Analysis
max time kernel: 150s
max time network: 43s
platform: windows7_x64
resource: win7-20220414-en
submitted: 01-07-2022 05:37
Static task: static1
Behavioral task: behavioral1
Sample: 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe
Resource: win7-20220414-en
General
Target: 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe
Size: 755KB
MD5: 77f193dbefdabd317c13e70d24fba155
SHA1: efca7bcad227df76ba1f3997bc32a7e18c68999f
SHA256: 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f
SHA512: d5ee8b4e8ed3184fc0f4c9996364b20538f64ed1f29364d456a28284d845c1e4fd2bdffb17ccc0831644180eb007d1a1fa9943c2514633db2d8e44c543bc27a2
Malware Config
Signatures
Kutaki Executable 4 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe | family_kutaki
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe | family_kutaki
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe | family_kutaki
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe | family_kutaki
Executes dropped EXE 1 IoCs
Processes:
pid | process
996 | hyuder.exe
Drops startup file 2 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe | 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe | 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe
Loads dropped DLL 2 IoCs
Processes:
pid | process
1552 | 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe
1552 | 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | hyuder.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | hyuder.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main | hyuder.exe
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
pid | process
1552 | 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe
1552 | 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe
1552 | 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe
996 | hyuder.exe
996 | hyuder.exe
996 | hyuder.exe
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description | pid | process | target process
PID 1552 wrote to memory of 1456 | 1552 | 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe | cmd.exe
PID 1552 wrote to memory of 1456 | 1552 | 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe | cmd.exe
PID 1552 wrote to memory of 1456 | 1552 | 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe | cmd.exe
PID 1552 wrote to memory of 1456 | 1552 | 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe | cmd.exe
PID 1552 wrote to memory of 996 | 1552 | 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe | hyuder.exe
PID 1552 wrote to memory of 996 | 1552 | 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe | hyuder.exe
PID 1552 wrote to memory of 996 | 1552 | 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe | hyuder.exe
PID 1552 wrote to memory of 996 | 1552 | 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe | hyuder.exe
Processes
C:\Users\Admin\AppData\Local\Temp\689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe"
  PID: 1552
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
      PID: 1456
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe"
      PID: 996
      - Executes dropped EXE
      - Maps connected drives based on registry
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 755KB
MD5: 77f193dbefdabd317c13e70d24fba155
SHA1: efca7bcad227df76ba1f3997bc32a7e18c68999f
SHA256: 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f
SHA512: d5ee8b4e8ed3184fc0f4c9996364b20538f64ed1f29364d456a28284d845c1e4fd2bdffb17ccc0831644180eb007d1a1fa9943c2514633db2d8e44c543bc27a2