Analysis

max time kernel: 127s
max time network: 45s
platform: windows7_x64
resource: win7-20220414-en
submitted: 03-07-2022 10:15

Static task: static1
Behavioral task: behavioral1
  Sample: 408e62f6612f1ace5d52c48c850a16881504dd50dd3af9bfc245bae8cb7cfeb0.exe
  Resource: win7-20220414-en
General

Target: 408e62f6612f1ace5d52c48c850a16881504dd50dd3af9bfc245bae8cb7cfeb0.exe
Size: 740KB
MD5: 1ba628a1b76f3a2f4133f94c7c18f91c
SHA1: 876664b10a1fc68dba94efbb6aaa9f8eae3d1fac
SHA256: 408e62f6612f1ace5d52c48c850a16881504dd50dd3af9bfc245bae8cb7cfeb0
SHA512: 219a3a6e8cea16a58b90d7e2a044c4e7e26145e7e33c5a73033e382b2ccd8f8e16767af8af22f7f1db973733619a03e5cce1a4c2327f2d8f79db67f534f67e24
Malware Config
Signatures

Kutaki Executable (3 IoCs)
  YARA rule family_kutaki matched on:
    \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uytvaych.exe
    \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uytvaych.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uytvaych.exe

Executes dropped EXE (1 IoC)
  PID 1008  uytvaych.exe

Drops startup file (2 IoCs)
  File created:               C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uytvaych.exe  (by 408e62f6612f1ace5d52c48c850a16881504dd50dd3af9bfc245bae8cb7cfeb0.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uytvaych.exe  (by 408e62f6612f1ace5d52c48c850a16881504dd50dd3af9bfc245bae8cb7cfeb0.exe)
  Anything placed in the per-user Startup folder is launched at every logon of that user, so this is the sample's persistence mechanism; no Run key or scheduled task is reported.

Loads dropped DLL (2 IoCs)
  PID 880  408e62f6612f1ace5d52c48c850a16881504dd50dd3af9bfc245bae8cb7cfeb0.exe  (2 events; the DLL path is not shown in the report)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Triage's canned description calls this likely ransomware behaviour, but drive enumeration on its own is a weak indicator; nothing else in this report (no mass file writes, no ransom note) supports a ransomware reading.

Suspicious use of SetWindowsHookEx (12 IoCs)
  PID 880   408e62f6612f1ace5d52c48c850a16881504dd50dd3af9bfc245bae8cb7cfeb0.exe  (3 events)
  PID 1008  uytvaych.exe  (9 events)
  SetWindowsHookEx is the usual API for installing a keyboard hook; the hook type is not shown here, so treat it as consistent with keylogging rather than proof of it.

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 880 (408e62f6612f1ace5d52c48c850a16881504dd50dd3af9bfc245bae8cb7cfeb0.exe) wrote to memory of PID 1176 (cmd.exe)       (4 events)
  PID 880 (408e62f6612f1ace5d52c48c850a16881504dd50dd3af9bfc245bae8cb7cfeb0.exe) wrote to memory of PID 1008 (uytvaych.exe)  (4 events)
  Both targets are child processes the sample itself created, so these writes are consistent with ordinary process start-up rather than injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\408e62f6612f1ace5d52c48c850a16881504dd50dd3af9bfc245bae8cb7cfeb0.exe  (PID 880)
  command line: "C:\Users\Admin\AppData\Local\Temp\408e62f6612f1ace5d52c48c850a16881504dd50dd3af9bfc245bae8cb7cfeb0.exe"
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  +-- C:\Windows\SysWOW64\cmd.exe  (PID 1176)
      command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
      (the SysWOW64 path shows the sample is a 32-bit binary running under WoW64 on the x64 guest; the command line is recorded truncated)

  +-- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uytvaych.exe  (PID 1008)
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uytvaych.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
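The chain above (write an executable into the user's Startup folder, then launch it, with the dropped file carrying the same hashes as the sample) is easy to flag automatically. The following is an added example, not part of the Triage report: it runs a small detection over constructed sandbox-style event lines modelled on this report. The pipe-delimited event format, the `analyze` and `is_startup_drop` helpers and the benign noise lines are this example's own assumptions; the paths and hashes come from the report.

```python
"""Flag Startup-folder persistence in sandbox-style file/process events.

Added example; the event format and helper names are assumptions, the paths and
hashes are taken from the Triage report above.
"""
import re
from dataclasses import dataclass

SAMPLE = "408e62f6612f1ace5d52c48c850a16881504dd50dd3af9bfc245bae8cb7cfeb0.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
DROPPED = STARTUP + "\\uytvaych.exe"

# Hashes from the report. The dropped uytvaych.exe shares them with the sample,
# so a hash hit on the Startup file means the dropper copied itself.
KNOWN_HASHES = {
    "md5": {"1ba628a1b76f3a2f4133f94c7c18f91c"},
    "sha1": {"876664b10a1fc68dba94efbb6aaa9f8eae3d1fac"},
    "sha256": {"408e62f6612f1ace5d52c48c850a16881504dd50dd3af9bfc245bae8cb7cfeb0"},
}

# Matches both the per-user (%APPDATA%) and all-users (%ProgramData%) Startup folders.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".lnk")

# Constructed event lines (assumed format): "time|pid|image|action|detail".
SAMPLE_EVENTS = [
    f"10:15:03|880|{DROPPER}|file_create|{DROPPED}",
    f"10:15:03|880|{DROPPER}|file_write|{DROPPED}",
    f"10:15:03|880|{DROPPER}|process_create|1176:C:\\Windows\\SysWOW64\\cmd.exe",
    f"10:15:04|880|{DROPPER}|process_create|1008:{DROPPED}",
    f"10:15:04|1008|{DROPPED}|hash|sha256=408e62f6612f1ace5d52c48c850a16881504dd50dd3af9bfc245bae8cb7cfeb0",
    # Benign noise: a document written elsewhere and an ordinary child process.
    "10:16:00|2000|C:\\Windows\\explorer.exe|file_create|C:\\Users\\Admin\\Desktop\\notes.txt",
    "10:16:01|2000|C:\\Windows\\explorer.exe|process_create|2100:C:\\Windows\\System32\\notepad.exe",
]


@dataclass(frozen=True)
class Finding:
    kind: str
    pid: int
    path: str


def parse_event(line):
    """Split one 'time|pid|image|action|detail' line into a dict."""
    ts, pid, image, action, detail = line.rstrip("\n").split("|", 4)
    return {"ts": ts, "pid": int(pid), "image": image, "action": action, "detail": detail}


def is_startup_drop(ev):
    """True when a process writes an executable-type file into a Startup folder."""
    return (ev["action"] in ("file_create", "file_write")
            and STARTUP_RE.search(ev["detail"]) is not None
            and ev["detail"].lower().endswith(EXEC_EXT))


def analyze(lines):
    """Return findings for Startup drops, execution of those drops, and known-hash hits."""
    findings = []
    dropped = {}  # lower-cased path -> pid of the process that wrote it
    for ev in map(parse_event, lines):
        if is_startup_drop(ev):
            key = ev["detail"].lower()
            if key not in dropped:  # create + write on the same file: report once
                dropped[key] = ev["pid"]
                findings.append(Finding("startup_drop", ev["pid"], ev["detail"]))
        elif ev["action"] == "process_create":
            child_pid, child_image = ev["detail"].split(":", 1)
            if child_image.lower() in dropped:
                findings.append(Finding("exec_dropped_startup", int(child_pid), child_image))
        elif ev["action"] == "hash":
            algo, digest = ev["detail"].split("=", 1)
            if digest.lower() in KNOWN_HASHES.get(algo.lower(), set()):
                findings.append(Finding("known_hash_" + algo.lower(), ev["pid"], ev["image"]))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.kind:22} pid={f.pid:<5} {f.path}")
```

On the constructed input this reports one Startup drop by PID 880, the execution of that dropped file as PID 1008, and a SHA256 match on the dropped file; the explorer.exe noise produces nothing. For live hunting, the same three checks map onto Sysmon event IDs 11 (file create), 1 (process create) and the hash field of event 1, and the Startup-folder regex covers the all-users folder under %ProgramData% as well.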
Network
MITRE ATT&CK Enterprise v6
Downloads

Three downloadable artifacts are listed; all three have identical size and hashes (the dropped Startup copy is byte-for-byte the same file as the submitted sample):

Filesize: 740KB
MD5: 1ba628a1b76f3a2f4133f94c7c18f91c
SHA1: 876664b10a1fc68dba94efbb6aaa9f8eae3d1fac
SHA256: 408e62f6612f1ace5d52c48c850a16881504dd50dd3af9bfc245bae8cb7cfeb0
SHA512: 219a3a6e8cea16a58b90d7e2a044c4e7e26145e7e33c5a73033e382b2ccd8f8e16767af8af22f7f1db973733619a03e5cce1a4c2327f2d8f79db67f534f67e24