Analysis
max time kernel: 129s
max time network: 152s
platform: windows10_x64
resource: win10-en-20211014
submitted: 20-11-2021 07:53
Static task: static1
Behavioral task: behavioral1
Sample: image.exe
Resource: win7-en-20211104
General
Target: image.exe
Size: 592KB
MD5: e4cc7fb761fc4110b631dbabf46363e1
SHA1: f433972fe7fb1b165eaedadb2d31193e94ba2d33
SHA256: c0478341ec19cae4fd4093d53e9cc777210ad57122836f4aa911addeacc911f9
SHA512: 918178d680dadb3929a1a399717914fd3539925a933da42d259f0516c929f6241ab6fb3f8d1d7ee2d7b3f47758ec1455f4f6189f2a43ecc55fe4a45f2990ae65
Malware Config
Signatures

Kutaki Executable (2 IoCs)
  resource                                       yara_rule
  behavioral2/files/0x000600000001abc9-120.dat   family_kutaki
  behavioral2/files/0x000600000001abc9-121.dat   family_kutaki

Executes dropped EXE (1 IoC)
  Processes: ppnoybch.exe
  pid    Process
  1872   ppnoybch.exe

Drops startup file (2 IoCs)
  Processes: image.exe
  description                    ioc                                                                                        Process
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ppnoybch.exe   image.exe
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ppnoybch.exe   image.exe

Drops file in Windows directory (1 IoC)
  Processes: mspaint.exe
  description                    ioc                                 Process
  File opened for modification   C:\Windows\Debug\WIA\wiatrace.log   mspaint.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
  Processes: cmd.exe
  description   ioc                                                                                   Process
  Key created   \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings   cmd.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: mspaint.exe
  pid    Process
  2312   mspaint.exe
  2312   mspaint.exe

Suspicious use of SetWindowsHookEx (10 IoCs)
  Processes: image.exe, mspaint.exe, ppnoybch.exe
  pid    Process
  3288   image.exe
  3288   image.exe
  3288   image.exe
  2312   mspaint.exe
  2312   mspaint.exe
  2312   mspaint.exe
  2312   mspaint.exe
  1872   ppnoybch.exe
  1872   ppnoybch.exe
  1872   ppnoybch.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: image.exe, cmd.exe
  description                          pid    Process     procid_target
  PID 3288 wrote to memory of 1268     3288   image.exe   69
  PID 3288 wrote to memory of 1268     3288   image.exe   69
  PID 3288 wrote to memory of 1268     3288   image.exe   69
  PID 1268 wrote to memory of 2312     1268   cmd.exe     71
  PID 1268 wrote to memory of 2312     1268   cmd.exe     71
  PID 1268 wrote to memory of 2312     1268   cmd.exe     71
  PID 3288 wrote to memory of 1872     3288   image.exe   75
  PID 3288 wrote to memory of 1872     3288   image.exe   75
  PID 3288 wrote to memory of 1872     3288   image.exe   75
Processes

C:\Users\Admin\AppData\Local\Temp\image.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\image.exe"
  PID: 3288
  - Drops startup file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
      PID: 1268
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\mspaint.exe
          Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp"
          PID: 2312
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ppnoybch.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ppnoybch.exe"
      PID: 1872
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
  PID: 3964
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: e4cc7fb761fc4110b631dbabf46363e1
SHA1: f433972fe7fb1b165eaedadb2d31193e94ba2d33
SHA256: c0478341ec19cae4fd4093d53e9cc777210ad57122836f4aa911addeacc911f9
SHA512: 918178d680dadb3929a1a399717914fd3539925a933da42d259f0516c929f6241ab6fb3f8d1d7ee2d7b3f47758ec1455f4f6189f2a43ecc55fe4a45f2990ae65