Analysis
- max time kernel: 150s
- max time network: 92s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 17-01-2021 17:55
- Static task: static1
- Behavioral task: behavioral1 (Sample: tracking details.exe, Resource: win7v20201028)
General
- Target: tracking details.exe
- Size: 752KB
- MD5: 3c35fca6cb231d20cc04e6d8b2601010
- SHA1: aecde409a20bdaa63be0570d5625938e7df50197
- SHA256: e6cd47abf6c7c73449bd05329a0e30a48012c947d8762dd2429333af8d7bc198
- SHA512: 0b7e2604adf2d89ef471336f8dd322c9f8b222e404aa68fbf67a13ced6ec0eb0a8c9968cb92401b44d2d4d1a1e53e51e7d8840f74ee4baec3f1d4b05d76d1d77
Malware Config
Signatures
- Kutaki Executable 3 IoCs
  Processes:
    resource | yara_rule
    \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ggvotich.exe | family_kutaki
    \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ggvotich.exe | family_kutaki
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ggvotich.exe | family_kutaki
- Executes dropped EXE 1 IoCs
  Processes:
    pid | process
    788 | ggvotich.exe
- Drops startup file 2 IoCs
  Processes:
    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ggvotich.exe | tracking details.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ggvotich.exe | tracking details.exe
- Loads dropped DLL 2 IoCs
  Processes:
    pid | process
    2008 | tracking details.exe
    2008 | tracking details.exe
- Suspicious use of SetWindowsHookEx 1052 IoCs
  Processes:
    pid | process
    2008 | tracking details.exe
    788 | ggvotich.exe
- Suspicious use of WriteProcessMemory 8 IoCs
  Processes:
    description | pid | process | target process
    PID 2008 wrote to memory of 824 | 2008 | tracking details.exe | cmd.exe
    PID 2008 wrote to memory of 788 | 2008 | tracking details.exe | ggvotich.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\tracking details.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tracking details.exe"
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ggvotich.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ggvotich.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ggvotich.exe
  MD5: 3c35fca6cb231d20cc04e6d8b2601010
  SHA1: aecde409a20bdaa63be0570d5625938e7df50197
  SHA256: e6cd47abf6c7c73449bd05329a0e30a48012c947d8762dd2429333af8d7bc198
  SHA512: 0b7e2604adf2d89ef471336f8dd322c9f8b222e404aa68fbf67a13ced6ec0eb0a8c9968cb92401b44d2d4d1a1e53e51e7d8840f74ee4baec3f1d4b05d76d1d77
- \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ggvotich.exe
  MD5: 3c35fca6cb231d20cc04e6d8b2601010
  SHA1: aecde409a20bdaa63be0570d5625938e7df50197
  SHA256: e6cd47abf6c7c73449bd05329a0e30a48012c947d8762dd2429333af8d7bc198
  SHA512: 0b7e2604adf2d89ef471336f8dd322c9f8b222e404aa68fbf67a13ced6ec0eb0a8c9968cb92401b44d2d4d1a1e53e51e7d8840f74ee4baec3f1d4b05d76d1d77
- memory/788-8-0x0000000000000000-mapping.dmp
- memory/824-5-0x0000000000000000-mapping.dmp
- memory/2008-4-0x0000000075EA1000-0x0000000075EA3000-memory.dmp (Filesize: 8KB)