Analysis
- max time kernel: 142s
- max time network: 170s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 01-02-2022 02:19
Static task: static1
Behavioral task: behavioral1
- Sample: c1a4f8840c7d3c16fa5bb0b52507a501da19dff827fff7b64778f24726d8d5c9.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: c1a4f8840c7d3c16fa5bb0b52507a501da19dff827fff7b64778f24726d8d5c9.exe
- Resource: win10v2004-en-20220112
General
- Target: c1a4f8840c7d3c16fa5bb0b52507a501da19dff827fff7b64778f24726d8d5c9.exe
- Size: 816KB
- MD5: 7179c01d287ea46e21056c636762968e
- SHA1: a415e62ffb1aa36634d5829e4860440f98623358
- SHA256: c1a4f8840c7d3c16fa5bb0b52507a501da19dff827fff7b64778f24726d8d5c9
- SHA512: 875034e75889847861f603afada2ea5a7ebc1058e84dea5759dd8528055ad48cfd2b64bca3109721ccc2a16f171b8368649603955d69583380ec1400e5b34dfc
Malware Config
Signatures
- Kutaki Executable (2 IoCs)
  Processes (resource / yara_rule):
    behavioral2/files/0x0007000000021835-255.dat  family_kutaki
    behavioral2/files/0x0007000000021835-256.dat  family_kutaki
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
    3944  avffqdch.exe
- Sets service image path in registry (2 TTPs)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
    Key value queried  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation  cmd.exe
- Drops startup file (2 IoCs)
  Processes (description / ioc / process):
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\avffqdch.exe  c1a4f8840c7d3c16fa5bb0b52507a501da19dff827fff7b64778f24726d8d5c9.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\avffqdch.exe  c1a4f8840c7d3c16fa5bb0b52507a501da19dff827fff7b64778f24726d8d5c9.exe
- Drops file in Windows directory (1 IoCs)
  Processes (description / ioc / process):
    File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  mspaint.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (41 IoCs)
  Processes (description / ioc / process), all by WaaSMedicAgent.exe:
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
    Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
    Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs
    Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
    Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
    Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
    Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs
    Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
    Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
    Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates
    Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates
    Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
    Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
    Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
    Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
    Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
    Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs
- Modifies registry class (1 IoCs)
  Processes (description / ioc / process):
    Key created  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings  cmd.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
    3652  mspaint.exe
    3652  mspaint.exe
- Suspicious use of SetWindowsHookEx (16 IoCs)
  Processes (pid / process):
    700  c1a4f8840c7d3c16fa5bb0b52507a501da19dff827fff7b64778f24726d8d5c9.exe  (3 hits)
    3652  mspaint.exe  (4 hits)
    3944  avffqdch.exe  (9 hits)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / procid_target):
    PID 700 wrote to memory of 2720  700  c1a4f8840c7d3c16fa5bb0b52507a501da19dff827fff7b64778f24726d8d5c9.exe  56  (3 hits)
    PID 2720 wrote to memory of 3652  2720  cmd.exe  58  (3 hits)
    PID 700 wrote to memory of 3944  700  c1a4f8840c7d3c16fa5bb0b52507a501da19dff827fff7b64778f24726d8d5c9.exe  70  (3 hits)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\c1a4f8840c7d3c16fa5bb0b52507a501da19dff827fff7b64778f24726d8d5c9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c1a4f8840c7d3c16fa5bb0b52507a501da19dff827fff7b64778f24726d8d5c9.exe"
  PID: 700
  - Drops startup file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
    PID: 2720
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\mspaint.exe
      Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp"
      PID: 3652
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
  - [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\avffqdch.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\avffqdch.exe"
    PID: 3944
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
- [1] C:\Windows\System32\WaaSMedicAgent.exe
  Command line: C:\Windows\System32\WaaSMedicAgent.exe f7d67dc6c46a842ea90747b9424e3464 BGQEXfaXXUSNy+AvXw5Ntg.0.1.0.0.0
  PID: 3408
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- File 1
  MD5: 7179c01d287ea46e21056c636762968e
  SHA1: a415e62ffb1aa36634d5829e4860440f98623358
  SHA256: c1a4f8840c7d3c16fa5bb0b52507a501da19dff827fff7b64778f24726d8d5c9
  SHA512: 875034e75889847861f603afada2ea5a7ebc1058e84dea5759dd8528055ad48cfd2b64bca3109721ccc2a16f171b8368649603955d69583380ec1400e5b34dfc
- File 2 (same hashes as File 1)
  MD5: 7179c01d287ea46e21056c636762968e
  SHA1: a415e62ffb1aa36634d5829e4860440f98623358
  SHA256: c1a4f8840c7d3c16fa5bb0b52507a501da19dff827fff7b64778f24726d8d5c9
  SHA512: 875034e75889847861f603afada2ea5a7ebc1058e84dea5759dd8528055ad48cfd2b64bca3109721ccc2a16f171b8368649603955d69583380ec1400e5b34dfc