Analysis Overview
SHA256
3c1e2dfa09d2c6087a2efaf78eb801cdc75359bfc5889e7c7fe73593028cc620
Threat Level: Known bad
The file 3c1e2dfa09d2c6087a2efaf78eb801cdc75359bfc5889e7c7fe73593028cc620 was found to be: Known bad.
Malicious Activity Summary
Kutaki family
Kutaki
Kutaki Executable
Executes dropped EXE
Drops startup file
Loads dropped DLL
Checks computer location settings
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Modifies registry class
Checks processor information in registry
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-08 01:54
Signatures
Kutaki Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Kutaki family
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-08 01:54
Reported
2022-02-08 06:35
Platform
win7-en-20211208
Max time kernel
128s
Max time network
138s
Command Line
Signatures
Kutaki
Kutaki Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uvkbvych.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uvkbvych.exe | C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uvkbvych.exe | C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe | N/A |
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uvkbvych.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uvkbvych.exe"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
Network
Files
memory/1528-57-0x00000000769D1000-0x00000000769D3000-memory.dmp
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uvkbvych.exe
| MD5 | f94a939bae7c5e1d897253f792b052f7 |
| SHA1 | e21bfa3434858b47269ffbc5953760fefc9a7aec |
| SHA256 | f0d9268622a5e43c670ccc556495668967dac426fab571b78aaf1c61632f633c |
| SHA512 | 7a8494329b238a7bed09ce32a247f1075f2e91b690b7c38e8417590a20233cbf382c2fbc8ab3cb6d0dcc0e8677934761db39659e8987f46c9c603ab909eb2f97 |
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uvkbvych.exe
| MD5 | f94a939bae7c5e1d897253f792b052f7 |
| SHA1 | e21bfa3434858b47269ffbc5953760fefc9a7aec |
| SHA256 | f0d9268622a5e43c670ccc556495668967dac426fab571b78aaf1c61632f633c |
| SHA512 | 7a8494329b238a7bed09ce32a247f1075f2e91b690b7c38e8417590a20233cbf382c2fbc8ab3cb6d0dcc0e8677934761db39659e8987f46c9c603ab909eb2f97 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uvkbvych.exe
| MD5 | f94a939bae7c5e1d897253f792b052f7 |
| SHA1 | e21bfa3434858b47269ffbc5953760fefc9a7aec |
| SHA256 | f0d9268622a5e43c670ccc556495668967dac426fab571b78aaf1c61632f633c |
| SHA512 | 7a8494329b238a7bed09ce32a247f1075f2e91b690b7c38e8417590a20233cbf382c2fbc8ab3cb6d0dcc0e8677934761db39659e8987f46c9c603ab909eb2f97 |
memory/620-66-0x00000000021A0000-0x00000000021A2000-memory.dmp
memory/1100-67-0x0000000000120000-0x0000000000122000-memory.dmp
memory/1100-68-0x0000000000280000-0x0000000000281000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-08 01:54
Reported
2022-02-08 06:36
Platform
win10v2004-en-20220112
Max time kernel
166s
Max time network
172s
Command Line
Signatures
Kutaki
Kutaki Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sxqwpdch.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sxqwpdch.exe | C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sxqwpdch.exe | C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\SysWOW64\mspaint.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\MusNotifyIcon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\MusNotifyIcon.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4084" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "3.731359" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132889521168596312" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mspaint.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sxqwpdch.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sxqwpdch.exe"
C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
C:\Windows\SysWOW64\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| US | 209.197.3.8:80 | tcp | |
| NL | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp |
| US | 72.21.91.29:80 | tcp | |
| NL | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp |
| NL | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp |
| US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | geo.prod.do.dsp.mp.microsoft.com | udp |
| US | 52.184.216.226:443 | geo.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | kv801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 184.29.205.60:443 | kv801.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| NL | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp |
| FR | 2.18.105.186:80 | go.microsoft.com | tcp |
| US | 8.8.8.8:53 | dmd.metaservices.microsoft.com | udp |
| US | 52.188.50.245:80 | dmd.metaservices.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sxqwpdch.exe
| MD5 | f94a939bae7c5e1d897253f792b052f7 |
| SHA1 | e21bfa3434858b47269ffbc5953760fefc9a7aec |
| SHA256 | f0d9268622a5e43c670ccc556495668967dac426fab571b78aaf1c61632f633c |
| SHA512 | 7a8494329b238a7bed09ce32a247f1075f2e91b690b7c38e8417590a20233cbf382c2fbc8ab3cb6d0dcc0e8677934761db39659e8987f46c9c603ab909eb2f97 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sxqwpdch.exe
| MD5 | f94a939bae7c5e1d897253f792b052f7 |
| SHA1 | e21bfa3434858b47269ffbc5953760fefc9a7aec |
| SHA256 | f0d9268622a5e43c670ccc556495668967dac426fab571b78aaf1c61632f633c |
| SHA512 | 7a8494329b238a7bed09ce32a247f1075f2e91b690b7c38e8417590a20233cbf382c2fbc8ab3cb6d0dcc0e8677934761db39659e8987f46c9c603ab909eb2f97 |