Analysis
- max time kernel: 99s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 08-05-2022 22:29
- Static task: static1
- Behavioral task: behavioral1
- Sample: 7c60245a65725dc1b28bf82709a4b292b729586da6a86ff9091cde5059b4a4ce.exe
- Resource: win7-20220414-en
General
- Target: 7c60245a65725dc1b28bf82709a4b292b729586da6a86ff9091cde5059b4a4ce.exe
- Size: 1.3MB
- MD5: 8f83cdb6e2b59fd44ec017d706ba0cfb
- SHA1: bae3855ba40c2c9854d357c335a79a41242ea92e
- SHA256: 7c60245a65725dc1b28bf82709a4b292b729586da6a86ff9091cde5059b4a4ce
- SHA512: 23397905fa31dc0701389c8b6127f271f4dafb23a6e7ac64e594bd366b3dcc16ade37fbef9bbcb3d5d560b2ba1e192696034cf9a3dc7ef92634cac8796815675
Malware Config
Signatures

Kutaki Executable (3 IoCs)
  - behavioral1/files/0x0009000000008527-59.dat: yara rule family_kutaki
  - behavioral1/files/0x0009000000008527-62.dat: yara rule family_kutaki
  - behavioral1/files/0x0009000000008527-60.dat: yara rule family_kutaki

Executes dropped EXE (1 IoC)
  - PID 956: nbrgaech.exe

Drops startup file (2 IoCs)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nbrgaech.exe (process: 7c60245a65725dc1b28bf82709a4b292b729586da6a86ff9091cde5059b4a4ce.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nbrgaech.exe (process: 7c60245a65725dc1b28bf82709a4b292b729586da6a86ff9091cde5059b4a4ce.exe)

Loads dropped DLL (2 IoCs)
  - PID 1928: 7c60245a65725dc1b28bf82709a4b292b729586da6a86ff9091cde5059b4a4ce.exe
  - PID 1928: 7c60245a65725dc1b28bf82709a4b292b729586da6a86ff9091cde5059b4a4ce.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of SetWindowsHookEx (64 IoCs)
  - PID 1928: 7c60245a65725dc1b28bf82709a4b292b729586da6a86ff9091cde5059b4a4ce.exe (first 4 entries)
  - PID 956: nbrgaech.exe (all remaining entries)

Suspicious use of WriteProcessMemory (8 IoCs)
  - PID 1928 (7c60245a65725dc1b28bf82709a4b292b729586da6a86ff9091cde5059b4a4ce.exe) wrote to memory of PID 1956, procid_target 29 (4 entries)
  - PID 1928 (7c60245a65725dc1b28bf82709a4b292b729586da6a86ff9091cde5059b4a4ce.exe) wrote to memory of PID 956, procid_target 31 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\7c60245a65725dc1b28bf82709a4b292b729586da6a86ff9091cde5059b4a4ce.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7c60245a65725dc1b28bf82709a4b292b729586da6a86ff9091cde5059b4a4ce.exe"
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1928
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
    PID: 1956
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nbrgaech.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nbrgaech.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 956
Network
MITRE ATT&CK Enterprise v6
Downloads
Three entries, all with identical size and hashes:
- Filesize: 1.3MB
- MD5: 8f83cdb6e2b59fd44ec017d706ba0cfb
- SHA1: bae3855ba40c2c9854d357c335a79a41242ea92e
- SHA256: 7c60245a65725dc1b28bf82709a4b292b729586da6a86ff9091cde5059b4a4ce
- SHA512: 23397905fa31dc0701389c8b6127f271f4dafb23a6e7ac64e594bd366b3dcc16ade37fbef9bbcb3d5d560b2ba1e192696034cf9a3dc7ef92634cac8796815675