Analysis

max time kernel: 153s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 01-07-2022 05:37

Static task: static1
Behavioral task: behavioral1
Sample: 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe
Resource: win7-20220414-en
General

Target: 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe
Size: 755KB
MD5: 77f193dbefdabd317c13e70d24fba155
SHA1: efca7bcad227df76ba1f3997bc32a7e18c68999f
SHA256: 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f
SHA512: d5ee8b4e8ed3184fc0f4c9996364b20538f64ed1f29364d456a28284d845c1e4fd2bdffb17ccc0831644180eb007d1a1fa9943c2514633db2d8e44c543bc27a2
Malware Config
Signatures

Kutaki Executable 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe | family_kutaki
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe | family_kutaki

Executes dropped EXE 1 IoCs
Processes:
pid | process
2188 | hyuder.exe

Drops startup file 2 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe | 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe | 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe

Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | hyuder.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | hyuder.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
pid | process
4904 | 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe
4904 | 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe
4904 | 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe
2188 | hyuder.exe
2188 | hyuder.exe
2188 | hyuder.exe

Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description | pid | process | target process
PID 4904 wrote to memory of 4004 | 4904 | 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe | cmd.exe
PID 4904 wrote to memory of 4004 | 4904 | 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe | cmd.exe
PID 4904 wrote to memory of 4004 | 4904 | 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe | cmd.exe
PID 4904 wrote to memory of 2188 | 4904 | 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe | hyuder.exe
PID 4904 wrote to memory of 2188 | 4904 | 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe | hyuder.exe
PID 4904 wrote to memory of 2188 | 4904 | 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe | hyuder.exe

Processes

C:\Users\Admin\AppData\Local\Temp\689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f.exe"
  - Drops startup file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4904

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
    PID:4004

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyuder.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Suspicious use of SetWindowsHookEx
    PID:2188
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 755KB
MD5: 77f193dbefdabd317c13e70d24fba155
SHA1: efca7bcad227df76ba1f3997bc32a7e18c68999f
SHA256: 689a19bf9eed2b5458ee1ac3eb1b127500f658eee3acde9955efae97fb6ec32f
SHA512: d5ee8b4e8ed3184fc0f4c9996364b20538f64ed1f29364d456a28284d845c1e4fd2bdffb17ccc0831644180eb007d1a1fa9943c2514633db2d8e44c543bc27a2