Analysis
- max time kernel: 124s
- max time network: 111s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 15-01-2021 07:14
- Static task: static1
- Behavioral task: behavioral1
- Sample: Payment.exe
- Resource: win7v20201028
General
- Target: Payment.exe
- Size: 752KB
- MD5: 55cb3b1b1f6fcb56f0e8d26cb8a4b8f2
- SHA1: ce7013abac9be7c9ad1b700e8a3c735b97392819
- SHA256: 8179d2c371934e7f748fdf033d96a3b527158348e87ec21f1576136ede5d2d17
- SHA512: a7c8e2f47bada4a62dca21ce900ad71dcdcf61011873e494603970102e9fbcb0fc8365c437c1c5f3f1f946cd78a6fc2a243df641b75df72b85910f06b98890f2
Malware Config
Signatures
- Kutaki Executable (2 IoCs)
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\idaoalch.exe | family_kutaki
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\idaoalch.exe | family_kutaki
- Executes dropped EXE (1 IoC)
  Processes: idaoalch.exe
    pid | process
    4300 | idaoalch.exe
- Drops startup file (2 IoCs)
  Processes: Payment.exe
    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\idaoalch.exe | Payment.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\idaoalch.exe | Payment.exe
- Drops file in Windows directory (1 IoC)
  Processes: mspaint.exe
    description | ioc | process
    File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
- Modifies registry class (1 IoC)
  Processes: cmd.exe
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings | cmd.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: mspaint.exe
    pid | process
    3712 | mspaint.exe
    3712 | mspaint.exe
- Suspicious use of SetWindowsHookEx (10 IoCs)
  Processes: Payment.exe, mspaint.exe, idaoalch.exe
    pid | process
    4708 | Payment.exe
    4708 | Payment.exe
    4708 | Payment.exe
    3712 | mspaint.exe
    3712 | mspaint.exe
    3712 | mspaint.exe
    3712 | mspaint.exe
    4300 | idaoalch.exe
    4300 | idaoalch.exe
    4300 | idaoalch.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: Payment.exe, cmd.exe
    description | pid | process | target process
    PID 4708 wrote to memory of 3444 | 4708 | Payment.exe | cmd.exe
    PID 4708 wrote to memory of 3444 | 4708 | Payment.exe | cmd.exe
    PID 4708 wrote to memory of 3444 | 4708 | Payment.exe | cmd.exe
    PID 3444 wrote to memory of 3712 | 3444 | cmd.exe | mspaint.exe
    PID 3444 wrote to memory of 3712 | 3444 | cmd.exe | mspaint.exe
    PID 3444 wrote to memory of 3712 | 3444 | cmd.exe | mspaint.exe
    PID 4708 wrote to memory of 4300 | 4708 | Payment.exe | idaoalch.exe
    PID 4708 wrote to memory of 4300 | 4708 | Payment.exe | idaoalch.exe
    PID 4708 wrote to memory of 4300 | 4708 | Payment.exe | idaoalch.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment.exe"
  - Drops startup file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Receipt.bmp
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\mspaint.exe
      Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\Receipt.bmp"
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\idaoalch.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\idaoalch.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\idaoalch.exe
  MD5: 55cb3b1b1f6fcb56f0e8d26cb8a4b8f2
  SHA1: ce7013abac9be7c9ad1b700e8a3c735b97392819
  SHA256: 8179d2c371934e7f748fdf033d96a3b527158348e87ec21f1576136ede5d2d17
  SHA512: a7c8e2f47bada4a62dca21ce900ad71dcdcf61011873e494603970102e9fbcb0fc8365c437c1c5f3f1f946cd78a6fc2a243df641b75df72b85910f06b98890f2
- memory/3444-4-0x0000000000000000-mapping.dmp
- memory/3712-5-0x0000000000000000-mapping.dmp
- memory/4300-6-0x0000000000000000-mapping.dmp