Analysis
-
max time kernel
129s -
max time network
76s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
05-08-2020 08:25
Static task
static1
Behavioral task
behavioral1
Sample
New Order.scr
Resource
win7
windows7_x64
0 signatures
0 seconds
General
-
Target
New Order.scr
-
Size
632KB
-
MD5
5cd9d49f5cad5e0910e90ce8183b4366
-
SHA1
c457eb69ef65e0c02c330f5f2fb0e6e47b8d6a7b
-
SHA256
1de49d29d2f5c485ef935ce6f50176272745d32d258f5996f029f4e78a614af7
-
SHA512
87a5aff468b8243e4d542dc6fd639bcf4c3e5b54b9d17c27b4605c9fdafb045a078653d049c96ef3bbfcfdf7feef7f58033da85be98d76c621c3fe5ab13cf65d
Malware Config
Signatures
-
Kutaki Executable 2 IoCs
resource yara_rule behavioral2/files/0x000500000001ad55-4.dat family_kutaki behavioral2/files/0x000500000001ad55-5.dat family_kutaki -
Executes dropped EXE 1 IoCs
pid Process 1116 ygmyrwch.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ygmyrwch.exe New Order.scr File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ygmyrwch.exe New Order.scr -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 1568 New Order.scr 1568 New Order.scr 1568 New Order.scr 1116 ygmyrwch.exe 1116 ygmyrwch.exe 1116 ygmyrwch.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1568 wrote to memory of 656 1568 New Order.scr 67 PID 1568 wrote to memory of 656 1568 New Order.scr 67 PID 1568 wrote to memory of 656 1568 New Order.scr 67 PID 1568 wrote to memory of 1116 1568 New Order.scr 69 PID 1568 wrote to memory of 1116 1568 New Order.scr 69 PID 1568 wrote to memory of 1116 1568 New Order.scr 69
Processes
-
C:\Users\Admin\AppData\Local\Temp\New Order.scr"C:\Users\Admin\AppData\Local\Temp\New Order.scr" /S1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Users\Admin\AppData\Local\Temp\2⤵PID:656
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ygmyrwch.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ygmyrwch.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1116
-