Analysis
- max time kernel: 117s
- max time network: 130s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 21/02/2022, 11:12
Static task: static1

Behavioral task: behavioral1
- Sample: Payment.exe
- Resource: win7-en-20211208
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: Payment.exe
- Resource: win10v2004-en-20220112
- 0 signatures
- 0 seconds
General
- Target: Payment.exe
- Size: 752KB
- MD5: 55cb3b1b1f6fcb56f0e8d26cb8a4b8f2
- SHA1: ce7013abac9be7c9ad1b700e8a3c735b97392819
- SHA256: 8179d2c371934e7f748fdf033d96a3b527158348e87ec21f1576136ede5d2d17
- SHA512: a7c8e2f47bada4a62dca21ce900ad71dcdcf61011873e494603970102e9fbcb0fc8365c437c1c5f3f1f946cd78a6fc2a243df641b75df72b85910f06b98890f2
Malware Config
Signatures
- Kutaki Executable (3 IoCs)
  resource | yara_rule
  behavioral1/files/0x000800000001227a-58.dat | family_kutaki
  behavioral1/files/0x000800000001227a-60.dat | family_kutaki
  behavioral1/files/0x000800000001227a-59.dat | family_kutaki
- Executes dropped EXE (1 IoC)
  pid | Process
  1228 | wqtudrch.exe
- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wqtudrch.exe | Payment.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wqtudrch.exe | Payment.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  1620 | Payment.exe
  1620 | Payment.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  1136 | DllHost.exe
- Suspicious use of SetWindowsHookEx (64 IoCs)
  pid | Process
  1620 | Payment.exe (3 entries)
  1228 | wqtudrch.exe (remaining 61 entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 1620 wrote to memory of 768 | 1620 | Payment.exe | 28 (4 entries)
  PID 1620 wrote to memory of 1228 | 1620 | Payment.exe | 30 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment.exe"
  PID: 1620
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Receipt.bmp
    PID: 768
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wqtudrch.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wqtudrch.exe"
    PID: 1228
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 1136
  - Suspicious use of FindShellTrayWindow