Analysis
- max time kernel: 281s
- max time network: 294s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 11-07-2022 07:51
Static task: static1
Behavioral task: behavioral1
- Sample: RTGS_Payment.exe
- Resource: win7-20220414-en
General
- Target: RTGS_Payment.exe
- Size: 968KB
- MD5: a6e5804f4d6a9a2a823a70ad37db3716
- SHA1: f20ce20488fb607162285b0ccac95bc965bf116d
- SHA256: 5f7e2c3aca868d28e2321913fee896d84b6e648e9289c2dacecd5bf85f7ee743
- SHA512: cdea1a027cb63173035c4d0d681ad1bd0c63bb2f0a722d6d5316aaae9e474b2e9d0b21cf7f74388ff348133deab4aab92f431d125db79e8134b98d93c26ba4be
Malware Config
Signatures
- Kutaki Executable (2 IoCs)
  Processes:
  resource                                                                                      yara_rule
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nmbdepch.exe     family_kutaki
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nmbdepch.exe     family_kutaki
- Executes dropped EXE (1 IoC)
  Processes:
  pid    process
  4996   nmbdepch.exe
- Drops startup file (2 IoCs)
  Processes:
  description                    ioc                                                                                           process
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nmbdepch.exe     RTGS_Payment.exe
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nmbdepch.exe     RTGS_Payment.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes:
  pid    process
  2596   RTGS_Payment.exe
  2596   RTGS_Payment.exe
  2596   RTGS_Payment.exe
  4996   nmbdepch.exe
  4996   nmbdepch.exe
  4996   nmbdepch.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description                         pid    process            target process
  PID 2596 wrote to memory of 3688    2596   RTGS_Payment.exe   cmd.exe
  PID 2596 wrote to memory of 3688    2596   RTGS_Payment.exe   cmd.exe
  PID 2596 wrote to memory of 3688    2596   RTGS_Payment.exe   cmd.exe
  PID 2596 wrote to memory of 4996    2596   RTGS_Payment.exe   nmbdepch.exe
  PID 2596 wrote to memory of 4996    2596   RTGS_Payment.exe   nmbdepch.exe
  PID 2596 wrote to memory of 4996    2596   RTGS_Payment.exe   nmbdepch.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\RTGS_Payment.exe (depth 1, PID 2596)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RTGS_Payment.exe"
  - Drops startup file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3688)
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nmbdepch.exe (depth 2, PID 4996)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nmbdepch.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 968KB
  MD5: a6e5804f4d6a9a2a823a70ad37db3716
  SHA1: f20ce20488fb607162285b0ccac95bc965bf116d
  SHA256: 5f7e2c3aca868d28e2321913fee896d84b6e648e9289c2dacecd5bf85f7ee743
  SHA512: cdea1a027cb63173035c4d0d681ad1bd0c63bb2f0a722d6d5316aaae9e474b2e9d0b21cf7f74388ff348133deab4aab92f431d125db79e8134b98d93c26ba4be