Analysis
- max time kernel: 128s
- max time network: 138s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 08-02-2022 01:54

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Payment Receipt.exe
  - Resource: win7-en-20211208
General
- Target: Payment Receipt.exe
- Size: 532KB
- MD5: f94a939bae7c5e1d897253f792b052f7
- SHA1: e21bfa3434858b47269ffbc5953760fefc9a7aec
- SHA256: f0d9268622a5e43c670ccc556495668967dac426fab571b78aaf1c61632f633c
- SHA512: 7a8494329b238a7bed09ce32a247f1075f2e91b690b7c38e8417590a20233cbf382c2fbc8ab3cb6d0dcc0e8677934761db39659e8987f46c9c603ab909eb2f97
Malware Config
Signatures

- Kutaki Executable (3 IoCs)
  resource / yara_rule:
  - behavioral1/files/0x0008000000012247-59.dat  family_kutaki
  - behavioral1/files/0x0008000000012247-60.dat  family_kutaki
  - behavioral1/files/0x0008000000012247-61.dat  family_kutaki

- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
  - 1248  uvkbvych.exe

- Drops startup file (2 IoCs)
  Processes (description / ioc / process):
  - File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uvkbvych.exe  Payment Receipt.exe
  - File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uvkbvych.exe  Payment Receipt.exe

- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
  - 1528  Payment Receipt.exe
  - 1528  Payment Receipt.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes (pid / process):
  - 1100  DllHost.exe

- Suspicious use of SetWindowsHookEx (64 IoCs)
  Processes (pid / process):
  - 1528  Payment Receipt.exe  (3 entries)
  - 1248  uvkbvych.exe  (the remaining 61 entries of the 64)

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / procid_target):
  - PID 1528 wrote to memory of 620  1528  Payment Receipt.exe  28  (4 entries)
  - PID 1528 wrote to memory of 1248  1528  Payment Receipt.exe  30  (4 entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe"
  PID: 1528
  Signatures:
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
    PID: 620
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uvkbvych.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uvkbvych.exe"
    PID: 1248
    Signatures:
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 1100
  Signatures:
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6