Analysis

max time kernel: 73s
max time network: 39s
platform: windows7_x64
resource: win7-20220414-en
submitted: 01-07-2022 07:01

Static task: static1
Behavioral task: behavioral1
Sample: bf51b56b57a92f9c4593337428209f032afa0b4df571190f99e4368415e42a09.exe
Resource: win7-20220414-en
General

Target: bf51b56b57a92f9c4593337428209f032afa0b4df571190f99e4368415e42a09.exe
Size: 568KB
MD5: 3acd878dcad8af0f84eae82ae801b654
SHA1: 14931b89a4adada1d61e9aa3d437ce74045898ce
SHA256: bf51b56b57a92f9c4593337428209f032afa0b4df571190f99e4368415e42a09
SHA512: 934131e128f7ed31b92e7340100b6a50d1fa40482c3ea8fbff91f21cc6718fc7cc66eaf235d5746d51ba22872a499c1f659c69477bf07f3d60ac1bb6a74075c6
Malware Config
Signatures

Kutaki Executable (3 IoCs)
Processes:
  resource                                                                                 | yara_rule
  \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gxrskuch.exe   | family_kutaki
  \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gxrskuch.exe   | family_kutaki
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gxrskuch.exe | family_kutaki
Executes dropped EXE (1 IoCs)
Processes: gxrskuch.exe
  pid  | process
  1528 | gxrskuch.exe
Drops startup file (2 IoCs)
Processes: bf51b56b57a92f9c4593337428209f032afa0b4df571190f99e4368415e42a09.exe
  description                  | ioc                                                                                       | process
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gxrskuch.exe | bf51b56b57a92f9c4593337428209f032afa0b4df571190f99e4368415e42a09.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gxrskuch.exe | bf51b56b57a92f9c4593337428209f032afa0b4df571190f99e4368415e42a09.exe
Loads dropped DLL (2 IoCs)
Processes: bf51b56b57a92f9c4593337428209f032afa0b4df571190f99e4368415e42a09.exe
  pid  | process
  1976 | bf51b56b57a92f9c4593337428209f032afa0b4df571190f99e4368415e42a09.exe
  1976 | bf51b56b57a92f9c4593337428209f032afa0b4df571190f99e4368415e42a09.exe
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: gxrskuch.exe
  description       | ioc                                                    | process
  Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum   | gxrskuch.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | gxrskuch.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of SetWindowsHookEx (64 IoCs)
Processes: bf51b56b57a92f9c4593337428209f032afa0b4df571190f99e4368415e42a09.exe, gxrskuch.exe
  pid  | process
  1976 | bf51b56b57a92f9c4593337428209f032afa0b4df571190f99e4368415e42a09.exe
  1976 | bf51b56b57a92f9c4593337428209f032afa0b4df571190f99e4368415e42a09.exe
  1976 | bf51b56b57a92f9c4593337428209f032afa0b4df571190f99e4368415e42a09.exe
  1528 | gxrskuch.exe
  (the remaining 60 of the 64 entries all read: 1528 | gxrskuch.exe)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: bf51b56b57a92f9c4593337428209f032afa0b4df571190f99e4368415e42a09.exe
  description                      | pid  | process                                                               | target process
  PID 1976 wrote to memory of 1304 | 1976 | bf51b56b57a92f9c4593337428209f032afa0b4df571190f99e4368415e42a09.exe | cmd.exe
  PID 1976 wrote to memory of 1304 | 1976 | bf51b56b57a92f9c4593337428209f032afa0b4df571190f99e4368415e42a09.exe | cmd.exe
  PID 1976 wrote to memory of 1304 | 1976 | bf51b56b57a92f9c4593337428209f032afa0b4df571190f99e4368415e42a09.exe | cmd..exe
  PID 1976 wrote to memory of 1304 | 1976 | bf51b56b57a92f9c4593337428209f032afa0b4df571190f99e4368415e42a09.exe | cmd.exe
  PID 1976 wrote to memory of 1528 | 1976 | bf51b56b57a92f9c4593337428209f032afa0b4df571190f99e4368415e42a09.exe | gxrskuch.exe
  PID 1976 wrote to memory of 1528 | 1976 | bf51b56b57a92f9c4593337428209f032afa0b4df571190f99e4368415e42a09.exe | gxrskuch.exe
  PID 1976 wrote to memory of 1528 | 1976 | bf51b56b57a92f9c4593337428209f032afa0b4df571190f99e4368415e42a09.exe | gxrskuch.exe
  PID 1976 wrote to memory of 1528 | 1976 | bf51b56b57a92f9c4593337428209f032afa0b4df571190f99e4368415e42a09.exe | gxrskuch.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\bf51b56b57a92f9c4593337428209f032afa0b4df571190f99e4368415e42a09.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bf51b56b57a92f9c4593337428209f032afa0b4df571190f99e4368415e42a09.exe"
   PID: 1976
   - Drops startup file
   - Loads dropped DLL
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
      PID: 1304

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gxrskuch.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gxrskuch.exe"
      PID: 1528
      - Executes dropped EXE
      - Maps connected drives based on registry
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 568KB
MD5: 3acd878dcad8af0f84eae82ae801b654
SHA1: 14931b89a4adada1d61e9aa3d437ce74045898ce
SHA256: bf51b56b57a92f9c4593337428209f032afa0b4df571190f99e4368415e42a09
SHA512: 934131e128f7ed31b92e7340100b6a50d1fa40482c3ea8fbff91f21cc6718fc7cc66eaf235d5746d51ba22872a499c1f659c69477bf07f3d60ac1bb6a74075c6