Analysis
-
max time kernel
122s -
max time network
124s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
29-12-2021 08:55
Static task
static1
Behavioral task
behavioral1
Sample
image.exe
Resource
win7-en-20211208
General
-
Target
image.exe
-
Size
516KB
-
MD5
c43b7d74eef3fa1c025f08939e9d4be2
-
SHA1
0b41411bd1f52c115d77fc44815beed1b3cb749c
-
SHA256
d0fd86e3254a14f3b99d141b8512eae447cd716436ba8a192422596a2b0bb625
-
SHA512
9104a982f97370c03a95955b86bd9c37681d2c5aed2ba46ed0f113d915dbd83b1d237c6c5b128e24c7a3a3dc01c11fded5ef9eecf217255da98dd0eea5ee4d3d
Malware Config
Signatures
-
Kutaki Executable 4 IoCs
Processes:
resource yara_rule behavioral1/files/0x000800000001223f-59.dat family_kutaki behavioral1/files/0x000800000001223f-60.dat family_kutaki behavioral1/files/0x000800000001223f-62.dat family_kutaki behavioral1/files/0x000800000001223f-72.dat family_kutaki -
Executes dropped EXE 1 IoCs
Processes:
gtvluech.exepid Process 568 gtvluech.exe -
Drops startup file 2 IoCs
Processes:
image.exedescription ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gtvluech.exe image.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gtvluech.exe image.exe -
Loads dropped DLL 2 IoCs
Processes:
image.exepid Process 1448 image.exe 1448 image.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
gtvluech.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main gtvluech.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
DllHost.exepid Process 1632 DllHost.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
Processes:
image.exegtvluech.exepid Process 1448 image.exe 1448 image.exe 1448 image.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe 568 gtvluech.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
image.exedescription pid Process procid_target PID 1448 wrote to memory of 360 1448 image.exe 28 PID 1448 wrote to memory of 360 1448 image.exe 28 PID 1448 wrote to memory of 360 1448 image.exe 28 PID 1448 wrote to memory of 360 1448 image.exe 28 PID 1448 wrote to memory of 568 1448 image.exe 30 PID 1448 wrote to memory of 568 1448 image.exe 30 PID 1448 wrote to memory of 568 1448 image.exe 30 PID 1448 wrote to memory of 568 1448 image.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\image.exe"C:\Users\Admin\AppData\Local\Temp\image.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp2⤵PID:360
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gtvluech.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gtvluech.exe"2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:568
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
PID:1632
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
c43b7d74eef3fa1c025f08939e9d4be2
SHA10b41411bd1f52c115d77fc44815beed1b3cb749c
SHA256d0fd86e3254a14f3b99d141b8512eae447cd716436ba8a192422596a2b0bb625
SHA5129104a982f97370c03a95955b86bd9c37681d2c5aed2ba46ed0f113d915dbd83b1d237c6c5b128e24c7a3a3dc01c11fded5ef9eecf217255da98dd0eea5ee4d3d
-
MD5
c43b7d74eef3fa1c025f08939e9d4be2
SHA10b41411bd1f52c115d77fc44815beed1b3cb749c
SHA256d0fd86e3254a14f3b99d141b8512eae447cd716436ba8a192422596a2b0bb625
SHA5129104a982f97370c03a95955b86bd9c37681d2c5aed2ba46ed0f113d915dbd83b1d237c6c5b128e24c7a3a3dc01c11fded5ef9eecf217255da98dd0eea5ee4d3d
-
MD5
c43b7d74eef3fa1c025f08939e9d4be2
SHA10b41411bd1f52c115d77fc44815beed1b3cb749c
SHA256d0fd86e3254a14f3b99d141b8512eae447cd716436ba8a192422596a2b0bb625
SHA5129104a982f97370c03a95955b86bd9c37681d2c5aed2ba46ed0f113d915dbd83b1d237c6c5b128e24c7a3a3dc01c11fded5ef9eecf217255da98dd0eea5ee4d3d
-
MD5
c43b7d74eef3fa1c025f08939e9d4be2
SHA10b41411bd1f52c115d77fc44815beed1b3cb749c
SHA256d0fd86e3254a14f3b99d141b8512eae447cd716436ba8a192422596a2b0bb625
SHA5129104a982f97370c03a95955b86bd9c37681d2c5aed2ba46ed0f113d915dbd83b1d237c6c5b128e24c7a3a3dc01c11fded5ef9eecf217255da98dd0eea5ee4d3d