Analysis
max time kernel: 120s
max time network: 119s
platform: windows7_x64
resource: win7-en-20211014
submitted: 05-12-2021 03:49
Static task: static1
Behavioral task: behavioral1
Sample: image.exe
Resource: win7-en-20211014
General
Target: image.exe
Size: 460KB
MD5: 41272cf867595eea4c729a1e3d2c97f4
SHA1: 1ee33f8015955ba97e422c6e7fa55949706dcc90
SHA256: 0a135e636efd63a00b06c31ffb57a6ec40dd466d9ff8ad4a3b34763356b76d03
SHA512: 140f13f827bbc62eed5b85ef8ee576b85cef24aea7ac37ba74307a63e67b82f0b400116ddda514bf45cbf673124becd57808b6c11915608b3fb664646d266b5f
Malware Config
Signatures
Kutaki Executable (4 IoCs)
  resource | yara_rule
  behavioral1/files/0x00070000000121ef-60.dat | family_kutaki
  behavioral1/files/0x00070000000121ef-61.dat | family_kutaki
  behavioral1/files/0x00070000000121ef-63.dat | family_kutaki
  behavioral1/files/0x00070000000121ef-72.dat | family_kutaki

Executes dropped EXE (1 IoCs)
  pid | Process
  1180 | wwkbyfch.exe

Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wwkbyfch.exe | image.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wwkbyfch.exe | image.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  460 | image.exe
  460 | image.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main | wwkbyfch.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | Process
  1768 | DllHost.exe

Suspicious use of SetWindowsHookEx (64 IoCs)
  pid | Process
  460 | image.exe (3 entries)
  1180 | wwkbyfch.exe (61 entries)

Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 460 wrote to memory of 328 | 460 | image.exe | 29 (4 entries)
  PID 460 wrote to memory of 1180 | 460 | image.exe | 31 (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\image.exe (PID 460)
  Command line: "C:\Users\Admin\AppData\Local\Temp\image.exe"
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 328, child of 460)
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wwkbyfch.exe (PID 1180, child of 460)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wwkbyfch.exe"
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\DllHost.exe (PID 1768)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 41272cf867595eea4c729a1e3d2c97f4
SHA1: 1ee33f8015955ba97e422c6e7fa55949706dcc90
SHA256: 0a135e636efd63a00b06c31ffb57a6ec40dd466d9ff8ad4a3b34763356b76d03
SHA512: 140f13f827bbc62eed5b85ef8ee576b85cef24aea7ac37ba74307a63e67b82f0b400116ddda514bf45cbf673124becd57808b6c11915608b3fb664646d266b5f