Analysis
Max time kernel: 122s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 11-07-2022 03:42

Static task: static1
Behavioral task: behavioral1
Sample: E-bill.exe
Resource: win7-20220414-en
General
Target: E-bill.exe
Size: 968KB
MD5: e8f5b21f536286d5fb65297300f4b11f
SHA1: c21a5f1668385d581d5ddebdd9907be4c961383a
SHA256: e296a3f9af1ee967a9a919495e2a12917dd4077d794a54e25b9e16c02854a74e
SHA512: 21d16e637bdb9849656f949e46b6f37ad1b3f5338555f514804467a30b75c4f6e574ac6058b7d1ec8235c57aa16b190acb532f3905cb2bbbb9f1ad6c4362df7b
Malware Config
Extracted family: kutaki
URLs from the extracted configuration:
http://ojorobia.club/laptop/laptop.php
http://terebinnahicc.club/sec/kool.txt
Signatures

Kutaki Executable (2 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gjmfzpch.exe | family_kutaki
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gjmfzpch.exe | family_kutaki

Executes dropped EXE (1 IoC)
pid | process
3816 | gjmfzpch.exe

Drops startup file (2 IoCs)
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gjmfzpch.exe | E-bill.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gjmfzpch.exe | E-bill.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's stock description for this signature reads "likely ransomware behaviour", but the heuristic fires on any drive enumeration and is not evidence of encryption on its own: this run recorded no file encryption or ransom note, and the rest of the behaviour (a self-copy into the user's Startup folder, SetWindowsHookEx hooks installed by both processes, an extracted Kutaki configuration with two URLs) fits persistence plus keystroke/credential capture rather than ransomware. Treat the drive enumeration as reconnaissance of attached media, not as a ransomware verdict.
Suspicious use of SetWindowsHookEx (6 IoCs)
pid | process
2824 | E-bill.exe
2824 | E-bill.exe
2824 | E-bill.exe
3816 | gjmfzpch.exe
3816 | gjmfzpch.exe
3816 | gjmfzpch.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | process | target process
PID 2824 wrote to memory of 2856 | 2824 | E-bill.exe | cmd.exe
PID 2824 wrote to memory of 2856 | 2824 | E-bill.exe | cmd.exe
PID 2824 wrote to memory of 2856 | 2824 | E-bill.exe | cmd.exe
PID 2824 wrote to memory of 3816 | 2824 | E-bill.exe | gjmfzpch.exe
PID 2824 wrote to memory of 3816 | 2824 | E-bill.exe | gjmfzpch.exe
PID 2824 wrote to memory of 3816 | 2824 | E-bill.exe | gjmfzpch.exe
Processes

C:\Users\Admin\AppData\Local\Temp\E-bill.exe (PID 2824, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\E-bill.exe"
  - Drops startup file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 2856, depth 2)
      Command line as captured: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gjmfzpch.exe (PID 3816, depth 2)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gjmfzpch.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
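The signatures and the process tree above reduce to three observable facts a defender can hunt for: an executable written into a Startup folder, a process launched from that folder whose hash matches the sample, and name resolution for the hosts in the extracted configuration. The script below is an added example, not code from the sandbox or from this report; it runs that detection logic over constructed Sysmon-style event records (ProcessCreate ID 1, FileCreate ID 11, DnsQuery ID 22) that mirror the PIDs and paths reported above. The DNS events are hypothetical (the report's Network section records nothing), the cmd.exe hash is a placeholder, and the field names follow Sysmon's JSON export rather than any specific SIEM schema.

```python
"""Hunt for the Kutaki behaviour recorded in this report over Sysmon-style events.

Added example; the event lines below are constructed, not captured by the sandbox.
"""
import json
from urllib.parse import urlsplit

# Indicators copied from the report.
SAMPLE_SHA256 = "e296a3f9af1ee967a9a919495e2a12917dd4077d794a54e25b9e16c02854a74e"
CONFIG_URLS = [
    "http://ojorobia.club/laptop/laptop.php",
    "http://terebinnahicc.club/sec/kool.txt",
]
C2_HOSTS = {urlsplit(u).hostname for u in CONFIG_URLS}

# Substring shared by the per-user and the all-users Startup folder (compared lower-case).
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"


def in_startup_folder(path):
    """True if the path sits directly inside a Windows Startup folder."""
    return STARTUP_MARKER in path.lower()


def parse_hashes(field):
    """Sysmon's Hashes field looks like 'SHA256=ABC...,MD5=...'; return {algo: lowercase hex}."""
    out = {}
    for item in field.split(","):
        if "=" in item:
            algo, value = item.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def load_events(jsonl):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def hunt(events):
    """Return (rule, subject, detail) tuples in event order; one event may fire several rules."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 11:  # FileCreate: executable dropped into a Startup folder
            target = ev["TargetFilename"]
            if in_startup_folder(target) and target.lower().endswith(".exe"):
                hits.append(("startup_drop", ev["Image"], target))
        elif eid == 1:  # ProcessCreate: launched from Startup, or hash equals the sample
            image = ev["Image"]
            if in_startup_folder(image):
                hits.append(("startup_exec", ev.get("ParentImage", ""), image))
            sha256 = parse_hashes(ev.get("Hashes", "")).get("SHA256")
            if sha256 == SAMPLE_SHA256:
                hits.append(("known_sample_hash", image, sha256))
        elif eid == 22:  # DnsQuery: lookup of a host from the extracted configuration
            name = ev.get("QueryName", "").lower()
            if name in C2_HOSTS:
                hits.append(("c2_dns", ev["Image"], name))
    return hits


# Constructed events mirroring the report's process tree; the cmd.exe hash is a placeholder
# and the two DnsQuery records are hypothetical.
SAMPLE_EVENTS_JSONL = r"""
{"EventID": 1, "ProcessId": 2824, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\E-bill.exe", "ParentImage": "C:\\Windows\\explorer.exe", "Hashes": "SHA256=E296A3F9AF1EE967A9A919495E2A12917DD4077D794A54E25B9E16C02854A74E"}
{"EventID": 11, "ProcessId": 2824, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\E-bill.exe", "TargetFilename": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\gjmfzpch.exe"}
{"EventID": 1, "ProcessId": 2856, "Image": "C:\\Windows\\SysWOW64\\cmd.exe", "ParentImage": "C:\\Users\\Admin\\AppData\\Local\\Temp\\E-bill.exe", "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"}
{"EventID": 1, "ProcessId": 3816, "Image": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\gjmfzpch.exe", "ParentImage": "C:\\Users\\Admin\\AppData\\Local\\Temp\\E-bill.exe", "Hashes": "SHA256=E296A3F9AF1EE967A9A919495E2A12917DD4077D794A54E25B9E16C02854A74E"}
{"EventID": 22, "ProcessId": 3816, "Image": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\gjmfzpch.exe", "QueryName": "ojorobia.club"}
{"EventID": 22, "ProcessId": 4100, "Image": "C:\\Windows\\System32\\svchost.exe", "QueryName": "www.microsoft.com"}
"""

if __name__ == "__main__":
    for rule, subject, detail in hunt(load_events(SAMPLE_EVENTS_JSONL)):
        print(f"{rule:18} {subject}  ->  {detail}")
```

Run against the constructed events it reports five hits: the sample hash on E-bill.exe, the drop into the Startup folder, the launch from the Startup folder, the same hash on the launched copy, and the lookup of ojorobia.club; the placeholder cmd.exe and the unrelated DNS query stay silent. The Startup check is a substring match on the folder path, so it catches the all-users folder under ProgramData as well as the per-user one, and hashes are compared case-insensitively because Sysmon emits them in upper case while the report lists them in lower case.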
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 968KB
MD5: e8f5b21f536286d5fb65297300f4b11f
SHA1: c21a5f1668385d581d5ddebdd9907be4c961383a
SHA256: e296a3f9af1ee967a9a919495e2a12917dd4077d794a54e25b9e16c02854a74e
SHA512: 21d16e637bdb9849656f949e46b6f37ad1b3f5338555f514804467a30b75c4f6e574ac6058b7d1ec8235c57aa16b190acb532f3905cb2bbbb9f1ad6c4362df7b

The page lists this download twice with identical size and hashes, and those hashes are the same as the submitted sample's. The only file the run dropped is the Startup-folder gjmfzpch.exe, so if these entries are that file the malware persists by copying itself unmodified, and the sample's hashes above identify the persisted copy as well.