Analysis
max time kernel: 124s
max time network: 122s
platform: windows10_x64
resource: win10-en-20211104
submitted: 05-12-2021 03:49
Static task: static1
Behavioral task: behavioral1
Sample: image.exe
Resource: win7-en-20211014
General
Target: image.exe
Size: 460KB
MD5: 41272cf867595eea4c729a1e3d2c97f4
SHA1: 1ee33f8015955ba97e422c6e7fa55949706dcc90
SHA256: 0a135e636efd63a00b06c31ffb57a6ec40dd466d9ff8ad4a3b34763356b76d03
SHA512: 140f13f827bbc62eed5b85ef8ee576b85cef24aea7ac37ba74307a63e67b82f0b400116ddda514bf45cbf673124becd57808b6c11915608b3fb664646d266b5f
Malware Config
Signatures
Kutaki Executable (2 IoCs)
resource | yara_rule
behavioral2/files/0x000400000001ab80-123.dat | family_kutaki
behavioral2/files/0x000400000001ab80-124.dat | family_kutaki
Executes dropped EXE (1 IoC)
pid | Process
1440 | pvffkich.exe
Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pvffkich.exe | image.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pvffkich.exe | image.exe
Drops file in Windows directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings | cmd.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1184 | mspaint.exe
1184 | mspaint.exe
Suspicious use of SetWindowsHookEx (10 IoCs)
pid | Process
2800 | image.exe
2800 | image.exe
2800 | image.exe
1184 | mspaint.exe
1184 | mspaint.exe
1184 | mspaint.exe
1184 | mspaint.exe
1440 | pvffkich.exe
1440 | pvffkich.exe
1440 | pvffkich.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 2800 wrote to memory of 3964 | 2800 | image.exe | 69
PID 2800 wrote to memory of 3964 | 2800 | image.exe | 69
PID 2800 wrote to memory of 3964 | 2800 | image.exe | 69
PID 3964 wrote to memory of 1184 | 3964 | cmd.exe | 71
PID 3964 wrote to memory of 1184 | 3964 | cmd.exe | 71
PID 3964 wrote to memory of 1184 | 3964 | cmd.exe | 71
PID 2800 wrote to memory of 1440 | 2800 | image.exe | 75
PID 2800 wrote to memory of 1440 | 2800 | image.exe | 75
PID 2800 wrote to memory of 1440 | 2800 | image.exe | 75
Processes
- C:\Users\Admin\AppData\Local\Temp\image.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\image.exe"
  PID: 2800
  - Drops startup file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
    PID: 3964
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\mspaint.exe
      Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp"
      PID: 1184
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pvffkich.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pvffkich.exe"
    PID: 1440
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
- \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
  PID: 664
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 41272cf867595eea4c729a1e3d2c97f4
SHA1: 1ee33f8015955ba97e422c6e7fa55949706dcc90
SHA256: 0a135e636efd63a00b06c31ffb57a6ec40dd466d9ff8ad4a3b34763356b76d03
SHA512: 140f13f827bbc62eed5b85ef8ee576b85cef24aea7ac37ba74307a63e67b82f0b400116ddda514bf45cbf673124becd57808b6c11915608b3fb664646d266b5f