Analysis
  max time kernel: 120s
  max time network: 22s
  platform: windows7_x64
  resource: win7-en-20211208
  submitted: 08/02/2022, 02:48
Static task: static1
Behavioral task: behavioral1
  Sample: Payment Receipt.exe
  Resource: win7-en-20211208
  0 signatures
  0 seconds
General
  Target: Payment Receipt.exe
  Size: 532KB
  MD5: 70d06e14dfaa50cfbf369823178d2887
  SHA1: 0eefda0ded48f32522d9157577953c7ab73a02bb
  SHA256: cb23f5a566bfa91b51d3ecd344e3f6025023463532fa4d5edf5d0785814529d7
  SHA512: ab903159a23b96b01489a6fff11936fdf656e4932218913b19f57a975a0a13274b4c4149b13b5b1a096b821279f05e09d4e8a18d2f5db44a7b0d70b84527d197
Malware Config
Signatures

Kutaki Executable (3 IoCs)
  resource                                      yara_rule
  behavioral1/files/0x0007000000013327-58.dat   family_kutaki
  behavioral1/files/0x0007000000013327-59.dat   family_kutaki
  behavioral1/files/0x0007000000013327-60.dat   family_kutaki
Executes dropped EXE (1 IoCs)
  pid   Process
  336   gnixoych.exe
Drops startup file (2 IoCs)
  description                   ioc                                                                                          Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gnixoych.exe    Payment Receipt.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gnixoych.exe    Payment Receipt.exe
Loads dropped DLL (2 IoCs)
  pid    Process
  1688   Payment Receipt.exe
  1688   Payment Receipt.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  952   DllHost.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
  pid    Process
  1688   Payment Receipt.exe
  1688   Payment Receipt.exe
  1688   Payment Receipt.exe
  336    gnixoych.exe   (this row is repeated for the remaining IoCs; 64 rows in total)
Suspicious use of WriteProcessMemory (8 IoCs)
  description                         pid    Process               procid_target
  PID 1688 wrote to memory of 1860    1688   Payment Receipt.exe   28
  PID 1688 wrote to memory of 1860    1688   Payment Receipt.exe   28
  PID 1688 wrote to memory of 1860    1688   Payment Receipt.exe   28
  PID 1688 wrote to memory of 1860    1688   Payment Receipt.exe   28
  PID 1688 wrote to memory of 336     1688   Payment Receipt.exe   30
  PID 1688 wrote to memory of 336     1688   Payment Receipt.exe   30
  PID 1688 wrote to memory of 336     1688   Payment Receipt.exe   30
  PID 1688 wrote to memory of 336     1688   Payment Receipt.exe   30
Processes

C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Receipt.exe"
  PID: 1688
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NewBitmapImage.bmp
    PID: 1860

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gnixoych.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gnixoych.exe"
    PID: 336
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 952
  - Suspicious use of FindShellTrayWindow