Analysis
- max time kernel: 124s
- max time network: 139s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 29-12-2021 01:23
Static task: static1
Behavioral task: behavioral1
Sample: image.exe
Resource: win7-en-20211208
General
- Target: image.exe
- Size: 516KB
- MD5: c43b7d74eef3fa1c025f08939e9d4be2
- SHA1: 0b41411bd1f52c115d77fc44815beed1b3cb749c
- SHA256: d0fd86e3254a14f3b99d141b8512eae447cd716436ba8a192422596a2b0bb625
- SHA512: 9104a982f97370c03a95955b86bd9c37681d2c5aed2ba46ed0f113d915dbd83b1d237c6c5b128e24c7a3a3dc01c11fded5ef9eecf217255da98dd0eea5ee4d3d
Malware Config
Signatures
-
Kutaki Executable 4 IoCs
Processes (resource | yara_rule):
- behavioral1/files/0x0007000000013225-58.dat | family_kutaki
- behavioral1/files/0x0007000000013225-59.dat | family_kutaki
- behavioral1/files/0x0007000000013225-62.dat | family_kutaki
- behavioral1/files/0x0007000000013225-71.dat | family_kutaki
Executes dropped EXE 1 IoCs
Processes (pid | Process):
- 1732 | vzfuwech.exe
Drops startup file 2 IoCs
Processes (description | ioc | Process):
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vzfuwech.exe | image.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vzfuwech.exe | image.exe
Loads dropped DLL 2 IoCs
Processes (pid | Process):
- 288 | image.exe
- 288 | image.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings
Processes (description | ioc | Process):
- Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main | vzfuwech.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes (pid | Process):
- 2000 | DllHost.exe
Suspicious use of SetWindowsHookEx 64 IoCs
Processes (pid | Process):
- 288 | image.exe (3 entries)
- 1732 | vzfuwech.exe (61 entries)
Suspicious use of WriteProcessMemory 8 IoCs
Processes (description | pid | Process | procid_target):
- PID 288 wrote to memory of 1624 | 288 | image.exe | 28 (4 entries)
- PID 288 wrote to memory of 1732 | 288 | image.exe | 30 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\image.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\image.exe"
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 288
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
    PID: 1624
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vzfuwech.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vzfuwech.exe"
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID: 1732
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow
  PID: 2000
Network
MITRE ATT&CK Enterprise v6
Downloads (4 entries, all with identical hashes)
- MD5: c43b7d74eef3fa1c025f08939e9d4be2
- SHA1: 0b41411bd1f52c115d77fc44815beed1b3cb749c
- SHA256: d0fd86e3254a14f3b99d141b8512eae447cd716436ba8a192422596a2b0bb625
- SHA512: 9104a982f97370c03a95955b86bd9c37681d2c5aed2ba46ed0f113d915dbd83b1d237c6c5b128e24c7a3a3dc01c11fded5ef9eecf217255da98dd0eea5ee4d3d