5d132ac49adfe20053dc8baee2c2ee6c929631e
- SHA512: bed5c7f31dd58c19b5942f1b134427f0ae320bb272dcc3e35f6a1dd32ee4cba3b3d38fa06cf7e5b5e37d97cad6a9a5e72f690cdefa224e5b97ad56e85549c422
- SSDEEP: 1536:TJbCiJVkgMaT2itTkjoRXnM48dXFajVPYxCEtkz30rtrzv:9bfVk29te2jqxCEtg30BX
Malware Config
Extracted
- Family: sakula
- C2: www.savmpet.com
Signatures

- Sakula payload (1 IoC)
  resource: \Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
  yara_rule: family_sakula

- Deletes itself (1 IoC)
  pid 2624  cmd.exe

- Executes dropped EXE (1 IoC)
  pid 1264  AdobeUpdate.exe

- Loads dropped DLL (4 IoCs)
  pid 2456  d4c5737c0af19dce355a6cea4b155d83.exe  (1 event)
  pid 1264  AdobeUpdate.exe  (3 events)

- Adds Run key to start application (2 TTPs, 1 IoC)
  process: d4c5737c0af19dce355a6cea4b155d83.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\AdobeUpdate.exe"

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Runs ping.exe (1 TTP, 1 IoC)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  pid 2456  d4c5737c0af19dce355a6cea4b155d83.exe  Token: SeIncBasePriorityPrivilege

- Suspicious use of WriteProcessMemory (15 IoCs)
  pid 2456 (d4c5737c0af19dce355a6cea4b155d83.exe) wrote to memory of pid 1264 (AdobeUpdate.exe): 7 events
  pid 2456 (d4c5737c0af19dce355a6cea4b155d83.exe) wrote to memory of pid 2624 (cmd.exe): 4 events
  pid 2624 (cmd.exe) wrote to memory of pid 2656 (PING.EXE): 4 events
Processes

C:\Users\Admin\AppData\Local\Temp\d4c5737c0af19dce355a6cea4b155d83.exe  (PID 2456)
  command line: "C:\Users\Admin\AppData\Local\Temp\d4c5737c0af19dce355a6cea4b155d83.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe  (PID 1264)
    command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe
    - Executes dropped EXE
    - Loads dropped DLL

  C:\Windows\SysWOW64\cmd.exe  (PID 2624)
    command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\d4c5737c0af19dce355a6cea4b155d83.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE  (PID 2656)
      command line: ping 127.0.0.1
      - Runs ping.exe
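Two of the behaviours above are generic enough to turn into host-telemetry checks: the "ping loopback, then del" idiom the dropper uses to erase its own file once the parent has exited, and a Run value under Wow6432Node that points into a user-writable Temp directory. The Python below is an added example written for this page, not code from the sandbox or from the sample. The process and registry events are constructed here from the PIDs, paths, command lines and Run key write reported above; the explorer.exe parent, the admin clean-up command and the OneDrive Run value are made up to show what the checks do not flag.

```python
import re

# Constructed events modelled on the report above. PIDs, image paths, command
# lines and the Run key write are copied from the report; the explorer.exe
# parent, the admin clean-up command (pid 3000) and the OneDrive Run value
# (pid 4000) are made up here as negatives.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\d4c5737c0af19dce355a6cea4b155d83.exe"
DROPPED_EXE = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\AdobeUpdate.exe"

PROCESS_EVENTS = [
    {"pid": 1, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2456, "ppid": 1, "image": SAMPLE_EXE, "cmdline": f'"{SAMPLE_EXE}"'},
    {"pid": 1264, "ppid": 2456, "image": DROPPED_EXE, "cmdline": DROPPED_EXE},
    {"pid": 2624, "ppid": 2456, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE_EXE}"'},
    {"pid": 2656, "ppid": 2624, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    {"pid": 3000, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ping -n 3 127.0.0.1 & del /q C:\Temp\old.log"},
]

REGISTRY_EVENTS = [
    {"pid": 2456,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate",
     "value": DROPPED_EXE},
    {"pid": 4000,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

# "ping <loopback> ... & del [/f /q] <path>": the ping exists only to stall for
# a few seconds until the parent has exited and its image file can be deleted.
SELF_DELETE_RE = re.compile(
    r"ping(?:\.exe)?\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost|::1)\b"
    r".*?&+\s*del\s+(?:/[fqa]\s+)*\"?(?P<target>[^\"&]+?)\"?\s*$",
    re.IGNORECASE,
)

# Run / RunOnce under either registry view (native or Wow6432Node).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.IGNORECASE)

# Locations a standard user can write to; a Run entry pointing here is
# persistence for code that never went through an installer.
USER_WRITABLE = (r"\appdata\local", r"\appdata\roaming", r"\users\public",
                 r"\programdata", r"\windows\temp")


def executable_from_value(value):
    """Strip arguments from a Run value: quoted path, else cut after the first .exe."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end] if end > 0 else v[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", v, re.IGNORECASE)
    return m.group(1) if m else v.split(" ", 1)[0]


def find_self_deletion(events):
    """Return (cmd_pid, parent_pid, deleted_path) where a child deletes its parent's own image."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        m = SELF_DELETE_RE.search(e["cmdline"])
        if not m:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        target = m.group("target").strip()
        # Only a hit when the file being deleted is the parent process's image.
        if target.lower() == parent["image"].lower():
            hits.append((e["pid"], parent["pid"], target))
    return hits


def find_runkey_persistence(reg_events):
    """Return (pid, value_name, exe) for Run/RunOnce values pointing into user-writable paths."""
    hits = []
    for r in reg_events:
        if not RUN_KEY_RE.search(r["key"]):
            continue
        exe = executable_from_value(r["value"])
        if any(marker in exe.lower() for marker in USER_WRITABLE):
            hits.append((r["pid"], r["key"].rsplit("\\", 1)[1], exe))
    return hits


if __name__ == "__main__":
    for hit in find_self_deletion(PROCESS_EVENTS):
        print("self-deletion: pid %d deleted the image of parent pid %d (%s)" % hit)
    for hit in find_runkey_persistence(REGISTRY_EVENTS):
        print("run-key persistence: pid %d set Run\\%s -> %s" % hit)
```

The self-deletion check keys on the relationship (child deletes the parent's image) rather than on the ping string alone, which is why the made-up admin command that pings and then removes a log file does not fire. The Wow6432Node key and the SysWOW64\cmd.exe image both show the sample running as a 32-bit process under WOW64, so its write to HKLM\Software\...\Run was redirected; a check on a live host has to read both registry views (for example `reg query ... /reg:32` and `/reg:64`) to see the entry.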
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 92KB
- MD5: 712bd847c1a714d9e2b121592af7fbb2
- SHA1: 1c5d6014d9017c83cf96d83986041d38cc8ef192
- SHA256: 71b2a8816ce64da325d13fd4eb1702c5e966952fedecc173f6fc2cd5ec2855a5
- SHA512: 755d73ccee47b6893ace7b4d1dd17751a99adf2aa36eb2027522b130b0130a418570d694522fe366af407b8155fd26b5af70fcc17c78203a22c74236a9231af9