Malware Analysis Report

2024-11-30 11:25

Sample ID 220104-tqnx6ahcb4
Target RTGS_COPY.cmd
SHA256 b7cd89612804eefbea4cc01513408994f8ea65d03a2cd68d07da77d43afd787c
Tags
kutaki
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b7cd89612804eefbea4cc01513408994f8ea65d03a2cd68d07da77d43afd787c

Threat Level: Known bad

The file RTGS_COPY.cmd was found to be: Known bad.

Malicious Activity Summary

kutaki

Kutaki Executable

Kutaki family

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-04 16:15

Signatures

Kutaki Executable

Description Indicator Process Target
N/A N/A N/A N/A

Kutaki family

kutaki

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-04 16:15

Reported

2022-01-04 16:18

Platform

win7-en-20211208

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RTGS_COPY.cmd.exe"

Signatures

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RTGS_COPY.cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RTGS_COPY.cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RTGS_COPY.cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RTGS_COPY.cmd.exe

"C:\Users\Admin\AppData\Local\Temp\RTGS_COPY.cmd.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c C:\Users\Admin\AppData\Local\Temp\

Network

N/A

Files

memory/1928-55-0x0000000000220000-0x0000000000226000-memory.dmp

memory/1928-56-0x0000000000220000-0x000000000022A000-memory.dmp

memory/1928-57-0x0000000076511000-0x0000000076513000-memory.dmp

memory/708-58-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-04 16:15

Reported

2022-01-04 16:18

Platform

win10-en-20211208

Max time kernel

118s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RTGS_COPY.cmd.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RTGS_COPY.cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RTGS_COPY.cmd.exe

"C:\Users\Admin\AppData\Local\Temp\RTGS_COPY.cmd.exe"

Network

Country Destination Domain Proto
NL 52.109.88.36:443 tcp
US 8.8.8.8:53 time.windows.com udp
NL 40.119.148.38:123 time.windows.com udp

Files

memory/2720-115-0x0000000000B50000-0x0000000000CA3000-memory.dmp

memory/2720-117-0x0000000000B51000-0x0000000000C4D000-memory.dmp