Analysis
max time kernel: 147s
max time network: 121s
platform: windows7_x64
resource: win7-en-20211104
submitted: 20-11-2021 07:53
Static task: static1
Behavioral task: behavioral1
Sample: image.exe
Resource: win7-en-20211104
General
Target: image.exe
Size: 592KB
MD5: e4cc7fb761fc4110b631dbabf46363e1
SHA1: f433972fe7fb1b165eaedadb2d31193e94ba2d33
SHA256: c0478341ec19cae4fd4093d53e9cc777210ad57122836f4aa911addeacc911f9
SHA512: 918178d680dadb3929a1a399717914fd3539925a933da42d259f0516c929f6241ab6fb3f8d1d7ee2d7b3f47758ec1455f4f6189f2a43ecc55fe4a45f2990ae65
Malware Config
Signatures
Kutaki Executable 4 IoCs
Processes (resource / yara_rule):
behavioral1/files/0x00070000000121fa-61.dat / family_kutaki
behavioral1/files/0x00070000000121fa-63.dat / family_kutaki
behavioral1/files/0x00070000000121fa-60.dat / family_kutaki
behavioral1/files/0x00070000000121fa-72.dat / family_kutaki
Executes dropped EXE 1 IoCs
Processes (pid / Process):
1816 / bkmqvfch.exe
Drops startup file 2 IoCs
Processes (description / ioc / Process):
File created / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkmqvfch.exe / image.exe
File opened for modification / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkmqvfch.exe / image.exe
Loads dropped DLL 2 IoCs
Processes (pid / Process):
844 / image.exe
844 / image.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings
Processes (description / ioc / Process):
Key created / \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main / bkmqvfch.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes (pid / Process):
1044 / DllHost.exe
Suspicious use of SetWindowsHookEx 64 IoCs
Processes (pid / Process), 64 entries in total, identical rows collapsed:
844 / image.exe (3 entries)
1816 / bkmqvfch.exe (remaining entries)
Suspicious use of WriteProcessMemory 8 IoCs
Processes (description / pid / Process / procid_target), identical rows collapsed:
PID 844 wrote to memory of 1248 / 844 / image.exe / 29 (4 entries)
PID 844 wrote to memory of 1816 / 844 / image.exe / 31 (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\image.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\image.exe"
  PID: 844
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
      PID: 1248
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkmqvfch.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkmqvfch.exe"
      PID: 1816
      - Executes dropped EXE
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 1044
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: e4cc7fb761fc4110b631dbabf46363e1
SHA1: f433972fe7fb1b165eaedadb2d31193e94ba2d33
SHA256: c0478341ec19cae4fd4093d53e9cc777210ad57122836f4aa911addeacc911f9
SHA512: 918178d680dadb3929a1a399717914fd3539925a933da42d259f0516c929f6241ab6fb3f8d1d7ee2d7b3f47758ec1455f4f6189f2a43ecc55fe4a45f2990ae65